Error: Plugin 'k8saudit' version '0.5.0' is not compatible with required plugin version '0.5.2'

[vinylen]

Describe the bug

Falco version 0.34.1 is in a CrashLoopBackOff state and the logs complain about the following:

Error: Plugin 'k8saudit' version '0.5.0' is not compatible with required plugin version '0.5.2'

This has affected all of our Falco deployments across several clusters.

How to reproduce it

Deploy Falco with JSON & k8saudit plugins loaded version 0.34.1 and the pods will enter CrashLoobBackOff state with the error posted above.

Expected behaviour

Running Falco pods with working k8saudit plugin 0.5.0 OR 0.5.2 loaded.

Screenshots

Environment

• Falco version:
• System info: 0.34.1 (x86_64)
• Cloud provider or hardware configuration: K8s running on Openstack
• OS: Ubuntu 22.04
• Kernel: 5.15.0-67-generic
• Installation method: Kubernetes & Helm

Additional context

This is our values.yaml file:

# Default values for Falco.

###############################
# General deployment settings #
###############################

image:
  # -- The image pull policy.
  pullPolicy: IfNotPresent
  # -- The image registry to pull from.
  registry: docker.io
  # -- The image repository to pull from
  repository: falcosecurity/falco-no-driver
  # -- The image tag to pull. Overrides the image tag whose default is the chart appVersion.
  tag: ""

# -- Secrets containing credentials when pulling from private/secure registries.
imagePullSecrets: []
# -- Put here the new name if you want to override the release name used for Falco components.
nameOverride: ""
# -- Same as nameOverride but for the fullname.
fullnameOverride: ""
# -- Override the deployment namespace
namespaceOverride: ""

rbac:
  # Create and use rbac resources when set to true. Needed to fetch k8s metadata from the api-server.
  create: true

serviceAccount:
  # -- Specifies whether a service account should be created.
  create: true
  # -- Annotations to add to the service account.
  annotations: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

# -- Add additional pod annotations
podAnnotations: {}

# -- Add additional pod labels
podLabels: {}

# -- Set pod priorityClassName
podPriorityClassName:

# -- Set securityContext for the pods
# These security settings are overriden by the ones specified for the specific
# containers when there is overlap.
podSecurityContext: {}

# Note that `containerSecurityContext`:
#  - will not apply to init containers, if any;
#  - takes precedence over other automatic configurations (see below).
#
# Based on the `driver` configuration the auto generated settings are:
# 1) driver.enabled = false:
#    securityContext: {}
#
# 2) driver.enabled = true and (driver.kind = module || driver.kind = modern-bpf):
#    securityContext:
#     privileged: true
#
# 3) driver.enabled = true and driver.kind = ebpf:
#    securityContext:
#     privileged: true
#
# 4) driver.enabled = true and driver.kind = ebpf and driver.ebpf.leastPrivileged = true
#    securityContext:
#     capabilities:
#      add:
#      - BPF
#      - SYS_RESOURCE
#      - PERFMON
#      - SYS_PTRACE
#
# -- Set securityContext for the Falco container.For more info see the "falco.securityContext" helper in "pod-template.tpl"
containerSecurityContext: {}

scc:
  # -- Create OpenShift's Security Context Constraint.
  create: false

resources:
  # -- Although resources needed are subjective on the actual workload we provide
  # a sane defaults ones. If you have more questions or concerns, please refer
  # to #falco slack channel for more info about it.
  requests:
    cpu: 100m
    memory: 512Mi
  # -- Maximum amount of resources that Falco container could get.
  # If you are enabling more than one source in falco, than consider to increase
  # the cpu limits.
  limits:
    cpu: 1000m
    memory: 1024Mi
# -- Selectors used to deploy Falco on a given node/nodes.
nodeSelector: {}

# -- Affinity constraint for pods' scheduling.
affinity: {}

# -- Tolerations to allow Falco to run on Kubernetes masters.
tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
  - effect: NoSchedule
    key: node-role.kubernetes.io/control-plane

# -- Parameters used
healthChecks:
  livenessProbe:
    # -- Tells the kubelet that it should wait X seconds before performing the first probe.
    initialDelaySeconds: 60
    # -- Number of seconds after which the probe times out.
    timeoutSeconds: 5
    # -- Specifies that the kubelet should perform the check every x seconds.
    periodSeconds: 15
  readinessProbe:
    # -- Tells the kubelet that it should wait X seconds before performing the first probe.
    initialDelaySeconds: 30
    # -- Number of seconds after which the probe times out.
    timeoutSeconds: 5
    # -- Specifies that the kubelet should perform the check every x seconds.
    periodSeconds: 15

