Motivation

I’m forwarding alerts from my dev cluster to my observability cluster, and I’d like to add the "env" to the tags of each rule.
I already did something similar using `customfields: "env:dev"`, but using tags I would also be able to filter by it in the UI, which I like better.
I know it’s possible using something like this:

```yaml
- rule: Some Rule Name
  tags: [my_new_tag]
  override:
    tags: append
```

But it would require me to go over each rule manually. I was hoping this would work:

But it’s bad syntax 😄

Feature

It could support a wildcard for rule names, or maybe sidekick can do this somehow (not sure).
Alternatives
For now I thought I could use an initContainer like this:

```yaml
extra:
  initContainers:
    - name: add-kuku-tag
      image: alpine/k8s:1.28.13
      env:
        - name: TAG
          value: "kuku"
        - name: RULES_DIR
          value: "/etc/falco"
        - name: FALCOCTL_CONFIG
          value: "/etc/falcoctl/falcoctl.yaml"
      command: ["/bin/sh"]
      args:
        - -c
        - |
          #!/bin/sh
          # Install falcoctl
          LATEST=$(curl -sI https://github.com/falcosecurity/falcoctl/releases/latest | awk '/location: /{gsub("\r","",$2);split($2,v,"/");print substr(v[8],2)}')
          curl --fail -LS "https://github.com/falcosecurity/falcoctl/releases/download/v${LATEST}/falcoctl_${LATEST}_linux_amd64.tar.gz" | tar -xz
          install -o root -g root -m 0755 falcoctl /usr/local/bin/falcoctl
          # Add the Falco index
          falcoctl index add falcosecurity https://falcosecurity.github.io/falcoctl/index.yaml
          # Fix bug where falcoctl would fail to pull from the registry due to auth error
          yq eval 'del(.registry.auth)' -i "$FALCOCTL_CONFIG"
          # Install falco-rules artifact
          falcoctl artifact install falco-rules:3 \
            --allowed-types rulesfile,plugin \
            --resolve-deps \
            --rulesfiles-dir /rulesfiles \
            --plugins-dir /plugins || { echo "Failed to install falco-rules"; exit 1; }
          # Copy the installed rules to the shared volume
          cp -r /rulesfiles/* "$RULES_DIR/"
          echo "Copied rules to $RULES_DIR"
          ls -la "$RULES_DIR"
          # Add TAG to the tags list in falco_rules.yaml
          yq eval --inplace '.[].tags += ["'"$TAG"'"]' "$RULES_DIR/falco_rules.yaml"
          echo "Added tag '$TAG' to falco_rules.yaml"
      volumeMounts:
        - name: rulesfiles
          mountPath: /rulesfiles
        - name: plugins
          mountPath: /plugins
        - name: rulesfiles-install-dir
          mountPath: /etc/falco
```
This works, but the rules will be overridden by the Falco Follower in the future; I would need to restart the pod to have the initContainer do its thing again, which isn't ideal.
Additional context
The `customfields` option is nice, but the Tags in the UI are actually filterable from the menu, which is way more convenient when looking for custom rules, for example.
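As an added example (not from this issue or the Falco project), a small Python script that generates the per-rule `override: tags: append` entries shown above for every rule in a rules file, so the tag does not have to be added by hand. It emits entries only for `- rule:` items (macros and lists are skipped) and assumes the top-level layout of the upstream falco_rules.yaml; the sample input and the `env:dev` tag are constructed.

```python
import json
import re

# Falco rules files are a top-level sequence, so every rule entry starts at
# column 0; '- macro:' and '- list:' entries do not match this pattern.
RULE_LINE = re.compile(r"^- rule:\s*(.+?)\s*$")

def rule_names(rules_yaml: str) -> list[str]:
    """Distinct rule names in order of first appearance (quotes around names removed)."""
    seen: set[str] = set()
    names: list[str] = []
    for line in rules_yaml.splitlines():
        m = RULE_LINE.match(line)
        if m:
            name = m.group(1).strip("\"'")
            if name not in seen:
                seen.add(name)
                names.append(name)
    return names

def override_file(rules_yaml: str, tag: str) -> str:
    """Render a rules file that appends `tag` to every rule via override; load it after the upstream file."""
    if not tag or any(ch.isspace() for ch in tag):
        raise ValueError(f"tag must be one non-empty token, got {tag!r}")
    tag_yaml = json.dumps(tag)  # a JSON string is a valid YAML double-quoted scalar
    lines = [f"# Generated: appends {tag_yaml} to every rule; regenerate when the upstream rules change."]
    for name in rule_names(rules_yaml):
        lines.append(f"- rule: {json.dumps(name)}")
        lines.append(f"  tags: [{tag_yaml}]")
        lines.append("  override:")
        lines.append("    tags: append")
    return "\n".join(lines) + "\n"

# Constructed sample in the layout of falco_rules.yaml (not the real upstream file).
SAMPLE_RULES = """\
- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir=<)
- rule: Terminal shell in container
  condition: spawned_process and container and proc.name in (ash, bash, sh)
  priority: NOTICE
  tags: [maturity_stable, container, shell]
- rule: "Drop and execute new binary in container"
  condition: spawned_process and container and proc.is_exe_upper_layer=true
  priority: CRITICAL
  tags: [maturity_stable, container, process]
"""

if __name__ == "__main__":
    print(override_file(SAMPLE_RULES, "env:dev"), end="")
```

Because the generated file lives beside falco_rules.yaml rather than inside it, a rules update does not wipe the tags; it does need regenerating when upstream adds or renames rules, since each override refers to a rule by name.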
Thanks