# -- Attach the Falco process to a tty inside the container. Needed to flush Falco logs as soon as they are emitted.
# Set it to "true" when you need the Falco logs to be immediately displayed.
tty: true

#########################
# Scenario requirements #
#########################

# Sensors dislocation configuration (scenario requirement)
controller:
  # Available options: deployment, daemonset.
  kind: daemonset
  # Annotations to add to the daemonset or deployment
  annotations: {}
  daemonset:
    updateStrategy:
      # You can also customize maxUnavailable or minReadySeconds if you
      # need it
      # -- Perform rolling updates by default in the DaemonSet agent
      # ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
      type: RollingUpdate
  deployment:
    # -- Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing.
    # For more info check the section on Plugins in the README.md file.
    replicas: 1

# -- Network services configuration (scenario requirement)
# Add here your services to be deployed together with Falco.
services:
  - name: k8saudit-webhook
    type: NodePort
    ports:
      - port: 9765 # See plugin open_params
        nodePort: 30007
        protocol: TCP
  # Example configuration for the "k8sauditlog" plugin
  # - name: k8saudit-webhook
  #   type: NodePort
  #   ports:
  #     - port: 9765 # See plugin open_params
  #       nodePort: 30007
  #       protocol: TCP

# File access configuration (scenario requirement)
mounts:
  # -- A list of volumes you want to add to the Falco pods.
  volumes: []
  # -- A list of volumes you want to add to the Falco pods.
  volumeMounts: []
  # -- By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins).
  enforceProcMount: false

# Driver settings (scenario requirement)
driver:
  # -- Set it to false if you want to deploy Falco without the drivers.
  # Always set it to false when using Falco with plugins.
  enabled: true
  # -- Tell Falco which driver to use. Available options: module (kernel driver), ebpf (eBPF probe), modern-bpf (modern eBPF probe).
  kind: modern-bpf
  # -- Configuration section for ebpf driver.
  ebpf:
    # -- Path where the eBPF probe is located. It comes handy when the probe have been installed in the nodes using tools other than the init
    # container deployed with the chart.
    path:
    # -- Needed to enable eBPF JIT at runtime for performance reasons.
    # Can be skipped if eBPF JIT is enabled from outside the container
    hostNetwork: false
    # -- Constrain Falco with capabilities instead of running a privileged container.
    # This option is only supported with the eBPF driver and a kernel >= 5.8.
    # Ensure the eBPF driver is enabled (i.e., setting the `driver.kind` option to `ebpf`).
    leastPrivileged: false
  # -- Configuration for the Falco init container.
  loader:
    # -- Enable/disable the init container.
    enabled: true
    initContainer:
      image:
        # -- The image pull policy.
        pullPolicy: IfNotPresent
        # -- The image registry to pull from.
        registry: docker.io
        # -- The image repository to pull from.
        repository: falcosecurity/falco-driver-loader
        #  -- Overrides the image tag whose default is the chart appVersion.
        tag: ""
      # -- Extra environment variables that will be pass onto Falco driver loader init container.
      env: []
      # -- Arguments to pass to the Falco driver loader init container.
      args: []
      # -- Resources requests and limits for the Falco driver loader init container.
      resources: {}
      # -- Security context for the Falco driver loader init container. Overrides the default security context. If driver.kind == "module" you must at least set `privileged: true`.
      securityContext: {}

# -- Gvisor configuration. Based on your system you need to set the appropriate values.
# Please, rembember to add pod tolerations and affinities in order to schedule the Falco pods in the gVisor enabled nodes.
gvisor:
  # -- Set it to true if you want to deploy Falco with gVisor support.
  enabled: false
  # -- Runsc container runtime configuration. Falco needs to interact with it in order to intercept the activity of the sandboxed pods.
  runsc:
    # -- Absolute path of the `runsc` binary in the k8s nodes.
    path: /home/containerd/usr/local/sbin
    # -- Absolute path of the root directory of the `runsc` container runtime. It is of vital importance for Falco since `runsc` stores there the information of the workloads handled by it;
    root: /run/containerd/runsc
    # -- Absolute path of the `runsc` configuration file, used by Falco to set its configuration and make aware `gVisor` of its presence.
    config: /run/containerd/runsc/config.toml

# Collectors for data enrichment (scenario requirement)
collectors:
  # -- Enable/disable all the metadata collectors.
  enabled: true

  docker:
    # -- Enable Docker support.
    enabled: false
    # -- The path of the Docker daemon socket.
    socket: /var/run/docker.sock

  containerd:
    # -- Enable ContainerD support.
    enabled: true
    # -- The path of the ContainerD socket.
    socket: /run/k3s/containerd/containerd.sock

  crio:
    # -- Enable CRI-O support.
    enabled: false
    # -- The path of the CRI-O socket.
    socket: /run/crio/crio.sock

  kubernetes:
    # -- Enable Kubernetes meta data collection via a connection to the Kubernetes API server.
    # When this option is disabled, Falco falls back to the container annotations to grap the meta data.
    # In such a case, only the ID, name, namespace, labels of the pod will be available.
    enabled: false
    # -- The apiAuth value is to provide the authentication method Falco should use to connect to the Kubernetes API.
    # The argument's documentation from Falco is provided here for reference:
    #
    #  <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>], --k8s-api-cert <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>]
    #     Use the provided files names to authenticate user and (optionally) verify the K8S API server identity.
    #     Each entry must specify full (absolute, or relative to the current directory) path to the respective file.
    #     Private key password is optional (needed only if key is password protected).
    #     CA certificate is optional. For all files, only PEM file format is supported.
    #     Specifying CA certificate only is obsoleted - when single entry is provided
    #     for this option, it will be interpreted as the name of a file containing bearer token.
    #     Note that the format of this command-line option prohibits use of files whose names contain
    #     ':' or '#' characters in the file name.
    # -- Provide the authentication method Falco should use to connect to the Kubernetes API.
    apiAuth: /var/run/secrets/kubernetes.io/serviceaccount/token
    ## -- Provide the URL Falco should use to connect to the Kubernetes API.
    apiUrl: "https://$(KUBERNETES_SERVICE_HOST)"
    # -- If true, only the current node (on which Falco is running) will be considered when requesting metadata of pods
    # to the API server. Disabling this option may have a performance penalty on large clusters.
    enableNodeFilter: true

###########################
# Extras and customization #
############################

extra:
  # -- Extra environment variables that will be pass onto Falco containers.
  env: []
  # -- Extra command-line arguments.
  args: []
  # -- Additional initContainers for Falco pods.
  initContainers: []

# -- certificates used by webserver and grpc server.
# paste certificate content or use helm with --set-file
# or use existing secret containing key, crt, ca as well as pem bundle
certs:
  # -- Existing secret containing the following key, crt and ca as well as the bundle pem.
  existingSecret: ""
  server:
    # -- Key used by gRPC and webserver.
    key: ""
    # -- Certificate used by gRPC and webserver.
    crt: ""
  ca:
    # -- CA certificate used by gRPC, webserver and AuditSink validation.
    crt: ""
# -- Third party rules enabled for Falco. More info on the dedicated section in README.md file.
customRules:
  {}
  # Although Falco comes with a nice default rule set for detecting weird
  # behavior in containers, our users are going to customize the run-time
  # security rule sets or policies for the specific container images and
  # applications they run. This feature can be handled in this section.
  #
  # Example:
  #
  # rules-traefik.yaml: |-
  #   [ rule body ]

########################
# Falco integrations   #
########################

# -- For configuration values, see https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml
falcosidekick:
  # -- Enable falcosidekick deployment.
  enabled: false
  # -- Enable usage of full FQDN of falcosidekick service (useful when a Proxy is used).
  fullfqdn: false
  # -- Listen port. Default value: 2801
  listenPort: ""

####################
# falcoctl config  #
####################
falcoctl:
  image:
    # -- The image pull policy.
    pullPolicy: IfNotPresent
    # -- The image registry to pull from.
    registry: docker.io
    # -- The image repository to pull from.
    repository: falcosecurity/falcoctl
    #  -- Overrides the image tag whose default is the chart appVersion.
    tag: "0.4.0"
  artifact:
    # -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before
    # Falco starts. It provides them to Falco by using an emptyDir volume.
    install:
      enabled: true
      # -- Extra environment variables that will be pass onto falcoctl-artifact-install init container.
      env: {}
      # -- Arguments to pass to the falcoctl-artifact-install init container.
      args: ["--verbose"]
      # -- Resources requests and limits for the falcoctl-artifact-install init container.
      resources: {}
      # -- Security context for the falcoctl init container.
      securityContext: {}
    # -- Runs "falcoctl artifact follow" command as a sidecar container. It is used to automatically check for
    # updates given a list of artifacts. If an update is found it downloads and installs it in a shared folder (emptyDir)
    # that is accessible by Falco. Rulesfiles are automatically detected and loaded by Falco once they are installed in the
    # correct folder by falcoctl. To prevent new versions of artifacts from breaking Falco, the tool checks if it is compatible
    # with the running version of Falco before installing it.
    follow:
      enabled: true
      # -- Extra environment variables that will be pass onto falcoctl-artifact-follow sidecar container.
      env: {}
      # -- Arguments to pass to the falcoctl-artifact-follow sidecar container.
      args: ["--verbose"]
      # -- Resources requests and limits for the falcoctl-artifact-follow sidecar container.
      resources: {}
      # -- Security context for the falcoctl-artifact-follow sidecar container.
      securityContext: {}
  # -- Configuration file of the falcoctl tool. It is saved in a configmap and mounted on the falcotl containers.
  config:
    # -- List of indexes that falcoctl downloads and uses to locate and download artiafcts. For more info see:
    # https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md#index-file-overview
    indexes:
    - name: falcosecurity
      url: https://falcosecurity.github.io/falcoctl/index.yaml
    # -- Configuration used by the artifact commands.
    artifact:
      # -- List of artifact types that falcoctl will handle. If the configured refs resolves to an artifact whose type is not contained
      # in the list it will refuse to downloade and install that artifact.
      allowedTypes:
        - rulesfile
      install:
        # -- Do not resolve the depenencies for artifacts. By default is true, but for our use case we disable it.
        resolveDeps: false
        # -- List of artifacts to be installed by the falcoctl init container.
        refs: [falco-rules:0, k8saudit-rules:0.5]
        # -- Directory where the rulesfiles are saved. The path is relative to the container, which in this case is an emptyDir
        # mounted also by the Falco pod.
        rulesfilesDir: /rulesfiles
        # -- Same as the one above but for the artifacts.
        pluginsDir: /plugins
      follow:
      # -- List of artifacts to be followed by the falcoctl sidecar container.
        refs: [falco-rules:0, k8saudit-rules:0.5]
        # -- How often the tool checks for new versions of the followed artifacts.
        every: 6h
        # -- HTTP endpoint that serves the api versions of the Falco instance. It is used to check if the new versions are compatible
        # with the running Falco instance.
        falcoversions: http://localhost:8765/versions
        # -- See the fields of the artifact.install section.
        rulesfilesDir: /rulesfiles
        # -- See the fields of the artifact.install section.
        pluginsDir: /plugins

######################
# falco.yaml config  #
######################
falco:
# File(s) or Directories containing Falco rules, loaded at startup.
# The name "rules_file" is only for backwards compatibility.
# If the entry is a file, it will be read directly. If the entry is a directory,
# every file in that directory will be read, in alphabetical order.
#
# falco_rules.yaml ships with the falco package and is overridden with
# every new software version. falco_rules.local.yaml is only created
# if it doesn't exist. If you want to customize the set of rules, add
# your customizations to falco_rules.local.yaml.
#
# The files will be read in the order presented here, so make sure if
# you have overrides they appear in later files.
  # -- The location of the rules files that will be consumed by Falco.
  rules_file:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/falco_rules.local.yaml
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/rules.d

  #
  # Plugins that are available for use. These plugins are not loaded by
  # default, as they require explicit configuration to point to
  # cloudtrail log files.
  #

  # To learn more about the supported formats for
  # init_config/open_params for the cloudtrail plugin, see the README at
  # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md.
  # -- Plugins configuration. Add here all plugins and their configuration. Please
  # consult the plugins documentation for more info. Remember to add the plugins name in
  # "load_plugins: []" in order to load them in Falco.
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so
      init_config:
        useAsync: false
      #   maxEventSize: 262144
      #   webhookMaxBatchSize: 12582912
      #   sslCertificate: /etc/falco/falco.pem
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so
      init_config: ""

  # Setting this list to empty ensures that the above plugins are *not*
  # loaded and enabled by default. If you want to use the above plugins,
  # set a meaningful init_config/open_params for the cloudtrail plugin
  # and then change this to:
  # load_plugins: [cloudtrail, json]
  # -- Add here the names of the plugins that you want to be loaded by Falco. Please make sure that
  # plugins have been configured under the "plugins" section before adding them here.
  # Please make sure to configure the falcoctl tool to download and install the very same plugins
  # you are loading here. You should add the references in the falcoctl.config.artifact.install.refs array
  # for each plugin you are loading.
  load_plugins: [k8saudit,json]

  # -- Watch config file and rules files for modification.
  # When a file is modified, Falco will propagate new config,
  # by reloading itself.
  watch_config_files: true

  # -- If true, the times displayed in log messages and output messages
  # will be in ISO 8601. By default, times are displayed in the local
  # time zone, as governed by /etc/localtime.
  time_format_iso_8601: false

  # -- If "true", print falco alert messages and rules file
  # loading/validation results as json, which allows for easier
  # consumption by downstream programs. Default is "false".
  json_output: true

  # -- When using json output, whether or not to include the "output" property
  # itself (e.g. "File below a known binary directory opened for writing
  # (user=root ....") in the json output.
  json_include_output_property: true

  # -- When using json output, whether or not to include the "tags" property
  # itself in the json output. If set to true, outputs caused by rules
  # with no tags will have a "tags" field set to an empty array. If set to
  # false, the "tags" field will not be included in the json output at all.
  json_include_tags_property: true

  # -- Send information logs to stderr. Note these are *not* security
  # notification logs! These are just Falco lifecycle (and possibly error) logs.
  log_stderr: true
  # -- Send information logs to syslog. Note these are *not* security
  # notification logs! These are just Falco lifecycle (and possibly error) logs.
  log_syslog: true

  # -- Minimum log level to include in logs. Note: these levels are
  # separate from the priority field of rules. This refers only to the
  # log level of falco's internal logging. Can be one of "emergency",
  # "alert", "critical", "error", "warning", "notice", "info", "debug".
  log_level: debug

  # Falco is capable of managing the logs coming from libs. If enabled,
  # the libs logger send its log records the same outputs supported by
  # Falco (stderr and syslog). Disabled by default.
  libs_logger:
    # -- Enable the libs logger.
    enabled: false
    # -- Minimum log severity to include in the libs logs. Note: this value is
    # separate from the log level of the Falco logger and does not affect it.
    # Can be one of "fatal", "critical", "error", "warning", "notice",
    # "info", "debug", "trace".
    severity: debug

  # -- Minimum rule priority level to load and run. All rules having a
  # priority more severe than this level will be loaded/run.  Can be one
  # of "emergency", "alert", "critical", "error", "warning", "notice",
  # "informational", "debug".
  priority: debug

  # -- Whether or not output to any of the output channels below is
  # buffered. Defaults to false
  buffered_outputs: false

  # Falco uses a shared buffer between the kernel and userspace to pass
  # system call information. When Falco detects that this buffer is
  # full and system calls have been dropped, it can take one or more of
  # the following actions:
  #   - ignore: do nothing (default when list of actions is empty)
  #   - log: log a DEBUG message noting that the buffer was full
  #   - alert: emit a Falco alert noting that the buffer was full
  #   - exit: exit Falco with a non-zero rc
  #
  # Notice it is not possible to ignore and log/alert messages at the same time.
  #
  # The rate at which log/alert messages are emitted is governed by a
  # token bucket. The rate corresponds to one message every 30 seconds
  # with a burst of one message (by default).
  #
  # The messages are emitted when the percentage of dropped system calls
  # with respect the number of events in the last second
  # is greater than the given threshold (a double in the range [0, 1]).
  #
  # For debugging/testing it is possible to simulate the drops using
  # the `simulate_drops: true`. In this case the threshold does not apply.

  syscall_event_drops:
    # -- The messages are emitted when the percentage of dropped system calls
    # with respect the number of events in the last second
    # is greater than the given threshold (a double in the range [0, 1]).
    threshold: .1
    # -- Actions to be taken when system calls were dropped from the circular buffer.
    actions:
      - log
      - alert
    # -- Rate at which log/alert messages are emitted.
    rate: .03333
    # -- Max burst of messages emitted.
    max_burst: 1
    # -- Flag to enable drops for debug purposes.
    simulate_drops: false

  # Falco uses a shared buffer between the kernel and userspace to receive
  # the events (eg., system call information) in userspace.
  #
  # Anyways, the underlying libraries can also timeout for various reasons.
  # For example, there could have been issues while reading an event.
  # Or the particular event needs to be skipped.
  # Normally, it's very unlikely that Falco does not receive events consecutively.
  #
  # Falco is able to detect such uncommon situation.
  #
  # Here you can configure the maximum number of consecutive timeouts without an event
  # after which you want Falco to alert.
  # By default this value is set to 1000 consecutive timeouts without an event at all.
  # How this value maps to a time interval depends on the CPU frequency.

  syscall_event_timeouts:
    # -- Maximum number of consecutive timeouts without an event
    # after which you want Falco to alert.
    max_consecutives: 1000

  # --- [Description]
  #
  # This is an index that controls the dimension of the syscall buffers.
  # The syscall buffer is the shared space between Falco and its drivers where all the syscall events
  # are stored.
  # Falco uses a syscall buffer for every online CPU, and all these buffers share the same dimension.
  # So this parameter allows you to control the size of all the buffers!
  #
  # --- [Usage]
  #
  # You can choose between different indexes: from `1` to `10` (`0` is reserved for future uses).
  # Every index corresponds to a dimension in bytes:
  #
  # [(*), 1 MB, 2 MB, 4 MB, 8 MB, 16 MB, 32 MB, 64 MB, 128 MB, 256 MB, 512 MB]
  #   ^    ^     ^     ^     ^     ^      ^      ^       ^       ^       ^
  #   |    |     |     |     |     |      |      |       |       |       |
  #   0    1     2     3     4     5      6      7       8       9       10
  #
  # As you can see the `0` index is reserved, while the index `1` corresponds to
  # `1 MB` and so on.
  #
  # These dimensions in bytes derive from the fact that the buffer size must be:
  # (1) a power of 2.
  # (2) a multiple of your system_page_dimension.
  # (3) greater than `2 * (system_page_dimension)`.
  #
  # According to these constraints is possible that sometimes you cannot use all the indexes, let's consider an
  # example to better understand it:
  # If you have a `page_size` of 1 MB the first available buffer size is 4 MB because 2 MB is exactly
  # `2 * (system_page_size)` -> `2 * 1 MB`, but this is not enough we need more than `2 * (system_page_size)`!
  # So from this example is clear that if you have a page size of 1 MB the first index that you can use is `3`.
  #
  # Please note: this is a very extreme case just to let you understand the mechanism, usually the page size is something
  # like 4 KB so you have no problem at all and you can use all the indexes (from `1` to `10`).
  #
  # To check your system page size use the Falco `--page-size` command line option. The output on a system with a page
  # size of 4096 Bytes (4 KB) should be the following:
  #
  # "Your system page size is: 4096 bytes."
  #
  # --- [Suggestions]
  #
  # Before the introduction of this param the buffer size was fixed to 8 MB (so index `4`, as you can see
  # in the default value below).
  # You can increase the buffer size when you face syscall drops. A size of 16 MB (so index `5`) can reduce
  # syscall drops in production-heavy systems without noticeable impact. Very large buffers however could
  # slow down the entire machine.
  # On the other side you can try to reduce the buffer size to speed up the system, but this could
  # increase the number of syscall drops!
  # As a final remark consider that the buffer size is mapped twice in the process' virtual memory so a buffer of 8 MB
  # will result in a 16 MB area in the process virtual memory.
  # Please pay attention when you use this parameter and change it only if the default size doesn't fit your use case.
  # -- This is an index that controls the dimension of the syscall buffers.
  syscall_buf_size_preset: 5

  ############## [EXPERIMENTAL] Modern BPF probe specific ##############
  # Please note: these configs regard only the modern BPF probe. They
  # are experimental so they could change over releases.
  #
  # `cpus_for_each_syscall_buffer`
  #
  # --- [Description]
  #
  # This is an index that controls how many CPUs you want to assign to a single
  # syscall buffer (ring buffer). By default, every syscall buffer is associated to
  # 2 CPUs, so the mapping is 1:2. The modern BPF probe allows you to choose different
  # mappings, for example, 1:1 would mean a syscall buffer for each CPU.
  #
  # --- [Usage]
  #
  # You can choose between different indexes: from `0` to `MAX_NUMBER_ONLINE_CPUs`.
  # `0` is a special value and it means a single syscall buffer shared between all
  # your online CPUs. `0` has the same effect as `MAX_NUMBER_ONLINE_CPUs`, the rationale
  # is that `0` allows you to create a single buffer without knowing the number of online
  # CPUs on your system.
  # Let's consider an example to better understand it:
  #
  # Consider a system with 7 online CPUs:
  #
  #          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
  #
  # - `1` means a syscall buffer for each CPU so 7 buffers
  #
  #          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
  #                   |     |  |        |  |  |  |
  #       BUFFERs     0     1  2        3  4  5  6
  #
  # - `2` (Default value) means a syscall buffer for each CPU pair, so 4 buffers
  #
  #          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
  #                   |     |  |        |  |  |  |
  #       BUFFERs     0     0  1        1  2  2  3
  #
  # Please note that we need 4 buffers, 3 buffers are associated with CPU pairs, the last
  # one is mapped with just 1 CPU since we have an odd number of CPUs.
  #
  # - `0` or `MAX_NUMBER_ONLINE_CPUs` mean a syscall buffer shared between all CPUs, so 1 buffer
  #
  #          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
  #                   |     |  |        |  |  |  |
  #       BUFFERs     0     0  0        0  0  0  0
  #
  # Moreover you can combine this param with `syscall_buf_size_preset`
  # index, for example, you could create a huge single syscall buffer
  # shared between all your online CPUs of 512 MB (so `syscall_buf_size_preset=10`).
  #
  # --- [Suggestions]
  #
  # We chose index `2` (so one syscall buffer for each CPU pair) as default because the modern bpf probe
  # follows a different memory allocation strategy with respect to the other 2 drivers (bpf and kernel module).
  # By the way, you are free to find the preferred configuration for your system.
  # Considering a fixed `syscall_buf_size_preset` and so a fixed buffer dimension:
  # - a lower number of buffers can speed up your system (lower memory footprint)
  # - a too lower number of buffers could increase contention in the kernel causing an
  #   overall slowdown of the system.
  # If you don't have huge events throughputs and you are not experimenting with tons of drops
  # you can try to reduce the number of buffers to have a lower memory footprint

  modern_bpf:
    # -- [MODERN PROBE ONLY] This is an index that controls how many CPUs you want to assign to a single syscall buffer.
    cpus_for_each_syscall_buffer: 2
  ############## [EXPERIMENTAL] Modern BPF probe specific ##############

  # Falco continuously monitors outputs performance. When an output channel does not allow
  # to deliver an alert within a given deadline, an error is reported indicating
  # which output is blocking notifications.
  # The timeout error will be reported to the log according to the above log_* settings.
  # Note that the notification will not be discarded from the output queue; thus,
  # output channels may indefinitely remain blocked.
  # An output timeout error indeed indicate a misconfiguration issue or I/O problems
  # that cannot be recovered by Falco and should be fixed by the user.
  #
  # The "output_timeout" value specifies the duration in milliseconds to wait before
  # considering the deadline exceed.
  #
  # With a 2000ms default, the notification consumer can block the Falco output
  # for up to 2 seconds without reaching the timeout.
  # -- Duration in milliseconds to wait before considering the output timeout deadline exceed.
  output_timeout: 2000

  # A throttling mechanism implemented as a token bucket limits the
  # rate of Falco notifications. One rate limiter is assigned to each event
  # source, so that alerts coming from one can't influence the throttling
  # mechanism of the others. This is controlled by the following options:
  #  - rate: the number of tokens (i.e. right to send a notification)
  #    gained per second. When 0, the throttling mechanism is disabled.
  #    Defaults to 0.
  #  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
  #
  # With these defaults, the throttling mechanism is disabled.
  # For example, by setting rate to 1 Falco could send up to 1000 notifications
  # after an initial quiet period, and then up to 1 notification per second
  # afterward. It would gain the full burst back after 1000 seconds of
  # no activity.

  outputs:
    # -- Number of tokens gained per second.
    rate: 1
    # -- Maximum number of tokens outstanding.
    max_burst: 1000

  # Where security notifications should go.
  # Multiple outputs can be enabled.

  syslog_output:
    # -- Enable syslog output for security notifications.
    enabled: true

  # If keep_alive is set to true, the file will be opened once and
  # continuously written to, with each output message on its own
  # line. If keep_alive is set to false, the file will be re-opened
  # for each output message.
  #
  # Also, the file will be closed and reopened if falco is signaled with
  # SIGUSR1.

  file_output:
    # -- Enable file output for security notifications.
    enabled: false
    # -- Open file once or every time a new notification arrives.
    keep_alive: false
    # -- The filename for logging notifications.
    filename: ./events.txt

  stdout_output:
    # -- Enable stdout output for security notifications.
    enabled: true

  # Falco contains an embedded webserver that exposes a healthy endpoint that can be used to check if Falco is up and running.
  # By default the endpoint is /healthz
  #
  # The ssl_certificate is a combination SSL Certificate and corresponding
  # key contained in a single file. You can generate a key/cert as follows:
  #
  # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
  # $ cat certificate.pem key.pem > falco.pem
  # $ sudo cp falco.pem /etc/falco/falco.pem
  webserver:
    # -- Enable Falco embedded webserver.
    enabled: true
    # -- Number of threads depending on the number of online cores.
    threadiness: 0
    # -- Port where Falco embedded webserver listen to connections.
    listen_port: 8765
    # -- Endpoint where Falco exposes the health status.
    k8s_healthz_endpoint: /healthz
    # -- Enable SSL on Falco embedded webserver.
    ssl_enabled: false
    # -- Certificate bundle path for the Falco embedded webserver.
    ssl_certificate: /etc/falco/falco.pem

  # Possible additional things you might want to do with program output:
  #   - send to a slack webhook:
  #         program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
  #   - logging (alternate method than syslog):
  #         program: logger -t falco-test
  #   - send over a network connection:
  #         program: nc host.example.com 80

  # If keep_alive is set to true, the program will be started once and
  # continuously written to, with each output message on its own
  # line. If keep_alive is set to false, the program will be re-spawned
  # for each output message.
  #
  # Also, the program will be closed and reopened if falco is signaled with
  # SIGUSR1.
  program_output:
    # -- Enable program output for security notifications.
    enabled: false
    # -- Start the program once or re-spawn when a notification arrives.
    keep_alive: false
    # -- Command to execute for program output.
    program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"

  http_output:
    # -- Enable http output for security notifications.
    enabled: false
    # -- When set, this will override an auto-generated URL which matches the falcosidekick Service.
    # -- When including Falco inside a parent helm chart, you must set this since the auto-generated URL won't match (#280).
    url: ""
    user_agent: "falcosecurity/falco"

  # Falco supports running a gRPC server with two main binding types
  # 1. Over the network with mandatory mutual TLS authentication (mTLS)
  # 2. Over a local unix socket with no authentication
  # By default, the gRPC server is disabled, with no enabled services (see grpc_output)
  # please comment/uncomment and change accordingly the options below to configure it.
  # Important note: if Falco has any troubles creating the gRPC server
  # this information will be logged, however the main Falco daemon will not be stopped.
  # gRPC server over network with (mandatory) mutual TLS configuration.
  # This gRPC server is secure by default so you need to generate certificates and update their paths here.
  # By default the gRPC server is off.
  # You can configure the address to bind and expose it.
  # By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use.
  # grpc:
  #   enabled: true
  #   bind_address: "0.0.0.0:5060"
  #   # when threadiness is 0, Falco sets it by automatically figuring out the number of online cores
  #   threadiness: 0
  #   private_key: "/etc/falco/certs/server.key"
  #   cert_chain: "/etc/falco/certs/server.crt"
  #   root_certs: "/etc/falco/certs/ca.crt"

  # -- gRPC server using an unix socket
  grpc:
    # -- Enable the Falco gRPC server.
    enabled: false
    # -- Bind address for the grpc server.
    bind_address: "unix:///run/falco/falco.sock"
    # -- Number of threads (and context) the gRPC server will use, 0 by default, which means "auto".
    threadiness: 0

  # gRPC output service.
  # By default it is off.
  # By enabling this all the output events will be kept in memory until you read them with a gRPC client.
  # Make sure to have a consumer for them or leave this disabled.
  grpc_output:
    # -- Enable the gRPC output and events will be kept in memory until you read them with a gRPC client.
    enabled: false

  # Container orchestrator metadata fetching params
  metadata_download:
    # -- Max allowed response size (in Mb) when fetching metadata from Kubernetes.
    max_mb: 100
    # -- Sleep time (in μs) for each download chunck when fetching metadata from Kubernetes.
    chunk_wait_us: 1000
    # -- Watch frequency (in seconds) when fetching metadata from Kubernetes.
    watch_freq_sec: 1

[vinylen]

We could workaround this issue temporarily by pinning the k8saudit-rules to version 0.5.0:

artifact:
  install:
    refs: [falco-rules:0, k8saudit-rules:0.5.0]
  follow:
    refs: [falco-rules:0, k8saudit-rules:0.5.0]

[alacuku]

Hi @vinylen, we released version 0.5.3 of k8saudit-rules that fixes the mismatching plugin version. For people with this problem, a restart of the Falco pods should be enough to pull the latest k8saudit-rules.

Sorry for the inconvenience and thanks for the workaround!

[vinylen]

0.5.3 looks good, thank you for the quick fix!

[Mohsen51]

I got the same issue last thursday my falco pods were down for few hours on my clusters between the release of the versions 0.5.2 and 0.5.3. We first pinned the version like @vinylen did, but unpinned once you released the patch 0.5.3. Thank you for the fix !