From a138caf3a836f61c8482dfdbc59f0e90eca2a23a Mon Sep 17 00:00:00 2001 
From: Taylor Bot Date: Wed, 5 Feb 2025 16:40:38 +0100 Subject: [PATCH] Automated update from upstream (#290) * Update falco chart version to v4.19.0 * Automated update from upstream * Update falco tag * Use `falco` as image again * Update changelog * Add renovate regex --------- Co-authored-by: Franco --- CHANGELOG.md | 4 + helm/falco/Chart.lock | 13 +- helm/falco/Chart.yaml | 10 +- helm/falco/charts/falco-exporter/CHANGELOG.md | 8 + helm/falco/charts/falco-exporter/Chart.yaml | 2 +- helm/falco/charts/falco-exporter/README.md | 7 +- .../templates/prometheusrule.yaml | 10 +- helm/falco/charts/falco-exporter/values.yaml | 5 + helm/falco/charts/falco/CHANGELOG.md | 176 +- helm/falco/charts/falco/Chart.yaml | 6 +- helm/falco/charts/falco/README.gotmpl | 29 +- helm/falco/charts/falco/README.md | 77 +- .../falco/dashboards/falco-dashboard.json | 2631 +++++++++++++++++ .../falco/charts/falco/templates/_helpers.tpl | 32 +- .../charts/falco/templates/configmap.yaml | 1 + .../templates/falco-dashboard-grafana.yaml | 22 + .../charts/falco/templates/pod-template.tpl | 54 +- .../falco/charts/falco/templates/service.yaml | 7 + .../falco/templates/serviceMonitor.yaml | 3 + .../charts/falco/tests/unit/chartInfo.go | 34 + .../containerEnginesConfiguration_test.go | 230 ++ .../falco/tests/unit/driverLoader_test.go | 73 + .../tests/unit/grafanaDashboards_test.go | 144 + .../unit/k8smetacollectorDependency_test.go | 89 +- .../falco/tests/unit/metricsConfig_test.go | 51 +- .../tests/unit/serviceMonitorTemplate_test.go | 68 +- .../falco/tests/unit/serviceTemplate_test.go | 178 ++ helm/falco/charts/falco/values-k8saudit.yaml | 7 +- .../charts/falco/values-syscall-k8saudit.yaml | 6 +- helm/falco/charts/falco/values.yaml | 201 +- helm/falco/charts/falcosidekick/CHANGELOG.md | 66 +- helm/falco/charts/falcosidekick/Chart.yaml | 4 +- helm/falco/charts/falcosidekick/README.md | 63 +- .../falcosidekick-grafana-dashboard.json | 1696 +++++++++++ .../falcosidekick-loki-dashboard.json | 640 ++++ 
.../configmap-grafana-dashboard.yaml | 28 + .../falcosidekick/templates/configmap-ui.yaml | 46 + .../templates/deployment-ui.yaml | 47 +- .../falcosidekick-loki-dashboard-grafana.yaml | 22 + .../templates/prometheusrule.yaml | 12 +- .../falcosidekick/templates/secrets-ui.yaml | 10 +- .../falcosidekick/templates/secrets.yaml | 75 +- .../falcosidekick/templates/service-ui.yaml | 6 +- .../falcosidekick/templates/service.yaml | 1 - helm/falco/charts/falcosidekick/values.yaml | 114 +- .../charts/k8s-metacollector/CHANGELOG.md | 12 +- .../falco/charts/k8s-metacollector/Chart.yaml | 2 +- helm/falco/charts/k8s-metacollector/README.md | 3 +- .../k8s-metacollector-dashboard.json | 566 ++-- .../templates/deployment.yaml | 3 + .../charts/k8s-metacollector/values.yaml | 4 +- helm/falco/values.yaml | 4 +- vendir.lock.yml | 6 +- vendir.yml | 2 +- 54 files changed, 7079 insertions(+), 531 deletions(-) create mode 100644 helm/falco/charts/falco/dashboards/falco-dashboard.json create mode 100644 helm/falco/charts/falco/templates/falco-dashboard-grafana.yaml create mode 100644 helm/falco/charts/falco/tests/unit/chartInfo.go create mode 100644 helm/falco/charts/falco/tests/unit/containerEnginesConfiguration_test.go create mode 100644 helm/falco/charts/falco/tests/unit/grafanaDashboards_test.go create mode 100644 helm/falco/charts/falco/tests/unit/serviceTemplate_test.go create mode 100644 helm/falco/charts/falcosidekick/dashboards/falcosidekick-grafana-dashboard.json create mode 100644 helm/falco/charts/falcosidekick/dashboards/falcosidekick-loki-dashboard.json create mode 100644 helm/falco/charts/falcosidekick/templates/configmap-grafana-dashboard.yaml create mode 100644 helm/falco/charts/falcosidekick/templates/configmap-ui.yaml create mode 100644 helm/falco/charts/falcosidekick/templates/falcosidekick-loki-dashboard-grafana.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 6bf2a863..132a80fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Changed + +- Update `Falco` to upstream version `0.40.0` + ## [0.9.1] - 2024-10-23 ### Changed diff --git a/helm/falco/Chart.lock b/helm/falco/Chart.lock index 12b3ede9..83404599 100644 --- a/helm/falco/Chart.lock +++ b/helm/falco/Chart.lock @@ -1,12 +1,15 @@ dependencies: - name: falco repository: "" - version: 4.6.1 + version: 4.19.0 - name: falco-exporter repository: "" - version: 0.11.0 + version: 0.12.1 - name: falcosidekick repository: "" - version: 0.8.2 -digest: sha256:c3839c7fff0900ee484adea35efb0290893c46cc835ce75a946d26d352ead7f4 -generated: "2024-07-17T09:53:49.849810879Z" + version: 0.9.5 +- name: k8s-metacollector + repository: "" + version: 0.1.10 +digest: sha256:8842fd8f498047454bf2077ca28a2e49beeba96736d4dcdd6b875f54e3a07958 +generated: "2025-02-04T20:48:26.183961037Z" diff --git a/helm/falco/Chart.yaml b/helm/falco/Chart.yaml index 394ffec0..372a64a9 100644 --- a/helm/falco/Chart.yaml +++ b/helm/falco/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.38.1 +appVersion: 0.40.0 annotations: application.giantswarm.io/team: "shield" config.giantswarm.io/version: 1.x.x @@ -7,16 +7,16 @@ annotations: dependencies: - name: falco condition: falco.enabled - version: 4.6.1 + version: 4.19.0 - name: falco-exporter condition: falco-exporter.enabled - version: 0.11.0 + version: 0.12.1 - name: falcosidekick condition: falcosidekick.enabled - version: 0.8.2 + version: 0.9.5 - name: k8s-metacollector condition: k8s-metacollector.enabled - version: 0.1.8 + version: 0.1.10 description: A Helm chart for falco engine: gotpl home: https://github.com/giantswarm/falco-app diff --git a/helm/falco/charts/falco-exporter/CHANGELOG.md b/helm/falco/charts/falco-exporter/CHANGELOG.md index c36efa4f..f88ebc00 100644 --- a/helm/falco/charts/falco-exporter/CHANGELOG.md +++ b/helm/falco/charts/falco-exporter/CHANGELOG.md 
@@ -3,6 +3,14 @@ This file documents all notable changes to `falco-exporter` Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v0.12.1 + +* fix bug in 'for' for falco exporter prometheus rules + +## v0.12.0 + +* make 'for' configurable for falco exporter prometheus rules + ## v0.11.0 * updated grafana dashboard diff --git a/helm/falco/charts/falco-exporter/Chart.yaml b/helm/falco/charts/falco-exporter/Chart.yaml index 037ed8ca..0f085403 100644 --- a/helm/falco/charts/falco-exporter/Chart.yaml +++ b/helm/falco/charts/falco-exporter/Chart.yaml @@ -14,7 +14,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 0.11.0 +version: 0.12.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/helm/falco/charts/falco-exporter/README.md b/helm/falco/charts/falco-exporter/README.md index ca95dfc6..e4761c90 100644 --- a/helm/falco/charts/falco-exporter/README.md +++ b/helm/falco/charts/falco-exporter/README.md @@ -70,7 +70,7 @@ helm install falco-exporter \ ## Configuration -The following table lists the main configurable parameters of the falco-exporter chart v0.11.0 and their default values. Please, refer to [values.yaml](./values.yaml) for the full list of configurable parameters. +The following table lists the main configurable parameters of the falco-exporter chart v0.12.1 and their default values. Please, refer to [values.yaml](./values.yaml) for the full list of configurable parameters. ## Values 
@@ -116,18 +116,23 @@ The following table lists the main configurable parameters of the falco-exporter | priorityClassName | string | `""` | priorityClassName specifies the name of the PriorityClass for the pods. | | prometheusRules.alerts.additionalAlerts | object | `{}` | | | prometheusRules.alerts.alert.enabled | bool | `true` | | +| prometheusRules.alerts.alert.for | string | `"5m"` | | | prometheusRules.alerts.alert.rate_interval | string | `"5m"` | | | prometheusRules.alerts.alert.threshold | int | `0` | | | prometheusRules.alerts.critical.enabled | bool | `true` | | +| prometheusRules.alerts.critical.for | string | `"15m"` | | | prometheusRules.alerts.critical.rate_interval | string | `"5m"` | | | prometheusRules.alerts.critical.threshold | int | `0` | | | prometheusRules.alerts.emergency.enabled | bool | `true` | | +| prometheusRules.alerts.emergency.for | string | `"1m"` | | | prometheusRules.alerts.emergency.rate_interval | string | `"1m"` | | | prometheusRules.alerts.emergency.threshold | int | `0` | | | prometheusRules.alerts.error.enabled | bool | `true` | | +| prometheusRules.alerts.error.for | string | `"15m"` | | | prometheusRules.alerts.error.rate_interval | string | `"5m"` | | | prometheusRules.alerts.error.threshold | int | `0` | | | prometheusRules.alerts.warning.enabled | bool | `true` | | +| prometheusRules.alerts.warning.for | string | `"15m"` | | | prometheusRules.alerts.warning.rate_interval | string | `"5m"` | | | prometheusRules.alerts.warning.threshold | int | `0` | | | prometheusRules.enabled | bool | `false` | enabled specifies whether the prometheus rules should be deployed. | diff --git a/helm/falco/charts/falco-exporter/templates/prometheusrule.yaml b/helm/falco/charts/falco-exporter/templates/prometheusrule.yaml index d495d70f..c160e6f5 100644 --- a/helm/falco/charts/falco-exporter/templates/prometheusrule.yaml +++ b/helm/falco/charts/falco-exporter/templates/prometheusrule.yaml 
@@ -31,7 +31,7 @@ spec: summary: Falco is experiencing high rate of warning events description: A high rate of warning events are being detected by Falco expr: rate(falco_events{priority="4"}[{{ .Values.prometheusRules.alerts.warning.rate_interval }}]) > {{ .Values.prometheusRules.alerts.warning.threshold }} - for: 15m + for: {{ .Values.prometheusRules.alerts.warning.for }} labels: severity: warning {{- end }} @@ -41,7 +41,7 @@ spec: summary: Falco is experiencing high rate of error events description: A high rate of error events are being detected by Falco expr: rate(falco_events{priority="3"}[{{ .Values.prometheusRules.alerts.error.rate_interval }}]) > {{ .Values.prometheusRules.alerts.error.threshold }} - for: 15m + for: {{ .Values.prometheusRules.alerts.error.for }} labels: severity: warning {{- end }} @@ -51,7 +51,7 @@ spec: summary: Falco is experiencing high rate of critical events description: A high rate of critical events are being detected by Falco expr: rate(falco_events{priority="2"}[{{ .Values.prometheusRules.alerts.critical.rate_interval }}]) > {{ .Values.prometheusRules.alerts.critical.threshold }} - for: 15m + for: {{ .Values.prometheusRules.alerts.critical.for }} labels: severity: critical {{- end }} @@ -61,7 +61,7 @@ spec: summary: Falco is experiencing high rate of alert events description: A high rate of alert events are being detected by Falco expr: rate(falco_events{priority="1"}[{{ .Values.prometheusRules.alerts.alert.rate_interval }}]) > {{ .Values.prometheusRules.alerts.alert.threshold }} - for: 5m + for: {{ .Values.prometheusRules.alerts.alert.for }} labels: severity: critical {{- end }} 
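Review bot: The new `for:` line in the warning rule is rendered straight from values with no quoting or fallback, and the same pattern repeats in the error, critical and alert hunks here and in the emergency hunk that follows. If an override sets the key to null or an empty string, the template presumably emits a bare `for:`, and a rule on Falco events could then be rejected or lose its hold period without anyone noticing. I would write `for: {{ .Values.prometheusRules.alerts.warning.for | default "15m" | quote }}`, using each rule's previous hard-coded duration as the fallback (`5m` for alert, `1m` for emergency). Each rule block opens above its hunk, so the surrounding conditional is not visible here; if this chart is synced from upstream, the change belongs there.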
@@ -71,7 +71,7 @@ spec: summary: Falco is experiencing high rate of emergency events description: A high rate of emergency events are being detected by Falco expr: rate(falco_events{priority="0"}[{{ .Values.prometheusRules.alerts.emergency.rate_interval }}]) > {{ .Values.prometheusRules.alerts.emergency.threshold }} - for: 1m + for: {{ .Values.prometheusRules.alerts.emergency.for }} labels: severity: critical {{- end }} diff --git a/helm/falco/charts/falco-exporter/values.yaml b/helm/falco/charts/falco-exporter/values.yaml index 2015a2af..3c6d12fb 100644 --- a/helm/falco/charts/falco-exporter/values.yaml +++ b/helm/falco/charts/falco-exporter/values.yaml @@ -198,20 +198,25 @@ prometheusRules: enabled: true rate_interval: "5m" threshold: 0 + for: "15m" error: enabled: true rate_interval: "5m" threshold: 0 + for: "15m" critical: enabled: true rate_interval: "5m" threshold: 0 + for: "15m" alert: enabled: true rate_interval: "5m" threshold: 0 + for: "5m" emergency: enabled: true rate_interval: "1m" threshold: 0 + for: "1m" additionalAlerts: {} diff --git a/helm/falco/charts/falco/CHANGELOG.md b/helm/falco/charts/falco/CHANGELOG.md index d12d0bb7..93a59447 100644 --- a/helm/falco/charts/falco/CHANGELOG.md +++ b/helm/falco/charts/falco/CHANGELOG.md 
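Review bot: The five `for` keys added under `prometheusRules.alerts` carry no comment, and the matching rows added to the chart README table have an empty description, so an operator gets no guidance on how `for` relates to `rate_interval`. The rule expression is `rate(falco_events{...}[rate_interval]) > threshold`, so with `for` longer than `rate_interval` (the warning, error and critical defaults are `15m` against `5m`) a short burst of events likely drops out of the rate window before the alert leaves pending, and it never fires. I would add above each key a comment such as `# -- for is how long the rate must stay above threshold before the alert fires; a value above rate_interval means only sustained event streams alert`. The `prometheusRules` block starts above the hunk, so the file's existing comment style is not visible and the `# --` form is an assumption.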
@@ -3,6 +3,180 @@ This file documents all notable changes to Falco Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v4.19.0 + +* fix falco version to 0.40.0 + +## v4.18.0 + +* update the chart for falco 0.40; +* remove deprecated cli flag `--cri` and use instead the configuration file. More info here: https://github.com/falcosecurity/falco/pull/3329 +* use new falco images, for more info see: https://github.com/falcosecurity/falco/issues/3165 + +## v4.17.2 + +* update(falco): add ports definition in falco container spec + +## v4.17.1 + +* docs(falco): update README.md to reflect latest driver configuration and correct broken links + +## v4.17.0 + +* update(falco): bump k8saudit version to 0.11 + +## v4.16.2 + +* fix(falco): set dnsPolicy to ClusterFirstWithHostNet when gvisor driver is enabled to prevent DNS lookup failures for cluster-internal services + +## v4.16.1 + +* fix(falco/serviceMonitor): set service label selector +* new(falco/tests): add unit tests for serviceMonitor label selector + +## v4.16.0 + +* bump falcosidekick dependency to v0.9.* to match with future versions + +## v4.15.1 + +* fix: change the url for the concurrent queue classes docs + +## v4.15.0 + +* update(falco): bump falco version to 0.39.2 and falcoctl to 0.10.1 + +## v4.14.2 + +* fix(falco/readme): use `rules_files` instead of deprecated `rules_file` in README config snippet + +## v4.14.1 + +* fix(falco/dashboard): make pod variable independent of triggered rules. CPU and memory are now visible for each + pod, even when no rules have been triggered for that falco instance. + +## v4.14.0 + +* Bump k8smeta plugin to 0.2.1, see: https://github.com/falcosecurity/plugins/releases/tag/plugins%2Fk8smeta%2Fv0.2.1 + +## v4.13.0 + +* Expose new config entries for k8smeta plugin:`verbosity` and `hostProc`. 
+ +## v4.12.0 + +* Set apparmor to `unconfined` (disabled) when `leastPrivileged: true` and (`kind: modern_ebpf` or `kind: ebpf`) + +## v4.11.2 + +* only prints env key if there are env values to be passed on `falcoctl.initContainer` and `falcoctl.sidecar` + +## v4.11.1 + +* add details for the scap drops buffer charts with the dir and drops labels + +## v4.11.0 + +* new(falco): add grafana dashboard for falco + +## v4.10.0 + +* Bump Falco to v0.39.1 + +## v4.9.1 + +* feat(falco): add labels and annotations to the metrics service + +## v4.9.0 + +* Bump Falco to v0.39.0 +* update(falco): add new configuration entries for Falco + This commit adds new config keys introduces in Falco 0.39.0. + Furthermore, updates the unit tests for the latest changes + in the values.yaml. +* cleanup(falco): remove deprecated falco configuration + This commit removes the "output" config key that has + been deprecated in falco. +* update(falco): mount proc filesystem for plugins + The following PR in libs https://github.com/falcosecurity/libs/pull/1969 + introduces a new platform for plugins that requires access to the + proc filesystem. +* fix(falco): update broken link pointing to Falco docs + After the changes made by the following PR to the Falco docs https://github.com/falcosecurity/falco-website/pull/1362 + this commit updates a broken link. + +## v4.8.3 + +* The init container, when driver.kind=auto, automatically generates + a new Falco configuration file and selects the appropriate engine + kind based on the environment where Falco is deployed. + + With this commit, along with falcoctl PR #630, the Helm charts now + support different driver kinds for Falco instances based on the + specific node they are running on. When driver.kind=auto is set, + each Falco instance dynamically selects the most suitable + driver (e.g., ebpf, kmod, modern_ebpf) for the node. 
+ +-------------------------------------------------------+ + | Kubernetes Cluster | + | | + | +-------------------+ +-------------------+ | + | | Node 1 | | Node 2 | | + | | | | | | + | | Falco (ebpf) | | Falco (kmod) | | + | +-------------------+ +-------------------+ | + | | + | +-------------------+ | + | | Node 3 | | + | | | | + | | Falco (modern_ebpf)| | + | +-------------------+ | + +-------------------------------------------------------+ + +## v4.8.2 + +* fix(falco): correctly mount host filesystems when driver.kind is auto + + When falco runs with kmod/module driver it needs special filesystems + to be mounted from the host such /dev and /sys/module/falco. + This commit ensures that we mount them in the falco container. + + Note that, the /sys/module/falco is now mounted as /sys/module since + we do not know which kind of driver will be used. The falco folder + exists under /sys/module only when the kernel module is loaded, + hence it's not possible to use the /sys/module/falco hostpath when driver.kind + is set to auto. + +## v4.8.1 + +* fix(falcosidekick): add support for custom service type for webui redis + +## v4.8.0 + +* Upgrade Falco version to 0.38.2 + +## v4.7.2 + +* use rules_files key in the preset values files + +## v4.7.1 + +* fix(falco/config): use rules_files instead of deprecated key rules_file + +## v4.7.0 + +* bump k8smeta plugin to version 0.2.0. The new version, resolves a bug that prevented the plugin + from populating the k8smeta fields. For more info see: + * https://github.com/falcosecurity/plugins/issues/514 + * https://github.com/falcosecurity/plugins/pull/517 + +## v4.6.3 + +* fix(falco): mount client-certs-volume only if certs.existingClientSecret is defined + +## v4.6.2 + +* bump falcosidekick dependency to v0.8.* to match with future versions + ## v4.6.1 * bump falcosidekick dependency to v0.8.2 (fixes bug when using externalRedis in UI) 
@@ -172,7 +346,7 @@ The new chart introduces some breaking changes. For folks upgrading Falco please ## v3.3.0 * Upgrade Falco to 0.35.1. For more info see the release notes: https://github.com/falcosecurity/falco/releases/tag/0.35.1 * Upgrade falcoctl to 0.5.1. For more info see the release notes: https://github.com/falcosecurity/falcoctl/releases/tag/v0.5.1 -* Introduce least privileged mode in modern ebpf. For more info see: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-2 +* Introduce least privileged mode in modern ebpf. For more info see: https://falco.org/docs/setup/container/#docker-least-privileged-modern-ebpf ## v3.2.1 * Set falco.http_output.url to empty string in values.yaml file diff --git a/helm/falco/charts/falco/Chart.yaml b/helm/falco/charts/falco/Chart.yaml index 1bced3db..1bbf64fc 100644 --- a/helm/falco/charts/falco/Chart.yaml +++ b/helm/falco/charts/falco/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: falco -version: 4.6.1 -appVersion: "0.38.1" +version: 4.19.0 +appVersion: "0.40.0" description: Falco keywords: - monitoring @@ -19,7 +19,7 @@ maintainers: email: cncf-falco-dev@lists.cncf.io dependencies: - name: falcosidekick - version: "0.8.2" + version: "0.9.*" condition: falcosidekick.enabled repository: https://falcosecurity.github.io/charts - name: k8s-metacollector diff --git a/helm/falco/charts/falco/README.gotmpl b/helm/falco/charts/falco/README.gotmpl index a50c32d0..02f10d9c 100644 --- a/helm/falco/charts/falco/README.gotmpl +++ b/helm/falco/charts/falco/README.gotmpl 
@@ -47,17 +47,18 @@ The cluster in our example has three nodes, one *control-plane* node and two *wo ### Falco, Event Sources and Kubernetes Starting from Falco 0.31.0 the [new plugin system](https://falco.org/docs/plugins/) is stable and production ready. The **plugin system** can be seen as the next step in the evolution of Falco. Historically, Falco monitored system events from the **kernel** trying to detect malicious behaviors on Linux systems. It also had the capability to process k8s Audit Logs to detect suspicious activities in Kubernetes clusters. Since Falco 0.32.0 all the related code to the k8s Audit Logs in Falco was removed and ported in a [plugin](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit). At the time being Falco supports different event sources coming from **plugins** or **drivers** (system events). -Note that **a Falco instance can handle multiple event sources in parallel**. you can deploy Falco leveraging **drivers** for syscall events and at the same time loading **plugins**. A step by step guide on how to deploy Falco with multiple sources can be found [here](https://falco.org/docs/getting-started/third-party/learning/#falco-with-multiple-sources). +Note that **a Falco instance can handle multiple event sources in parallel**. you can deploy Falco leveraging **drivers** for syscall events and at the same time loading **plugins**. A step by step guide on how to deploy Falco with multiple sources can be found [here](https://falco.org/docs/getting-started/learning-environments/#falco-with-multiple-sources). #### About Drivers Falco needs a **driver** to analyze the system workload and pass security events to userspace. 
The supported drivers are: -* [Kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) -* [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe) -* [Modern eBPF probe](https://falco.org/docs/event-sources/drivers/#modern-ebpf-probe) +* [Modern eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#modern-ebpf-probe) +* [Kernel module](https://falco.org/docs/concepts/event-sources/kernel/#kernel-module) +* [Legacy eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#legacy-ebpf-probe) + +The driver must be loaded on the node where Falco is running. Falco now prefers the **Modern eBPF probe** by default. When using **falcoctl** with `driver.kind=auto`, it will automatically choose the best driver for your system. Specifically, it first attempts to use the Modern eBPF probe (which is shipped directly within the Falco binary) and will fall back to the _kernel module_ or the _original eBPF probe_ if the necessary BPF features are not available. -The driver should be installed on the node where Falco is running. The _kernel module_ (default option) and the _eBPF probe_ are installed on the node through an *init container* (i.e. `falco-driver-loader`) that tries download a prebuilt driver or build it on-the-fly as a fallback. The _Modern eBPF probe_ doesn't require an init container because it is shipped directly into the Falco binary. However, the _Modern eBPF probe_ requires [recent BPF features](https://falco.org/docs/event-sources/kernel/#modern-ebpf-probe). ##### Pre-built drivers 
@@ -146,20 +147,24 @@ After the clarification of the different [**event sources**](#falco-event-source The chart deploys Falco using a `daemonset` or a `deployment` depending on the **event sources**. #### Daemonset -When using the [drivers](#about-the-driver), Falco is deployed as `daemonset`. By using a `daemonset`, k8s assures that a Falco instance will be running in each of our nodes even when we add new nodes to our cluster. So it is the perfect match when we need to monitor all the nodes in our cluster. +When using the [drivers](#about-the-driver), Falco is typically deployed as a `DaemonSet`. By using a DaemonSet, Kubernetes ensures that a Falco instance is running on each node even as new nodes are added to your cluster. This makes it a perfect fit for monitoring across the entire cluster. + +By default, with `driver.kind=auto`, the correct driver will will be automatically selected for each node. This is accomplished through the **driver loader** (implemented by `falcoctl`), which generates a new Falco configuration file and picks the right engine driver (Modern eBPF, kmod, or legacy eBPF) based on the underlying environment. If you prefer to manually force a specific driver, see the other available options below. 
**Kernel module** -To run Falco with the [kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) you can use the default values of the helm chart: + +To run Falco with the [eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#kernel-module) you just need to set `driver.kind=kmod` as shown in the following snippet: ```bash helm install falco falcosecurity/falco \ --create-namespace \ --namespace falco + --set driver.kind=kmod ``` -**eBPF probe** +**Legacy eBPF probe** -To run Falco with the [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe) you just need to set `driver.kind=ebpf` as shown in the following snippet: +To run Falco with the [eBPF probe](http://falco.org/docs/concepts/event-sources/kernel/#legacy-ebpf-probe) you just need to set `driver.kind=ebpf` as shown in the following snippet: ```bash helm install falco falcosecurity/falco \ @@ -177,9 +182,9 @@ helm install falco falcosecurity/falco \ -f "path-to-custom-values.yaml-file" ``` -**modern eBPF probe** +**Modern eBPF probe** -To run Falco with the [modern eBPF probe](https://falco.org/docs/event-sources/drivers/#modern-ebpf-probe-experimental) you just need to set `driver.kind=modern_bpf` as shown in the following snippet: +To run Falco with the [modern eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#modern-ebpf-probe) you just need to set `driver.kind=modern_bpf` as shown in the following snippet: ```bash helm install falco falcosecurity/falco \ @@ -385,7 +390,7 @@ services: protocol: TCP falco: - rules_file: + rules_files: - /etc/falco/k8s_audit_rules.yaml - /etc/falco/rules.d plugins: diff --git a/helm/falco/charts/falco/README.md b/helm/falco/charts/falco/README.md index 899f4ab0..971fde59 100644 --- a/helm/falco/charts/falco/README.md +++ b/helm/falco/charts/falco/README.md 
@@ -47,17 +47,17 @@ The cluster in our example has three nodes, one *control-plane* node and two *wo ### Falco, Event Sources and Kubernetes Starting from Falco 0.31.0 the [new plugin system](https://falco.org/docs/plugins/) is stable and production ready. The **plugin system** can be seen as the next step in the evolution of Falco. Historically, Falco monitored system events from the **kernel** trying to detect malicious behaviors on Linux systems. It also had the capability to process k8s Audit Logs to detect suspicious activities in Kubernetes clusters. Since Falco 0.32.0 all the related code to the k8s Audit Logs in Falco was removed and ported in a [plugin](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit). At the time being Falco supports different event sources coming from **plugins** or **drivers** (system events). -Note that **a Falco instance can handle multiple event sources in parallel**. you can deploy Falco leveraging **drivers** for syscall events and at the same time loading **plugins**. A step by step guide on how to deploy Falco with multiple sources can be found [here](https://falco.org/docs/getting-started/third-party/learning/#falco-with-multiple-sources). +Note that **a Falco instance can handle multiple event sources in parallel**. you can deploy Falco leveraging **drivers** for syscall events and at the same time loading **plugins**. A step by step guide on how to deploy Falco with multiple sources can be found [here](https://falco.org/docs/getting-started/learning-environments/#falco-with-multiple-sources). #### About Drivers Falco needs a **driver** to analyze the system workload and pass security events to userspace. 
The supported drivers are: -* [Kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) -* [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe) -* [Modern eBPF probe](https://falco.org/docs/event-sources/drivers/#modern-ebpf-probe) +* [Modern eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#modern-ebpf-probe) +* [Kernel module](https://falco.org/docs/concepts/event-sources/kernel/#kernel-module) +* [Legacy eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#legacy-ebpf-probe) -The driver should be installed on the node where Falco is running. The _kernel module_ (default option) and the _eBPF probe_ are installed on the node through an *init container* (i.e. `falco-driver-loader`) that tries download a prebuilt driver or build it on-the-fly as a fallback. The _Modern eBPF probe_ doesn't require an init container because it is shipped directly into the Falco binary. However, the _Modern eBPF probe_ requires [recent BPF features](https://falco.org/docs/event-sources/kernel/#modern-ebpf-probe). +The driver must be loaded on the node where Falco is running. Falco now prefers the **Modern eBPF probe** by default. When using **falcoctl** with `driver.kind=auto`, it will automatically choose the best driver for your system. Specifically, it first attempts to use the Modern eBPF probe (which is shipped directly within the Falco binary) and will fall back to the _kernel module_ or the _original eBPF probe_ if the necessary BPF features are not available. ##### Pre-built drivers 
@@ -146,20 +146,24 @@ After the clarification of the different [**event sources**](#falco-event-source The chart deploys Falco using a `daemonset` or a `deployment` depending on the **event sources**. #### Daemonset -When using the [drivers](#about-the-driver), Falco is deployed as `daemonset`. By using a `daemonset`, k8s assures that a Falco instance will be running in each of our nodes even when we add new nodes to our cluster. So it is the perfect match when we need to monitor all the nodes in our cluster. +When using the [drivers](#about-the-driver), Falco is typically deployed as a `DaemonSet`. By using a DaemonSet, Kubernetes ensures that a Falco instance is running on each node even as new nodes are added to your cluster. This makes it a perfect fit for monitoring across the entire cluster. + +By default, with `driver.kind=auto`, the correct driver will will be automatically selected for each node. This is accomplished through the **driver loader** (implemented by `falcoctl`), which generates a new Falco configuration file and picks the right engine driver (Modern eBPF, kmod, or legacy eBPF) based on the underlying environment. If you prefer to manually force a specific driver, see the other available options below. 
**Kernel module** -To run Falco with the [kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) you can use the default values of the helm chart: + +To run Falco with the [eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#kernel-module) you just need to set `driver.kind=kmod` as shown in the following snippet: ```bash helm install falco falcosecurity/falco \ --create-namespace \ --namespace falco + --set driver.kind=kmod ``` -**eBPF probe** +**Legacy eBPF probe** -To run Falco with the [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe) you just need to set `driver.kind=ebpf` as shown in the following snippet: +To run Falco with the [eBPF probe](http://falco.org/docs/concepts/event-sources/kernel/#legacy-ebpf-probe) you just need to set `driver.kind=ebpf` as shown in the following snippet: ```bash helm install falco falcosecurity/falco \ @@ -177,9 +181,9 @@ helm install falco falcosecurity/falco \ -f "path-to-custom-values.yaml-file" ``` -**modern eBPF probe** +**Modern eBPF probe** -To run Falco with the [modern eBPF probe](https://falco.org/docs/event-sources/drivers/#modern-ebpf-probe-experimental) you just need to set `driver.kind=modern_bpf` as shown in the following snippet: +To run Falco with the [modern eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#modern-ebpf-probe) you just need to set `driver.kind=modern_bpf` as shown in the following snippet: ```bash helm install falco falcosecurity/falco \ @@ -383,7 +387,7 @@ services: protocol: TCP falco: - rules_file: + rules_files: - /etc/falco/k8s_audit_rules.yaml - /etc/falco/rules.d plugins: 
@@ -581,7 +585,7 @@ If you use a Proxy in your cluster, the requests between `Falco` and `Falcosidek
 ## Configuration
-The following table lists the main configurable parameters of the falco chart v4.6.0 and their default values. See [values.yaml](./values.yaml) for full list.
+The following table lists the main configurable parameters of the falco chart v4.19.0 and their default values. See [values.yaml](./values.yaml) for full list.
 ## Values
@@ -602,11 +606,11 @@ The following table lists the main configurable parameters of the falco chart v4
 | collectors.docker.enabled | bool | `true` | Enable Docker support. |
 | collectors.docker.socket | string | `"/var/run/docker.sock"` | The path of the Docker daemon socket. |
 | collectors.enabled | bool | `true` | Enable/disable all the metadata collectors. |
-| collectors.kubernetes | object | `{"collectorHostname":"","collectorPort":"","enabled":false,"pluginRef":"ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0"}` | kubernetes holds the configuration for the kubernetes collector. Starting from version 0.37.0 of Falco, the legacy kubernetes client has been removed. A new standalone component named k8s-metacollector and a Falco plugin have been developed to solve the issues that were present in the old implementation. More info here: https://github.com/falcosecurity/falco/issues/2973 |
+| collectors.kubernetes | object | `{"collectorHostname":"","collectorPort":"","enabled":false,"hostProc":"/host","pluginRef":"ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.1","verbosity":"info"}` | kubernetes holds the configuration for the kubernetes collector. Starting from version 0.37.0 of Falco, the legacy kubernetes client has been removed. A new standalone component named k8s-metacollector and a Falco plugin have been developed to solve the issues that were present in the old implementation. More info here: https://github.com/falcosecurity/falco/issues/2973 |
 | collectors.kubernetes.collectorHostname | string | `""` | collectorHostname is the address of the k8s-metacollector. When not specified it will be set to match k8s-metacollector service. e.x: falco-k8smetacollecto.falco.svc. If for any reason you need to override it, make sure to set here the address of the k8s-metacollector. It is used by the k8smeta plugin to connect to the k8s-metacollector. |
 | collectors.kubernetes.collectorPort | string | `""` | collectorPort designates the port on which the k8s-metacollector gRPC service listens. If not specified the value of the port named `broker-grpc` in k8s-metacollector.service.ports is used. The default values is 45000. It is used by the k8smeta plugin to connect to the k8s-metacollector. |
 | collectors.kubernetes.enabled | bool | `false` | enabled specifies whether the Kubernetes metadata should be collected using the k8smeta plugin and the k8s-metacollector component. It will deploy the k8s-metacollector external component that fetches Kubernetes metadata and pushes them to Falco instances. For more info see: https://github.com/falcosecurity/k8s-metacollector https://github.com/falcosecurity/charts/tree/master/charts/k8s-metacollector When this option is disabled, Falco falls back to the container annotations to grab the metadata. In such a case, only the ID, name, namespace, labels of the pod will be available. |
-| collectors.kubernetes.pluginRef | string | `"ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0"` | pluginRef is the OCI reference for the k8smeta plugin. It could be a full reference such as: "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0". Or just name + tag: k8smeta:0.1.0. |
+| collectors.kubernetes.pluginRef | string | `"ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.1"` | pluginRef is the OCI reference for the k8smeta plugin. It could be a full reference such as: "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0". Or just name + tag: k8smeta:0.1.0. |
 | containerSecurityContext | object | `{}` | Set securityContext for the Falco container.For more info see the "falco.securityContext" helper in "pod-template.tpl" |
 | controller.annotations | object | `{}` | |
 | controller.daemonset.updateStrategy.type | string | `"RollingUpdate"` | Perform rolling updates by default in the DaemonSet agent ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ |
@@ -618,7 +622,7 @@ The following table lists the main configurable parameters of the falco chart v4
 | driver.ebpf.bufSizePreset | int | `4` | bufSizePreset determines the size of the shared space between Falco and its drivers. This shared space serves as a temporary storage for syscall events. |
 | driver.ebpf.dropFailedExit | bool | `false` | dropFailedExit if set true drops failed system call exit events before pushing them to userspace. |
 | driver.ebpf.hostNetwork | bool | `false` | Needed to enable eBPF JIT at runtime for performance reasons. Can be skipped if eBPF JIT is enabled from outside the container |
-| driver.ebpf.leastPrivileged | bool | `false` | Constrain Falco with capabilities instead of running a privileged container. Ensure the eBPF driver is enabled (i.e., setting the `driver.kind` option to `ebpf`). Capabilities used: {CAP_SYS_RESOURCE, CAP_SYS_ADMIN, CAP_SYS_PTRACE}. On kernel versions >= 5.8 'CAP_PERFMON' and 'CAP_BPF' could replace 'CAP_SYS_ADMIN' but please pay attention to the 'kernel.perf_event_paranoid' value on your system. Usually 'kernel.perf_event_paranoid>2' means that you cannot use 'CAP_PERFMON' and you should fallback to 'CAP_SYS_ADMIN', but the behavior changes across different distros. Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-1 |
+| driver.ebpf.leastPrivileged | bool | `false` | Constrain Falco with capabilities instead of running a privileged container. Ensure the eBPF driver is enabled (i.e., setting the `driver.kind` option to `ebpf`). Capabilities used: {CAP_SYS_RESOURCE, CAP_SYS_ADMIN, CAP_SYS_PTRACE}. On kernel versions >= 5.8 'CAP_PERFMON' and 'CAP_BPF' could replace 'CAP_SYS_ADMIN' but please pay attention to the 'kernel.perf_event_paranoid' value on your system. Usually 'kernel.perf_event_paranoid>2' means that you cannot use 'CAP_PERFMON' and you should fallback to 'CAP_SYS_ADMIN', but the behavior changes across different distros. Read more on that here: https://falco.org/docs/setup/container/#docker-least-privileged-ebpf-probe |
 | driver.ebpf.path | string | `"${HOME}/.falco/falco-bpf.o"` | path where the eBPF probe is located. It comes handy when the probe have been installed in the nodes using tools other than the init container deployed with the chart. |
 | driver.enabled | bool | `true` | Set it to false if you want to deploy Falco without the drivers. Always set it to false when using Falco with plugins. |
 | driver.gvisor | object | `{"runsc":{"config":"/run/containerd/runsc/config.toml","path":"/home/containerd/usr/local/sbin","root":"/run/containerd/runsc"}}` | Gvisor configuration. Based on your system you need to set the appropriate values. Please, remember to add pod tolerations and affinities in order to schedule the Falco pods in the gVisor enabled nodes. |
@@ -642,13 +646,24 @@ The following table lists the main configurable parameters of the falco chart v4
 | driver.modernEbpf.bufSizePreset | int | `4` | bufSizePreset determines the size of the shared space between Falco and its drivers. This shared space serves as a temporary storage for syscall events. |
 | driver.modernEbpf.cpusForEachBuffer | int | `2` | cpusForEachBuffer is the index that controls how many CPUs to assign to a single syscall buffer. |
 | driver.modernEbpf.dropFailedExit | bool | `false` | dropFailedExit if set true drops failed system call exit events before pushing them to userspace. |
-| driver.modernEbpf.leastPrivileged | bool | `false` | Constrain Falco with capabilities instead of running a privileged container. Ensure the modern bpf driver is enabled (i.e., setting the `driver.kind` option to `modern-bpf`). Capabilities used: {CAP_SYS_RESOURCE, CAP_BPF, CAP_PERFMON, CAP_SYS_PTRACE}. Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-2 |
+| driver.modernEbpf.leastPrivileged | bool | `false` | Constrain Falco with capabilities instead of running a privileged container. Ensure the modern bpf driver is enabled (i.e., setting the `driver.kind` option to `modern-bpf`). Capabilities used: {CAP_SYS_RESOURCE, CAP_BPF, CAP_PERFMON, CAP_SYS_PTRACE}. Read more on that here: https://falco.org/docs/setup/container/#docker-least-privileged-ebpf-probe |
 | extra.args | list | `[]` | Extra command-line arguments. |
 | extra.env | list | `[]` | Extra environment variables that will be pass onto Falco containers. |
 | extra.initContainers | list | `[]` | Additional initContainers for Falco pods. |
+| falco.append_output | list | `[]` | |
 | falco.base_syscalls | object | `{"custom_set":[],"repair":false}` | - [Suggestions] NOTE: setting `base_syscalls.repair: true` automates the following suggestions for you. These suggestions are subject to change as Falco and its state engine evolve. For execve* events: Some Falco fields for an execve* syscall are retrieved from the associated `clone`, `clone3`, `fork`, `vfork` syscalls when spawning a new process. The `close` syscall is used to purge file descriptors from Falco's internal thread / process cache table and is necessary for rules relating to file descriptors (e.g. open, openat, openat2, socket, connect, accept, accept4 ... and many more) Consider enabling the following syscalls in `base_syscalls.custom_set` for process rules: [clone, clone3, fork, vfork, execve, execveat, close] For networking related events: While you can log `connect` or `accept*` syscalls without the socket syscall, the log will not contain the ip tuples. Additionally, for `listen` and `accept*` syscalls, the `bind` syscall is also necessary. We recommend the following as the minimum set for networking-related rules: [clone, clone3, fork, vfork, execve, execveat, close, socket, bind, getsockopt] Lastly, for tracking the correct `uid`, `gid` or `sid`, `pgid` of a process when the running process opens a file or makes a network connection, consider adding the following to the above recommended syscall sets: ... setresuid, setsid, setuid, setgid, setpgid, setresgid, setsid, capset, chdir, chroot, fchdir ... |
 | falco.buffered_outputs | bool | `false` | Enabling buffering for the output queue can offer performance optimization, efficient resource usage, and smoother data flow, resulting in a more reliable output mechanism. By default, buffering is disabled (false). |
 | falco.config_files[0] | string | `"/etc/falco/config.d"` | |
+| falco.container_engines.bpm.enabled | bool | `false` | |
+| falco.container_engines.cri.disable_async | bool | `false` | |
+| falco.container_engines.cri.enabled | bool | `false` | |
+| falco.container_engines.cri.sockets[0] | string | `"/run/containerd/containerd.sock"` | |
+| falco.container_engines.cri.sockets[1] | string | `"/run/crio/crio.sock"` | |
+| falco.container_engines.cri.sockets[2] | string | `"/run/k3s/containerd/containerd.sock"` | |
+| falco.container_engines.docker.enabled | bool | `false` | |
+| falco.container_engines.libvirt_lxc.enabled | bool | `false` | |
+| falco.container_engines.lxc.enabled | bool | `false` | |
+| falco.container_engines.podman.enabled | bool | `false` | |
 | falco.falco_libs.thread_table_size | int | `262144` | |
 | falco.file_output | object | `{"enabled":false,"filename":"./events.txt","keep_alive":false}` | When appending Falco alerts to a file, each new alert will be added to a new line. It's important to note that Falco does not perform log rotation for this file. If the `keep_alive` option is set to `true`, the file will be opened once and continuously written to, else the file will be reopened for each output message. Furthermore, the file will be closed and reopened if Falco receives the SIGUSR1 signal. |
 | falco.grpc | object | `{"bind_address":"unix:///run/falco/falco.sock","enabled":false,"threadiness":0}` | gRPC server using a local unix socket |
@@ -665,6 +680,7 @@ The following table lists the main configurable parameters of the falco chart v4
 | falco.http_output.insecure | bool | `false` | Tell Falco to not verify the remote server. |
 | falco.http_output.keep_alive | bool | `false` | keep_alive whether to keep alive the connection. |
 | falco.http_output.mtls | bool | `false` | Tell Falco to use mTLS |
+| falco.json_include_message_property | bool | `false` | |
 | falco.json_include_output_property | bool | `true` | When using JSON output in Falco, you have the option to include the "output" property itself in the generated JSON output. The "output" property provides additional information about the purpose of the rule. To reduce the logging volume, it is recommended to turn it off if it's not necessary for your use case. |
 | falco.json_include_tags_property | bool | `true` | When using JSON output in Falco, you have the option to include the "tags" field of the rules in the generated JSON output. The "tags" field provides additional metadata associated with the rule. To reduce the logging volume, if the tags associated with the rule are not needed for your use case or can be added at a later stage, it is recommended to turn it off. |
 | falco.json_output | bool | `false` | When enabled, Falco will output alert messages and rules file loading/validation results in JSON format, making it easier for downstream programs to process and consume the data. By default, this option is disabled. |
@@ -673,15 +689,14 @@ The following table lists the main configurable parameters of the falco chart v4 | falco.log_level | string | `"info"` | The `log_level` setting determines the minimum log level to include in Falco's logs related to the functioning of the software. This setting is separate from the `priority` field of rules and specifically controls the log level of Falco's operational logging. By specifying a log level, you can control the verbosity of Falco's operational logs. Only logs of a certain severity level or higher will be emitted. Supported levels: "emergency", "alert", "critical", "error", "warning", "notice", "info", "debug". | | falco.log_stderr | bool | `true` | Send information logs to stderr. Note these are *not* security notification logs! These are just Falco lifecycle (and possibly error) logs. | | falco.log_syslog | bool | `true` | Send information logs to syslog. Note these are *not* security notification logs! These are just Falco lifecycle (and possibly error) logs. | -| falco.metrics | object | `{"convert_memory_to_mb":true,"enabled":false,"include_empty_values":false,"interval":"1h","kernel_event_counters_enabled":true,"libbpf_stats_enabled":true,"output_rule":true,"resource_utilization_enabled":true,"rules_counters_enabled":true,"state_counters_enabled":true}` | - [Usage] `enabled`: Disabled by default. `interval`: The stats interval in Falco follows the time duration definitions used by Prometheus. https://prometheus.io/docs/prometheus/latest/querying/basics/#time-durations Time durations are specified as a number, followed immediately by one of the following units: ms - millisecond s - second m - minute h - hour d - day - assuming a day has always 24h w - week - assuming a week has always 7d y - year - assuming a year has always 365d Example of a valid time duration: 1h30m20s10ms A minimum interval of 100ms is enforced for metric collection. 
However, for production environments, we recommend selecting one of the following intervals for optimal monitoring: 15m 30m 1h 4h 6h `output_rule`: To enable seamless metrics and performance monitoring, we recommend emitting metrics as the rule "Falco internal: metrics snapshot". This option is particularly useful when Falco logs are preserved in a data lake. Please note that to use this option, the Falco rules config `priority` must be set to `info` at a minimum. `output_file`: Append stats to a `jsonl` file. Use with caution in production as Falco does not automatically rotate the file. `resource_utilization_enabled`: Emit CPU and memory usage metrics. CPU usage is reported as a percentage of one CPU and can be normalized to the total number of CPUs to determine overall usage. Memory metrics are provided in raw units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`) and can be uniformly converted to megabytes (MB) using the `convert_memory_to_mb` functionality. In environments such as Kubernetes when deployed as daemonset, it is crucial to track Falco's container memory usage. To customize the path of the memory metric file, you can create an environment variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to monitor container memory usage, which aligns with Kubernetes' `container_memory_working_set_bytes` metric. Finally, we emit the overall host CPU and memory usages, along with the total number of processes and open file descriptors (fds) on the host, obtained from the proc file system unrelated to Falco's monitoring. These metrics help assess Falco's usage in relation to the server's workload intensity. `rules_counters_enabled`: Emit counts for each rule. `resource_utilization_enabled`: Emit CPU and memory usage metrics. 
CPU usage is reported as a percentage of one CPU and can be normalized to the total number of CPUs to determine overall usage. Memory metrics are provided in raw units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`) and can be uniformly converted to megabytes (MB) using the `convert_memory_to_mb` functionality. In environments such as Kubernetes when deployed as daemonset, it is crucial to track Falco's container memory usage. To customize the path of the memory metric file, you can create an environment variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to monitor container memory usage, which aligns with Kubernetes' `container_memory_working_set_bytes` metric. Finally, we emit the overall host CPU and memory usages, along with the total number of processes and open file descriptors (fds) on the host, obtained from the proc file system unrelated to Falco's monitoring. These metrics help assess Falco's usage in relation to the server's workload intensity. `state_counters_enabled`: Emit counters related to Falco's state engine, including added, removed threads or file descriptors (fds), and failed lookup, store, or retrieve actions in relation to Falco's underlying process cache table (threadtable). We also log the number of currently cached containers if applicable. `kernel_event_counters_enabled`: Emit kernel side event and drop counters, as an alternative to `syscall_event_drops`, but with some differences. These counters reflect monotonic values since Falco's start and are exported at a constant stats interval. `libbpf_stats_enabled`: Exposes statistics similar to `bpftool prog show`, providing information such as the number of invocations of each BPF program attached by Falco and the time spent in each program measured in nanoseconds. 
To enable this feature, the kernel must be >= 5.1, and the kernel configuration `/proc/sys/kernel/bpf_stats_enabled` must be set. This option, or an equivalent statistics feature, is not available for non `*bpf*` drivers. Additionally, please be aware that the current implementation of `libbpf` does not support granularity of statistics at the bpf tail call level. `include_empty_values`: When the option is set to true, fields with an empty numeric value will be included in the output. However, this rule does not apply to high-level fields such as `n_evts` or `n_drops`; they will always be included in the output even if their value is empty. This option can be beneficial for exploring the data schema and ensuring that fields with empty values are included in the output. todo: prometheus export option todo: syscall_counters_enabled option | +| falco.metrics | object | `{"convert_memory_to_mb":true,"enabled":false,"include_empty_values":false,"interval":"1h","kernel_event_counters_enabled":true,"kernel_event_counters_per_cpu_enabled":false,"libbpf_stats_enabled":true,"output_rule":true,"resource_utilization_enabled":true,"rules_counters_enabled":true,"state_counters_enabled":true}` | - [Usage] `enabled`: Disabled by default. `interval`: The stats interval in Falco follows the time duration definitions used by Prometheus. https://prometheus.io/docs/prometheus/latest/querying/basics/#time-durations Time durations are specified as a number, followed immediately by one of the following units: ms - millisecond s - second m - minute h - hour d - day - assuming a day has always 24h w - week - assuming a week has always 7d y - year - assuming a year has always 365d Example of a valid time duration: 1h30m20s10ms A minimum interval of 100ms is enforced for metric collection. 
However, for production environments, we recommend selecting one of the following intervals for optimal monitoring: 15m 30m 1h 4h 6h `output_rule`: To enable seamless metrics and performance monitoring, we recommend emitting metrics as the rule "Falco internal: metrics snapshot". This option is particularly useful when Falco logs are preserved in a data lake. Please note that to use this option, the Falco rules config `priority` must be set to `info` at a minimum. `output_file`: Append stats to a `jsonl` file. Use with caution in production as Falco does not automatically rotate the file. `resource_utilization_enabled`: Emit CPU and memory usage metrics. CPU usage is reported as a percentage of one CPU and can be normalized to the total number of CPUs to determine overall usage. Memory metrics are provided in raw units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`) and can be uniformly converted to megabytes (MB) using the `convert_memory_to_mb` functionality. In environments such as Kubernetes when deployed as daemonset, it is crucial to track Falco's container memory usage. To customize the path of the memory metric file, you can create an environment variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to monitor container memory usage, which aligns with Kubernetes' `container_memory_working_set_bytes` metric. Finally, we emit the overall host CPU and memory usages, along with the total number of processes and open file descriptors (fds) on the host, obtained from the proc file system unrelated to Falco's monitoring. These metrics help assess Falco's usage in relation to the server's workload intensity. `rules_counters_enabled`: Emit counts for each rule. `resource_utilization_enabled`: Emit CPU and memory usage metrics. 
CPU usage is reported as a percentage of one CPU and can be normalized to the total number of CPUs to determine overall usage. Memory metrics are provided in raw units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`) and can be uniformly converted to megabytes (MB) using the `convert_memory_to_mb` functionality. In environments such as Kubernetes when deployed as daemonset, it is crucial to track Falco's container memory usage. To customize the path of the memory metric file, you can create an environment variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to monitor container memory usage, which aligns with Kubernetes' `container_memory_working_set_bytes` metric. Finally, we emit the overall host CPU and memory usages, along with the total number of processes and open file descriptors (fds) on the host, obtained from the proc file system unrelated to Falco's monitoring. These metrics help assess Falco's usage in relation to the server's workload intensity. `state_counters_enabled`: Emit counters related to Falco's state engine, including added, removed threads or file descriptors (fds), and failed lookup, store, or retrieve actions in relation to Falco's underlying process cache table (threadtable). We also log the number of currently cached containers if applicable. `kernel_event_counters_enabled`: Emit kernel side event and drop counters, as an alternative to `syscall_event_drops`, but with some differences. These counters reflect monotonic values since Falco's start and are exported at a constant stats interval. `kernel_event_counters_per_cpu_enabled`: Detailed kernel event and drop counters per CPU. Typically used when debugging and not in production. 
`libbpf_stats_enabled`: Exposes statistics similar to `bpftool prog show`, providing information such as the number of invocations of each BPF program attached by Falco and the time spent in each program measured in nanoseconds. To enable this feature, the kernel must be >= 5.1, and the kernel configuration `/proc/sys/kernel/bpf_stats_enabled` must be set. This option, or an equivalent statistics feature, is not available for non `*bpf*` drivers. Additionally, please be aware that the current implementation of `libbpf` does not support granularity of statistics at the bpf tail call level. `include_empty_values`: When the option is set to true, fields with an empty numeric value will be included in the output. However, this rule does not apply to high-level fields such as `n_evts` or `n_drops`; they will always be included in the output even if their value is empty. This option can be beneficial for exploring the data schema and ensuring that fields with empty values are included in the output. todo: prometheus export option todo: syscall_counters_enabled option | | falco.output_timeout | int | `2000` | The `output_timeout` parameter specifies the duration, in milliseconds, to wait before considering the deadline exceeded. By default, the timeout is set to 2000ms (2 seconds), meaning that the consumer of Falco outputs can block the Falco output channel for up to 2 seconds without triggering a timeout error. Falco actively monitors the performance of output channels. With this setting the timeout error can be logged, but please note that this requires setting Falco's operational logs `log_level` to a minimum of `notice`. It's important to note that Falco outputs will not be discarded from the output queue. This means that if an output channel becomes blocked indefinitely, it indicates a potential issue that needs to be addressed by the user. 
| -| falco.outputs | object | `{"max_burst":1000,"rate":0}` | A throttling mechanism, implemented as a token bucket, can be used to control the rate of Falco outputs. Each event source has its own rate limiter, ensuring that alerts from one source do not affect the throttling of others. The following options control the mechanism: - rate: the number of tokens (i.e. right to send a notification) gained per second. When 0, the throttling mechanism is disabled. Defaults to 0. - max_burst: the maximum number of tokens outstanding. Defaults to 1000. For example, setting the rate to 1 allows Falco to send up to 1000 notifications initially, followed by 1 notification per second. The burst capacity is fully restored after 1000 seconds of no activity. Throttling can be useful in various scenarios, such as preventing notification floods, managing system load, controlling event processing, or complying with rate limits imposed by external systems or APIs. It allows for better resource utilization, avoids overwhelming downstream systems, and helps maintain a balanced and controlled flow of notifications. With the default settings, the throttling mechanism is disabled. | -| falco.outputs_queue | object | `{"capacity":0}` | Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter allows you to customize the queue capacity. Please refer to the official documentation: https://oneapi-src.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html. On a healthy system with optimized Falco rules, the queue should not fill up. If it does, it is most likely happening due to the entire event flow being too slow, indicating that the server is under heavy load. `capacity`: the maximum number of items allowed in the queue is determined by this value. Setting the value to 0 (which is the default) is equivalent to keeping the queue unbounded. 
In other words, when this configuration is set to 0, the number of allowed items is effectively set to the largest possible long value, disabling this setting. In the case of an unbounded queue, if the available memory on the system is consumed, the Falco process would be OOM killed. When using this option and setting the capacity, the current event would be dropped, and the event loop would continue. This behavior mirrors kernel-side event drops when the buffer between kernel space and user space is full. | +| falco.outputs_queue | object | `{"capacity":0}` | Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter allows you to customize the queue capacity. Please refer to the official documentation: https://uxlfoundation.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html. On a healthy system with optimized Falco rules, the queue should not fill up. If it does, it is most likely happening due to the entire event flow being too slow, indicating that the server is under heavy load. `capacity`: the maximum number of items allowed in the queue is determined by this value. Setting the value to 0 (which is the default) is equivalent to keeping the queue unbounded. In other words, when this configuration is set to 0, the number of allowed items is effectively set to the largest possible long value, disabling this setting. In the case of an unbounded queue, if the available memory on the system is consumed, the Falco process would be OOM killed. When using this option and setting the capacity, the current event would be dropped, and the event loop would continue. This behavior mirrors kernel-side event drops when the buffer between kernel space and user space is full. 
| | falco.plugins | list | `[{"init_config":null,"library_path":"libk8saudit.so","name":"k8saudit","open_params":"http://:9765/k8s-audit"},{"library_path":"libcloudtrail.so","name":"cloudtrail"},{"init_config":"","library_path":"libjson.so","name":"json"}]` | Customize subsettings for each enabled plugin. These settings will only be applied when the corresponding plugin is enabled using the `load_plugins` option. | | falco.priority | string | `"debug"` | Any rule with a priority level more severe than or equal to the specified minimum level will be loaded and run by Falco. This allows you to filter and control the rules based on their severity, ensuring that only rules of a certain priority or higher are active and evaluated by Falco. Supported levels: "emergency", "alert", "critical", "error", "warning", "notice", "info", "debug" | | falco.program_output | object | `{"enabled":false,"keep_alive":false,"program":"jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"}` | Redirect the output to another program or command. Possible additional things you might want to do with program output: - send to a slack webhook: program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" - logging (alternate method than syslog): program: logger -t falco-test - send over a network connection: program: nc host.example.com 80 If `keep_alive` is set to `true`, the program will be started once and continuously written to, with each output message on its own line. If `keep_alive` is set to `false`, the program will be re-spawned for each output message. Furthermore, the program will be re-spawned if Falco receives the SIGUSR1 signal. 
| | falco.rule_matching | string | `"first"` | - [Examples] Only enable two rules: rules: - disable: rule: "*" - enable: rule: Netcat Remote Code Execution in Container - enable: rule: Delete or rename shell history Disable all rules with a specific tag: rules: - disable: tag: network [Incubating] `rule_matching` - Falco has to be performant when evaluating rules against events. To quickly understand which rules could trigger on a specific event, Falco maintains buckets of rules sharing the same event type in a map. Then, the lookup in each bucket is performed through linear search. The `rule_matching` configuration key's values are: - "first": when evaluating conditions of rules in a bucket, Falco will stop to evaluate rules if it finds a matching rules. Since rules are stored in buckets in the order they are defined in the rules files, this option could prevent other rules to trigger even if their condition is met, causing a shadowing problem. - "all": with this value Falco will continue evaluating all the rules stored in the bucket, so that multiple rules could be triggered upon one event. | -| falco.rules_file | list | `["/etc/falco/falco_rules.yaml","/etc/falco/falco_rules.local.yaml","/etc/falco/rules.d"]` | The location of the rules files that will be consumed by Falco. | +| falco.rules_files | list | `["/etc/falco/falco_rules.yaml","/etc/falco/falco_rules.local.yaml","/etc/falco/rules.d"]` | The location of the rules files that will be consumed by Falco. | | falco.stdout_output | object | `{"enabled":true}` | Redirect logs to standard output. | | falco.syscall_event_drops | object | `{"actions":["log","alert"],"max_burst":1,"rate":0.03333,"simulate_drops":false,"threshold":0.1}` | For debugging/testing it is possible to simulate the drops using the `simulate_drops: true`. In this case the threshold does not apply. | | falco.syscall_event_drops.actions | list | `["log","alert"]` | Actions to be taken when system calls were dropped from the circular buffer. | 
@@ -722,12 +737,20 @@ The following table lists the main configurable parameters of the falco chart v4 | falcoctl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy. | | falcoctl.image.registry | string | `"docker.io"` | The image registry to pull from. | | falcoctl.image.repository | string | `"falcosecurity/falcoctl"` | The image repository to pull from. | -| falcoctl.image.tag | string | `"0.8.0"` | The image tag to pull. | +| falcoctl.image.tag | string | `"0.10.1"` | The image tag to pull. | | falcosidekick | object | `{"enabled":false,"fullfqdn":false,"listenPort":""}` | For configuration values, see https://github.com/falcosecurity/charts/blob/master/charts/falcosidekick/values.yaml | | falcosidekick.enabled | bool | `false` | Enable falcosidekick deployment. | | falcosidekick.fullfqdn | bool | `false` | Enable usage of full FQDN of falcosidekick service (useful when a Proxy is used). | | falcosidekick.listenPort | string | `""` | Listen port. Default value: 2801 | | fullnameOverride | string | `""` | Same as nameOverride but for the fullname. | +| grafana | object | `{"dashboards":{"configMaps":{"falco":{"folder":"","name":"falco-grafana-dashboard","namespace":""}},"enabled":false}}` | grafana contains the configuration related to grafana. | +| grafana.dashboards | object | `{"configMaps":{"falco":{"folder":"","name":"falco-grafana-dashboard","namespace":""}},"enabled":false}` | dashboards contains configuration for grafana dashboards. | +| grafana.dashboards.configMaps | object | `{"falco":{"folder":"","name":"falco-grafana-dashboard","namespace":""}}` | configmaps to be deployed that contain a grafana dashboard. | +| grafana.dashboards.configMaps.falco | object | `{"folder":"","name":"falco-grafana-dashboard","namespace":""}` | falco contains the configuration for falco's dashboard. | +| grafana.dashboards.configMaps.falco.folder | string | `""` | folder where the dashboard is stored by grafana. 
| +| grafana.dashboards.configMaps.falco.name | string | `"falco-grafana-dashboard"` | name specifies the name for the configmap. | +| grafana.dashboards.configMaps.falco.namespace | string | `""` | namespace specifies the namespace for the configmap. | +| grafana.dashboards.enabled | bool | `false` | enabled specifies whether the dashboards should be deployed. | | healthChecks | object | `{"livenessProbe":{"initialDelaySeconds":60,"periodSeconds":15,"timeoutSeconds":5},"readinessProbe":{"initialDelaySeconds":30,"periodSeconds":15,"timeoutSeconds":5}}` | Parameters used | | healthChecks.livenessProbe.initialDelaySeconds | int | `60` | Tells the kubelet that it should wait X seconds before performing the first probe. | | healthChecks.livenessProbe.periodSeconds | int | `15` | Specifies that the kubelet should perform the check every x seconds. | 
@@ -737,27 +760,29 @@ The following table lists the main configurable parameters of the falco chart v4 | healthChecks.readinessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. | | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy. | | image.registry | string | `"docker.io"` | The image registry to pull from. | -| image.repository | string | `"falcosecurity/falco-no-driver"` | The image repository to pull from | +| image.repository | string | `"falcosecurity/falco"` | The image repository to pull from | | image.tag | string | `""` | The image tag to pull. Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | Secrets containing credentials when pulling from private/secure registries. | -| metrics | object | `{"convertMemoryToMB":true,"enabled":false,"includeEmptyValues":false,"interval":"1h","kernelEventCountersEnabled":true,"libbpfStatsEnabled":true,"outputRule":false,"resourceUtilizationEnabled":true,"rulesCountersEnabled":true,"service":{"create":true,"ports":{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}},"type":"ClusterIP"},"stateCountersEnabled":true}` | metrics configures Falco to enable and expose the metrics. | +| metrics | object | `{"convertMemoryToMB":true,"enabled":false,"includeEmptyValues":false,"interval":"1h","kernelEventCountersEnabled":true,"kernelEventCountersPerCPUEnabled":false,"libbpfStatsEnabled":true,"outputRule":false,"resourceUtilizationEnabled":true,"rulesCountersEnabled":true,"service":{"annotations":{},"create":true,"labels":{},"ports":{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}},"type":"ClusterIP"},"stateCountersEnabled":true}` | metrics configures Falco to enable and expose the metrics. | | metrics.convertMemoryToMB | bool | `true` | convertMemoryToMB specifies whether the memory should be converted to mb. | | metrics.enabled | bool | `false` | enabled specifies whether the metrics should be enabled. 
| | metrics.includeEmptyValues | bool | `false` | includeEmptyValues specifies whether the empty values should be included in the metrics. | | metrics.interval | string | `"1h"` | interval is stats interval in Falco follows the time duration definitions used by Prometheus. https://prometheus.io/docs/prometheus/latest/querying/basics/#time-durations Time durations are specified as a number, followed immediately by one of the following units: ms - millisecond s - second m - minute h - hour d - day - assuming a day has always 24h w - week - assuming a week has always 7d y - year - assuming a year has always 365d Example of a valid time duration: 1h30m20s10ms A minimum interval of 100ms is enforced for metric collection. However, for production environments, we recommend selecting one of the following intervals for optimal monitoring: 15m 30m 1h 4h 6h | +| metrics.kernelEventCountersPerCPUEnabled | bool | `false` | kernelEventCountersPerCPUEnabled specifies whether the event counters per cpu should be enabled. | | metrics.libbpfStatsEnabled | bool | `true` | libbpfStatsEnabled exposes statistics similar to `bpftool prog show`, providing information such as the number of invocations of each BPF program attached by Falco and the time spent in each program measured in nanoseconds. To enable this feature, the kernel must be >= 5.1, and the kernel configuration `/proc/sys/kernel/bpf_stats_enabled` must be set. This option, or an equivalent statistics feature, is not available for non `*bpf*` drivers. Additionally, please be aware that the current implementation of `libbpf` does not support granularity of statistics at the bpf tail call level. | | metrics.outputRule | bool | `false` | outputRule enables seamless metrics and performance monitoring, we recommend emitting metrics as the rule "Falco internal: metrics snapshot". This option is particularly useful when Falco logs are preserved in a data lake. 
Please note that to use this option, the Falco rules config `priority` must be set to `info` at a minimum. | | metrics.resourceUtilizationEnabled | bool | `true` | resourceUtilizationEnabled`: Emit CPU and memory usage metrics. CPU usage is reported as a percentage of one CPU and can be normalized to the total number of CPUs to determine overall usage. Memory metrics are provided in raw units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`) and can be uniformly converted to megabytes (MB) using the `convert_memory_to_mb` functionality. In environments such as Kubernetes when deployed as daemonset, it is crucial to track Falco's container memory usage. To customize the path of the memory metric file, you can create an environment variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to monitor container memory usage, which aligns with Kubernetes' `container_memory_working_set_bytes` metric. Finally, we emit the overall host CPU and memory usages, along with the total number of processes and open file descriptors (fds) on the host, obtained from the proc file system unrelated to Falco's monitoring. These metrics help assess Falco's usage in relation to the server's workload intensity. | | metrics.rulesCountersEnabled | bool | `true` | rulesCountersEnabled specifies whether the counts for each rule should be emitted. | -| metrics.service | object | `{"create":true,"ports":{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}},"type":"ClusterIP"}` | service exposes the metrics service to be accessed from within the cluster. ref: https://kubernetes.io/docs/concepts/services-networking/service/ | +| metrics.service | object | `{"annotations":{},"create":true,"labels":{},"ports":{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}},"type":"ClusterIP"}` | service exposes the metrics service to be accessed from within the cluster. 
ref: https://kubernetes.io/docs/concepts/services-networking/service/ | +| metrics.service.annotations | object | `{}` | annotations to add to the service. | | metrics.service.create | bool | `true` | create specifies whether a service should be created. | +| metrics.service.labels | object | `{}` | labels to add to the service. | | metrics.service.ports | object | `{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}}` | ports denotes all the ports on which the Service will listen. | | metrics.service.ports.metrics | object | `{"port":8765,"protocol":"TCP","targetPort":8765}` | metrics denotes a listening service named "metrics". | | metrics.service.ports.metrics.port | int | `8765` | port is the port on which the Service will listen. | | metrics.service.ports.metrics.protocol | string | `"TCP"` | protocol specifies the network protocol that the Service should use for the associated port. | | metrics.service.ports.metrics.targetPort | int | `8765` | targetPort is the port on which the Pod is listening. | | metrics.service.type | string | `"ClusterIP"` | type denotes the service type. Setting it to "ClusterIP" we ensure that are accessible from within the cluster. | -| mounts.enforceProcMount | bool | `false` | By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins). | | mounts.volumeMounts | list | `[]` | A list of volumes you want to add to the Falco pods. | | mounts.volumes | list | `[]` | A list of volumes you want to add to the Falco pods. | | nameOverride | string | `""` | Put here the new name if you want to override the release name used for Falco components. | diff --git a/helm/falco/charts/falco/dashboards/falco-dashboard.json b/helm/falco/charts/falco/dashboards/falco-dashboard.json new file mode 100644 index 00000000..77895d32 
--- /dev/null
+++ b/helm/falco/charts/falco/dashboards/falco-dashboard.json
@@ -0,0 +1,2631 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Falco is a cloud-native security tool designed for Linux systems. It employs custom rules on kernel events, which are enriched with container and Kubernetes metadata, to provide real-time alerts. Falco helps you gain visibility into abnormal behavior, potential security threats, and compliance violations, contributing to comprehensive runtime security.", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 1, + "id": 41, + "links": [], + "panels": [ + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 7, + "panels": [], + "title": "Events", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [], + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 9, + "x": 0, + "y": 1 + }, + "id": 1, + "options": { + "displayLabels": [ + "name" + ], + "legend": { + "displayMode": "table", + "placement": "bottom", + "showLegend": false + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "sum" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(rule_name) (increase(falcosecurity_falco_rules_matches_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + 
"includeNullMetadata": true, + "instant": false, + "legendFormat": "{{rule_name}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Rules", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [], + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 8, + "x": 9, + "y": 1 + }, + "id": 2, + "options": { + "displayLabels": [ + "name" + ], + "legend": { + "displayMode": "table", + "placement": "bottom", + "showLegend": false + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "sum" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(source) (increase(falcosecurity_falco_rules_matches_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": false, + "instant": false, + "legendFormat": "{{source}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Sources", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "fieldMinMax": false, + "mappings": [], + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "error" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": 
"byName", + "options": "critical" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "dark-orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "notice" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "warning" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "orange", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 9, + "w": 7, + "x": 17, + "y": 1 + }, + "id": 3, + "options": { + "displayLabels": [ + "name" + ], + "legend": { + "displayMode": "table", + "placement": "bottom", + "showLegend": false + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "sum" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(priority) (increase(falcosecurity_falco_rules_matches_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{priority}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Priorities", + "transformations": [ + { + "id": "renameByRegex", + "options": { + "regex": "0", + "renamePattern": "default" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "1", + "renamePattern": "debug" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "2", + "renamePattern": "informational" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "3", + "renamePattern": "notice" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "4", + "renamePattern": "warning" + } + }, + { + "id": "renameByRegex", + 
"options": { + "regex": "5", + "renamePattern": "error" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "6", + "renamePattern": "critical" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "7", + "renamePattern": "alert" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "8", + "renamePattern": "emergency" + } + } + ], + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.5, + "drawStyle": "bars", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "fieldMinMax": false, + "mappings": [], + "min": 0.01, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 14, + "w": 12, + "x": 0, + "y": 10 + }, + "id": 5, + "options": { + "legend": { + "calcs": [ + "max", + "lastNotNull" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(priority) 
(increase(falcosecurity_falco_rules_matches_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "by Priority over time", + "transformations": [ + { + "id": "renameByRegex", + "options": { + "regex": "0", + "renamePattern": "default" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "1", + "renamePattern": "debug" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "2", + "renamePattern": "informational" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "3", + "renamePattern": "notice" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "4", + "renamePattern": "warning" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "5", + "renamePattern": "error" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "6", + "renamePattern": "critical" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "7", + "renamePattern": "alert" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "8", + "renamePattern": "emergency" + } + } + ], + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.5, + "drawStyle": "bars", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + 
"group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "fieldMinMax": false, + "mappings": [], + "min": 0.01, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 14, + "w": 12, + "x": 12, + "y": 10 + }, + "id": 18, + "options": { + "legend": { + "calcs": [ + "max", + "lastNotNull" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(source) (increase(falcosecurity_falco_rules_matches_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "by Source over time", + "transformations": [ + { + "id": "renameByRegex", + "options": { + "regex": "0", + "renamePattern": "default" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "1", + "renamePattern": "debug" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "2", + "renamePattern": "informational" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "3", + "renamePattern": "notice" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "4", + "renamePattern": "warning" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "5", + "renamePattern": "error" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "6", + "renamePattern": "critical" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "7", + "renamePattern": "alert" + 
} + }, + { + "id": "renameByRegex", + "options": { + "regex": "8", + "renamePattern": "emergency" + } + } + ], + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.5, + "drawStyle": "bars", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "fieldMinMax": false, + "mappings": [], + "min": 0.01, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 15, + "w": 24, + "x": 0, + "y": 24 + }, + "id": 19, + "options": { + "legend": { + "calcs": [ + "max", + "lastNotNull" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true, + "sortBy": "Last *", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(rule_name) (increase(falcosecurity_falco_rules_matches_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "__auto", + "range": true, + "refId": "A", + 
"useBackend": false + } + ], + "title": "by Rule over time", + "transformations": [ + { + "id": "renameByRegex", + "options": { + "regex": "0", + "renamePattern": "default" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "1", + "renamePattern": "debug" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "2", + "renamePattern": "informational" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "3", + "renamePattern": "notice" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "4", + "renamePattern": "warning" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "5", + "renamePattern": "error" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "6", + "renamePattern": "critical" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "7", + "renamePattern": "alert" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "8", + "renamePattern": "emergency" + } + } + ], + "type": "timeseries" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 39 + }, + "id": 8, + "panels": [], + "title": "Performances", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", 
+ "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "total" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "total" + }, + "properties": [ + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 24, + "x": 0, + "y": 40 + }, + "id": 9, + "options": { + "legend": { + "calcs": [ + "min", + "max", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(pod) (increase(falcosecurity_scap_n_evts_total{pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "sum(irate(falcosecurity_falco_n_evts_total[$__interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "total", + "range": true, + "refId": "B", + "useBackend": false + } + ], + "title": "Scap events by instance over time", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + 
"axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "decbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 12, + "x": 0, + "y": 50 + }, + "id": 10, + "options": { + "legend": { + "calcs": [ + "min", + "max", + "mean", + "last" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "avg by(pod, raw_name) (falcosecurity_falco_memory_rss_bytes{pod=~\"$pod\"})", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Memory RSS", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + 
"legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "decbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 12, + "x": 12, + "y": 50 + }, + "id": 13, + "options": { + "legend": { + "calcs": [ + "min", + "max", + "mean", + "last" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true, + "sortBy": "Last", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "avg by(pod, raw_name) (falcosecurity_falco_memory_vsz_bytes{pod=~\"$pod\"})", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - {{raw_name}}", + "range": true, + "refId": "A", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "avg by(pod, raw_name) (falcosecurity_falco_memory_vsz_bytes)", + "fullMetaSearch": false, + "hide": true, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "B", + "useBackend": false + } + ], + "title": "Memory VSZ", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": 
false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 24, + "x": 0, + "y": 62 + }, + "id": 11, + "options": { + "legend": { + "calcs": [ + "min", + "max", + "mean", + "last" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "avg by(pod) (falcosecurity_falco_cpu_usage_ratio{pod=~\"$pod\"})", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "CPU", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + 
"viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 12, + "x": 0, + "y": 74 + }, + "id": 14, + "options": { + "legend": { + "calcs": [ + "min", + "max", + "mean", + "last" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_total{pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Scap Drops total", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + 
"stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 12, + "x": 12, + "y": 74 + }, + "id": 24, + "options": { + "legend": { + "calcs": [ + "min", + "max", + "mean", + "last" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_falco_outputs_queue_num_drops_total{pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Queue Drops", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + 
"color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 16, + "w": 12, + "x": 0, + "y": 86 + }, + "id": 20, + "options": { + "legend": { + "calcs": [ + "max", + "mean" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"enter\", drop=\"clone_fork\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - clone_fork", + "range": true, + "refId": "A", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"enter\", drop=\"connect\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - connect", + "range": true, + "refId": "B", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"enter\", drop=\"dir_file\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - dir_file", + "range": true, + "refId": "C", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum 
by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"enter\", drop=\"execve\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - execve", + "range": true, + "refId": "D", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"enter\", drop=\"open\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - open", + "range": true, + "refId": "E", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"enter\", drop=\"other_interest\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - other_interest", + "range": true, + "refId": "F", + "useBackend": false + } + ], + "title": "Scap Drops Buffer Enter", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + 
"spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 16, + "w": 12, + "x": 12, + "y": 86 + }, + "id": 26, + "options": { + "legend": { + "calcs": [ + "max", + "mean" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"exit\", drop=\"clone_fork\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - clone_fork", + "range": true, + "refId": "A", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"exit\", drop=\"connect\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - connect", + "range": true, + "refId": "B", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"exit\", drop=\"dir_file\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} 
- dir_file", + "range": true, + "refId": "C", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"exit\", drop=\"execve\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - execve", + "range": true, + "refId": "D", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"exit\", drop=\"open\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - open", + "range": true, + "refId": "E", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"exit\", drop=\"other_interest\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - other_interest", + "range": true, + "refId": "F", + "useBackend": false + } + ], + "title": "Scap Drops Buffer Exit", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, 
+ "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 8, + "x": 0, + "y": 102 + }, + "id": 21, + "options": { + "legend": { + "calcs": [ + "max", + "mean" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_cpu_total{pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Scap Drops CPU", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + 
"stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 8, + "x": 8, + "y": 102 + }, + "id": 22, + "options": { + "legend": { + "calcs": [ + "max", + "mean" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_full_threadtable_total{pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Scap Drops Full Threadtable", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + 
"color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 8, + "x": 16, + "y": 102 + }, + "id": 23, + "options": { + "legend": { + "calcs": [ + "max", + "mean" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_scratch_map_total{pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Scap Drops Scratch Map", + "type": "timeseries" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 114 + }, + "id": 15, + "panels": [], + "title": "Fleet", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [] + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 6, + "x": 0, + "y": 115 + }, + "id": 16, + "options": { + "displayLabels": [ + "name", + "value" + ], + "legend": { + "displayMode": "list", + "placement": "bottom", + "showLegend": true, + "values": [] + }, + "pieType": "pie", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "count by(version) 
(falcosecurity_falco_version_info{pod=~\"$pod\"})", + "fullMetaSearch": false, + "includeNullMetadata": true, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Versions", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [] + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 6, + "x": 6, + "y": 115 + }, + "id": 17, + "options": { + "displayLabels": [ + "name", + "value" + ], + "legend": { + "displayMode": "list", + "placement": "bottom", + "showLegend": true, + "values": [] + }, + "pieType": "pie", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "count by(engine_name) (falcosecurity_scap_engine_name_info{pod=~\"$pod\"})", + "fullMetaSearch": false, + "includeNullMetadata": true, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Engines", + "type": "piechart" + } + ], + "preload": false, + "refresh": "", + "schemaVersion": 40, + "tags": [ + "falco", + "kubernetes", + "security" + ], + "templating": { + "list": [ + { + "current": { + "text": "grafanacloud-issif-prom", + "value": "grafanacloud-prom" + }, + "name": "datasource", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "type": "datasource" + }, + { + "current": { + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": 
"label_values(falcosecurity_falco_cpu_usage_ratio,namespace)", + "includeAll": true, + "multi": true, + "name": "namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(falcosecurity_falco_cpu_usage_ratio,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "type": "query" + }, + { + "current": { + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(falcosecurity_falco_cpu_usage_ratio{namespace=~\"$namespace\"},pod)", + "includeAll": true, + "multi": true, + "name": "pod", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(falcosecurity_falco_cpu_usage_ratio{namespace=~\"$namespace\"},pod)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "sort": 1, + "type": "query" + }, + { + "current": { + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(falcosecurity_falco_rules_matches_total{namespace=~\"$namespace\", pod=~\"$pod\"},source)", + "includeAll": true, + "label": "source", + "multi": true, + "name": "source", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(falcosecurity_falco_rules_matches_total{namespace=~\"$namespace\", pod=~\"$pod\"},source)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "sort": 4, + "type": "query" + }, + { + "current": { + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(falcosecurity_falco_rules_matches_total{namespace=~\"$namespace\", source=~\"$source\"},priority)", + "includeAll": true, + "label": "priority", + "multi": true, + "name": "priority", + "options": [], + "query": { + "qryType": 1, + "query": 
"label_values(falcosecurity_falco_rules_matches_total{namespace=~\"$namespace\", source=~\"$source\"},priority)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "sort": 4, + "type": "query" + } + ] + }, + "time": { + "from": "now-24h", + "to": "now" + }, + "timepicker": {}, + "timezone": "browser", + "title": "Falco", + "uid": "ddwe2ug4nfi0wb", + "version": 46, + "weekStart": "" +} \ No newline at end of file diff --git a/helm/falco/charts/falco/templates/_helpers.tpl b/helm/falco/charts/falco/templates/_helpers.tpl index f611a539..8c44ace0 100644 --- a/helm/falco/charts/falco/templates/_helpers.tpl +++ b/helm/falco/charts/falco/templates/_helpers.tpl @@ -89,7 +89,7 @@ Return the proper Falco image name {{- . }}/ {{- end -}} {{- .Values.image.repository }}: -{{- .Values.image.tag | default .Chart.AppVersion -}} +{{- .Values.image.tag | default (printf "%s-debian" .Chart.AppVersion) -}} {{- end -}} {{/* @@ -280,8 +280,8 @@ be temporary and will stay here until we move this logic to the falcoctl tool. {{- with .Values.falcoctl.artifact.install.mounts.volumeMounts }} {{- toYaml . | nindent 4 }} {{- end }} - env: {{- if .Values.falcoctl.artifact.install.env }} + env: {{- include "falco.renderTemplate" ( dict "value" .Values.falcoctl.artifact.install.env "context" $) | nindent 4 }} {{- end }} {{- end -}} @@ -314,8 +314,8 @@ be temporary and will stay here until we move this logic to the falcoctl tool. {{- with .Values.falcoctl.artifact.follow.mounts.volumeMounts }} {{- toYaml . | nindent 4 }} {{- end }} - env: {{- if .Values.falcoctl.artifact.follow.env }} + env: {{- include "falco.renderTemplate" ( dict "value" .Values.falcoctl.artifact.follow.env "context" $) | nindent 4 }} {{- end }} {{- end -}} 
@@ -361,7 +361,7 @@ be temporary and will stay here until we move this logic to the falcoctl tool. {{- if not $hasConfig -}} {{- $listenPort := default (index .Values "k8s-metacollector" "service" "ports" "broker-grpc" "port") .Values.collectors.kubernetes.collectorPort -}} {{- $listenPort = int $listenPort -}} -{{- $pluginConfig := dict "name" "k8smeta" "library_path" "libk8smeta.so" "init_config" (dict "collectorHostname" $hostname "collectorPort" $listenPort "nodeName" "${FALCO_K8S_NODE_NAME}") -}} +{{- $pluginConfig := dict "name" "k8smeta" "library_path" "libk8smeta.so" "init_config" (dict "collectorHostname" $hostname "collectorPort" $listenPort "nodeName" "${FALCO_K8S_NODE_NAME}" "verbosity" .Values.collectors.kubernetes.verbosity "hostProc" .Values.collectors.kubernetes.hostProc) -}} {{- $newConfig := append .Values.falco.plugins $pluginConfig -}} {{- $_ := set .Values.falco "plugins" ($newConfig | uniq) -}} {{- $loadedPlugins := append .Values.falco.load_plugins "k8smeta" -}} @@ -414,7 +414,7 @@ true {{- end -}} {{/* -Based on the use input it populates the metrics configuration in the falco config map. +Based on the user input it populates the metrics configuration in the falco config map. */}} {{- define "falco.metricsConfiguration" -}} {{- if .Values.metrics.enabled -}} 
@@ -427,8 +427,30 @@ Based on the use input it populates the metrics configuration in the falco confi {{- $_ = set .Values.falco.metrics "resource_utilization_enabled" .Values.metrics.resourceUtilizationEnabled -}} {{- $_ = set .Values.falco.metrics "state_counters_enabled" .Values.metrics.stateCountersEnabled -}} {{- $_ = set .Values.falco.metrics "kernel_event_counters_enabled" .Values.metrics.kernelEventCountersEnabled -}} +{{- $_ = set .Values.falco.metrics "kernel_event_counters_per_cpu_enabled" .Values.metrics.kernelEventCountersPerCPUEnabled -}} {{- $_ = set .Values.falco.metrics "libbpf_stats_enabled" .Values.metrics.libbpfStatsEnabled -}} {{- $_ = set .Values.falco.metrics "convert_memory_to_mb" .Values.metrics.convertMemoryToMB -}} {{- $_ = set .Values.falco.metrics "include_empty_values" .Values.metrics.includeEmptyValues -}} {{- end -}} {{- end -}} + +{{/* +Based on the user input it populates the container_engines configuration in the falco config map. +*/}} +{{- define "falco.containerEnginesConfiguration" -}} +{{- if .Values.collectors.enabled -}} +{{- $criSockets := list -}} +{{- $criEnabled := false }} +{{- $_ := set .Values.falco.container_engines "docker" (dict "enabled" .Values.collectors.docker.enabled) -}} +{{- if or .Values.collectors.crio.enabled .Values.collectors.containerd.enabled }} +{{- $criEnabled = true }} +{{- end -}} +{{- if .Values.collectors.containerd.enabled -}} +{{- $criSockets = append $criSockets .Values.collectors.containerd.socket -}} +{{- end }} +{{- if .Values.collectors.crio.enabled -}} +{{- $criSockets = append $criSockets .Values.collectors.crio.socket -}} +{{- end -}} +{{- $_ = set .Values.falco.container_engines "cri" (dict "enabled" $criEnabled "sockets" $criSockets) -}} +{{- end -}} +{{- end -}} diff --git a/helm/falco/charts/falco/templates/configmap.yaml b/helm/falco/charts/falco/templates/configmap.yaml index f48fc88e..a163af5b 100644 --- a/helm/falco/charts/falco/templates/configmap.yaml 
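Review bot: In the new `falco.containerEnginesConfiguration` helper, both `set .Values.falco.container_engines ...` calls assume that key already holds a map. If a values file or a `--reuse-values` upgrade from an older release lacks `falco.container_engines`, `set` receives nil and rendering fails. A guard at the top of the `if` block would make it self-contained: `{{- if not .Values.falco.container_engines }}{{- $_ := set .Values.falco "container_engines" dict }}{{- end }}`. The helper comment should also say that when `collectors.enabled` is false nothing is written, so whatever `container_engines` settings the values carry are passed through unchanged.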
+++ b/helm/falco/charts/falco/templates/configmap.yaml @@ -11,4 +11,5 @@ data: {{- include "k8smeta.configuration" . -}} {{- include "falco.engineConfiguration" . -}} {{- include "falco.metricsConfiguration" . -}} + {{- include "falco.containerEnginesConfiguration" . -}} {{- toYaml .Values.falco | nindent 4 }} diff --git a/helm/falco/charts/falco/templates/falco-dashboard-grafana.yaml b/helm/falco/charts/falco/templates/falco-dashboard-grafana.yaml new file mode 100644 index 00000000..2361f737 --- /dev/null +++ b/helm/falco/charts/falco/templates/falco-dashboard-grafana.yaml @@ -0,0 +1,22 @@ +{{- if .Values.grafana.dashboards.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.grafana.dashboards.configMaps.falco.name }} + {{ if .Values.grafana.dashboards.configMaps.falco.namespace }} + namespace: {{ .Values.grafana.dashboards.configMaps.falco.namespace }} + {{- else -}} + namespace: {{ include "falco.namespace" . }} + {{- end }} + labels: + {{- include "falco.labels" . | nindent 4 }} + grafana_dashboard: "1" + {{- if .Values.grafana.dashboards.configMaps.falco.folder }} + annotations: + k8s-sidecar-target-directory: /tmp/dashboards/{{ .Values.grafana.dashboards.configMaps.falco.folder}} + grafana_dashboard_folder: {{ .Values.grafana.dashboards.configMaps.falco.folder }} + {{- end }} +data: + falco-dashboard.json: |- + {{- .Files.Get "dashboards/falco-dashboard.json" | nindent 4 }} + {{- end -}} diff --git a/helm/falco/charts/falco/templates/pod-template.tpl b/helm/falco/charts/falco/templates/pod-template.tpl index 376c5177..f05441f7 100644 --- a/helm/falco/charts/falco/templates/pod-template.tpl +++ b/helm/falco/charts/falco/templates/pod-template.tpl 
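Review bot: In the new `falco-dashboard-grafana.yaml`, the `folder` value is interpolated unquoted into both annotations. A folder name containing `:`, `#` or leading/trailing spaces yields invalid or silently altered YAML. Quoting both would fix that: `grafana_dashboard_folder: {{ .Values.grafana.dashboards.configMaps.falco.folder | quote }}` and `k8s-sidecar-target-directory: {{ printf "/tmp/dashboards/%s" .Values.grafana.dashboards.configMaps.falco.folder | quote }}`. Because the same value becomes part of a directory path consumed by the dashboard sidecar, it is also worth documenting in values.yaml that it should be a plain folder name without path separators or `..`. The `name` and `namespace` values are unquoted as well and would benefit from the same treatment.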
@@ -12,6 +12,17 @@ metadata: {{- if and .Values.certs (not .Values.certs.existingSecret) }} checksum/certs: {{ include (print $.Template.BasePath "/certs-secret.yaml") . | sha256sum }} {{- end }} + {{- if .Values.driver.enabled }} + {{- if (or (eq .Values.driver.kind "modern_ebpf") (eq .Values.driver.kind "modern-bpf")) }} + {{- if .Values.driver.modernEbpf.leastPrivileged }} + container.apparmor.security.beta.kubernetes.io/{{ .Chart.Name }}: unconfined + {{- end }} + {{- else if eq .Values.driver.kind "ebpf" }} + {{- if .Values.driver.ebpf.leastPrivileged }} + container.apparmor.security.beta.kubernetes.io/{{ .Chart.Name }}: unconfined + {{- end }} + {{- end }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 4 }} {{- end }} @@ -49,6 +60,7 @@ spec: {{- if eq .Values.driver.kind "gvisor" }} hostNetwork: true hostPID: true + dnsPolicy: ClusterFirstWithHostNet {{- end }} containers: - name: {{ .Chart.Name }} @@ -63,18 +75,6 @@ spec: {{- include "falco.configSyscallSource" . | indent 8 }} {{- with .Values.collectors }} {{- if .enabled }} - {{- if .docker.enabled }} - - --cri - - /var/run/{{ base .docker.socket }} - {{- end }} - {{- if .containerd.enabled }} - - --cri - - /run/containerd/{{ base .containerd.socket }} - {{- end }} - {{- if .crio.enabled }} - - --cri - - /run/crio/{{ base .crio.socket }} - {{- end }} - -pk {{- end }} {{- end }} @@ -97,6 +97,10 @@ spec: {{- end }} tty: {{ .Values.tty }} {{- if .Values.falco.webserver.enabled }} + ports: + - containerPort: {{ .Values.falco.webserver.listen_port }} + name: web + protocol: TCP livenessProbe: initialDelaySeconds: {{ .Values.healthChecks.livenessProbe.initialDelaySeconds }} timeoutSeconds: {{ .Values.healthChecks.livenessProbe.timeoutSeconds }} 
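Review bot: The annotation block added under `metadata.annotations` switches the Falco container to AppArmor `unconfined` exactly when `leastPrivileged` is set, and nothing in the template explains why a least-privilege option removes a confinement layer. A comment above the block should state the reason and that the key must match the container name, e.g. `{{- /* leastPrivileged drops privileged mode; presumably the default AppArmor profile then blocks the eBPF probe, hence unconfined. Key suffix must equal the container name (.Chart.Name). */}}`. The `container.apparmor.security.beta.kubernetes.io/` annotation is deprecated from Kubernetes 1.30 in favour of `securityContext.appArmorProfile`, so the comment should also record which cluster versions this form targets. The `modern_ebpf` and `ebpf` branches emit the identical line and could be folded into one condition. Operators relying on AppArmor as a control should see this side effect documented next to `driver.*.leastPrivileged` in values.yaml.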
@@ -128,13 +132,15 @@ spec: - mountPath: /usr/share/falco/plugins name: plugins-install-dir {{- end }} + {{- end }} + {{- if eq (include "driverLoader.enabled" .) "true" }} + - mountPath: /etc/falco/config.d + name: specialized-falco-configs {{- end }} - mountPath: /root/.falco name: root-falco-fs - {{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }} - mountPath: /host/proc name: proc-fs - {{- end }} {{- if and .Values.driver.enabled (not .Values.driver.loader.enabled) }} readOnly: true - mountPath: /host/boot @@ -151,12 +157,12 @@ spec: name: etc-fs readOnly: true {{- end -}} - {{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) }} + {{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module") (eq .Values.driver.kind "auto")) }} - mountPath: /host/dev name: dev-fs readOnly: true - name: sys-fs - mountPath: /sys/module/falco + mountPath: /sys/module {{- end }} {{- if and .Values.driver.enabled (and (eq .Values.driver.kind "ebpf") (contains "falco-no-driver" .Values.image.repository)) }} - name: debugfs @@ -190,7 +196,7 @@ spec: name: certs-volume readOnly: true {{- end }} - {{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }} + {{- if or .Values.certs.existingClientSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }} - mountPath: /etc/falco/certs/client name: client-certs-volume readOnly: true @@ -227,6 +233,10 @@ spec: {{- include "falcoctl.initContainer" . | nindent 4 }} {{- end }} volumes: + {{- if eq (include "driverLoader.enabled" .) "true" }} + - name: specialized-falco-configs + emptyDir: {} + {{- end }} {{- if or .Values.falcoctl.artifact.install.enabled .Values.falcoctl.artifact.follow.enabled }} - name: plugins-install-dir emptyDir: {} 
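Review bot: In the first hunk (`@@ -128,13 +132,15 @@`) the `/host/proc` mount loses its `if or .Values.driver.enabled .Values.mounts.enforceProcMount` guard, so every Falco pod now mounts the host `/proc`, including plugin-only deployments. The matching volume change is in `@@ -281,11 +291,9 @@`. As far as the collapsed context shows, the `readOnly: true` that follows still sits inside `{{- if and .Values.driver.enabled (not .Values.driver.loader.enabled) }}`, so with the driver disabled the host `/proc` would be mounted without `readOnly`. Moving `readOnly: true` directly under `name: proc-fs`, ahead of that `if`, keeps the mount read-only in every configuration. `mounts.enforceProcMount` appears to have no effect in this template any more and should be removed or documented as deprecated in the values file.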
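Review bot: In the second hunk (`@@ -151,12 +157,12 @@`) the `sys-fs` mount is widened from `/sys/module/falco` to the whole of `/sys/module` and now also applies to `driver.kind: auto`. Unlike the `dev-fs` entry above it, it carries no `readOnly: true`. That exposes every loaded module's parameters to the container rather than only Falco's own. If Falco only reads from this path (to be confirmed against the driver loader's needs), add `readOnly: true` under `mountPath: /sys/module`. The corresponding hostPath volume change is in `@@ -249,13 +259,13 @@`.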
@@ -249,13 +259,13 @@ spec: hostPath: path: /etc {{- end }} - {{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) }} + {{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module") (eq .Values.driver.kind "auto")) }} - name: dev-fs hostPath: path: /dev - name: sys-fs hostPath: - path: /sys/module/falco + path: /sys/module {{- end }} {{- if and .Values.driver.enabled (and (eq .Values.driver.kind "ebpf") (contains "falco-no-driver" .Values.image.repository)) }} - name: debugfs @@ -281,11 +291,9 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }} - name: proc-fs hostPath: path: /proc - {{- end }} {{- if eq .Values.driver.kind "gvisor" }} - name: runsc-path hostPath: @@ -384,6 +392,8 @@ spec: - mountPath: /host/etc name: etc-fs readOnly: true + - mountPath: /etc/falco/config.d + name: specialized-falco-configs env: - name: HOST_ROOT value: /host @@ -395,6 +405,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: FALCOCTL_DRIVER_CONFIG_CONFIGMAP + value: {{ include "falco.fullname" . }} {{- else }} - name: FALCOCTL_DRIVER_CONFIG_UPDATE_FALCO value: "false" diff --git a/helm/falco/charts/falco/templates/service.yaml b/helm/falco/charts/falco/templates/service.yaml index d2093ec2..4121a503 100644 --- a/helm/falco/charts/falco/templates/service.yaml +++ b/helm/falco/charts/falco/templates/service.yaml @@ -6,7 +6,14 @@ metadata: namespace: {{ include "falco.namespace" . }} labels: {{- include "falco.labels" . | nindent 4 }} + {{- with .Values.metrics.service.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} type: "falco-metrics" + {{- with .Values.metrics.service.annotations }} + annotations: + {{ toYaml . | nindent 4 }} + {{- end }} spec: type: {{ .Values.metrics.service.type }} ports: 
diff --git a/helm/falco/charts/falco/templates/serviceMonitor.yaml b/helm/falco/charts/falco/templates/serviceMonitor.yaml index 0dea6dd6..6a80b713 100644 --- a/helm/falco/charts/falco/templates/serviceMonitor.yaml +++ b/helm/falco/charts/falco/templates/serviceMonitor.yaml @@ -37,6 +37,9 @@ spec: selector: matchLabels: {{- include "falco.selectorLabels" . | nindent 6 }} + {{- with .Values.serviceMonitor.selector }} + {{- toYaml . | nindent 6 }} + {{- end }} type: "falco-metrics" namespaceSelector: matchNames: diff --git a/helm/falco/charts/falco/tests/unit/chartInfo.go b/helm/falco/charts/falco/tests/unit/chartInfo.go new file mode 100644 index 00000000..11b4b3d9 --- /dev/null +++ b/helm/falco/charts/falco/tests/unit/chartInfo.go @@ -0,0 +1,34 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "gopkg.in/yaml.v3" +) + +func chartInfo(t *testing.T, chartPath string) (map[string]interface{}, error) { + // Get chart info. + output, err := helm.RunHelmCommandAndGetOutputE(t, &helm.Options{}, "show", "chart", chartPath) + if err != nil { + return nil, err + } + chartInfo := map[string]interface{}{} + err = yaml.Unmarshal([]byte(output), &chartInfo) + return chartInfo, err +} 
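Review bot: In the new `chartInfo.go`, `chartInfo` returns the map together with the error when `yaml.Unmarshal` fails, so a caller that forgets the error check works with a partially filled map. Return `nil` on that path instead: `if err := yaml.Unmarshal([]byte(output), &info); err != nil { return nil, err }`. The local variable `chartInfo` shadows the function's own name and reads better as `info`. The helper also lacks a doc comment and a `t.Helper()` call, so failures are attributed to this file rather than to the calling test.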
diff --git a/helm/falco/charts/falco/tests/unit/containerEnginesConfiguration_test.go b/helm/falco/charts/falco/tests/unit/containerEnginesConfiguration_test.go new file mode 100644 index 00000000..bfa43338 --- /dev/null +++ b/helm/falco/charts/falco/tests/unit/containerEnginesConfiguration_test.go 
@@ -0,0 +1,230 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "path/filepath" + "testing" + + "gopkg.in/yaml.v3" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" +) + +type Config struct { + ContainerEngines ContainerEngines `yaml:"container_engines"` +} + +type ContainerEngines struct { + Docker EngineConfig `yaml:"docker"` + Cri CriConfig `yaml:"cri"` + Podman EngineConfig `yaml:"podman"` + Lxc EngineConfig `yaml:"lxc"` + LibvirtLxc EngineConfig `yaml:"libvirt_lxc"` + Bpm EngineConfig `yaml:"bpm"` +} + +type EngineConfig struct { + Enabled bool `yaml:"enabled"` +} + +type CriConfig struct { + Enabled bool `yaml:"enabled"` + Sockets []string `yaml:"sockets"` + DisableAsync bool `yaml:"disable_async"` +} + +func TestContainerEnginesConfig(t *testing.T) { + t.Parallel() + + helmChartPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + testCases := []struct { + name string + values map[string]string + expected func(t *testing.T, engines ContainerEngines) + }{ + { + "defaultValues", + nil, + func(t *testing.T, engines ContainerEngines) { + require.True(t, engines.Docker.Enabled) + require.True(t, engines.Cri.Enabled) + require.False(t, engines.Cri.DisableAsync) + require.Contains(t, engines.Cri.Sockets, "/run/crio/crio.sock") + require.Contains(t, 
engines.Cri.Sockets, "/run/containerd/containerd.sock") + require.False(t, engines.Podman.Enabled) + require.False(t, engines.Lxc.Enabled) + require.False(t, engines.LibvirtLxc.Enabled) + require.False(t, engines.Bpm.Enabled) + }, + }, + { + "collectors disabled", + map[string]string{ + "collectors.enabled": "false", + }, + func(t *testing.T, engines ContainerEngines) { + require.False(t, engines.Docker.Enabled) + require.False(t, engines.Cri.Enabled) + require.False(t, engines.Cri.DisableAsync) + require.Contains(t, engines.Cri.Sockets, "/run/crio/crio.sock") + require.Contains(t, engines.Cri.Sockets, "/run/containerd/containerd.sock") + require.False(t, engines.Podman.Enabled) + require.False(t, engines.Lxc.Enabled) + require.False(t, engines.LibvirtLxc.Enabled) + require.False(t, engines.Bpm.Enabled) + }, + }, + { + "Disable containerd", + map[string]string{ + "collectors.containerd.enabled": "false", + }, + func(t *testing.T, engines ContainerEngines) { + require.True(t, engines.Docker.Enabled) + require.True(t, engines.Cri.Enabled) + require.False(t, engines.Cri.DisableAsync) + require.Len(t, engines.Cri.Sockets, 1) + require.Contains(t, engines.Cri.Sockets, "/run/crio/crio.sock") + require.NotContains(t, engines.Cri.Sockets, "/run/containerd/containerd.sock") + require.False(t, engines.Podman.Enabled) + require.False(t, engines.Lxc.Enabled) + require.False(t, engines.LibvirtLxc.Enabled) + require.False(t, engines.Bpm.Enabled) + }, + }, + { + "Customize containerd socket", + map[string]string{ + "collectors.containerd.socket": "/var/run/containerd/my.socket", + }, + func(t *testing.T, engines ContainerEngines) { + require.True(t, engines.Docker.Enabled) + require.True(t, engines.Cri.Enabled) + require.False(t, engines.Cri.DisableAsync) + require.Len(t, engines.Cri.Sockets, 2) + require.Contains(t, engines.Cri.Sockets, "/run/crio/crio.sock") + require.Contains(t, engines.Cri.Sockets, "/var/run/containerd/my.socket") + require.False(t, engines.Podman.Enabled) + 
require.False(t, engines.Lxc.Enabled) + require.False(t, engines.LibvirtLxc.Enabled) + require.False(t, engines.Bpm.Enabled) + }, + }, + { + "Disable docker", + map[string]string{ + "collectors.docker.enabled": "false", + }, + func(t *testing.T, engines ContainerEngines) { + require.False(t, engines.Docker.Enabled) + require.True(t, engines.Cri.Enabled) + require.False(t, engines.Cri.DisableAsync) + require.Len(t, engines.Cri.Sockets, 2) + require.Contains(t, engines.Cri.Sockets, "/run/crio/crio.sock") + require.Contains(t, engines.Cri.Sockets, "/run/containerd/containerd.sock") + require.False(t, engines.Podman.Enabled) + require.False(t, engines.Lxc.Enabled) + require.False(t, engines.LibvirtLxc.Enabled) + require.False(t, engines.Bpm.Enabled) + }, + }, + { + "Disable crio", + map[string]string{ + "collectors.crio.enabled": "false", + }, + func(t *testing.T, engines ContainerEngines) { + require.True(t, engines.Docker.Enabled) + require.True(t, engines.Cri.Enabled) + require.False(t, engines.Cri.DisableAsync) + require.Len(t, engines.Cri.Sockets, 1) + require.NotContains(t, engines.Cri.Sockets, "/run/crio/crio.sock") + require.Contains(t, engines.Cri.Sockets, "/run/containerd/containerd.sock") + require.False(t, engines.Podman.Enabled) + require.False(t, engines.Lxc.Enabled) + require.False(t, engines.LibvirtLxc.Enabled) + require.False(t, engines.Bpm.Enabled) + }, + }, + { + "Customize crio socket", + map[string]string{ + "collectors.crio.socket": "/run/crio/my.socket", + }, + func(t *testing.T, engines ContainerEngines) { + require.True(t, engines.Docker.Enabled) + require.True(t, engines.Cri.Enabled) + require.False(t, engines.Cri.DisableAsync) + require.Len(t, engines.Cri.Sockets, 2) + require.Contains(t, engines.Cri.Sockets, "/run/crio/my.socket") + require.Contains(t, engines.Cri.Sockets, "/run/containerd/containerd.sock") + require.False(t, engines.Podman.Enabled) + require.False(t, engines.Lxc.Enabled) + require.False(t, engines.LibvirtLxc.Enabled) + 
require.False(t, engines.Bpm.Enabled) + }, + }, + { + "Disable crio and containerd", + map[string]string{ + "collectors.crio.enabled": "false", + "collectors.containerd.enabled": "false", + }, + func(t *testing.T, engines ContainerEngines) { + require.True(t, engines.Docker.Enabled) + require.False(t, engines.Cri.Enabled) + require.False(t, engines.Cri.DisableAsync) + require.Len(t, engines.Cri.Sockets, 0) + require.NotContains(t, engines.Cri.Sockets, "/run/crio/my.socket") + require.NotContains(t, engines.Cri.Sockets, "/run/containerd/containerd.sock") + require.False(t, engines.Podman.Enabled) + require.False(t, engines.Lxc.Enabled) + require.False(t, engines.LibvirtLxc.Enabled) + require.False(t, engines.Bpm.Enabled) + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + t.Run(testCase.name, func(t *testing.T) { + t.Parallel() + + options := &helm.Options{SetValues: testCase.values} + output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/configmap.yaml"}) + + var cm corev1.ConfigMap + helm.UnmarshalK8SYaml(t, output, &cm) + + var config map[string]interface{} + helm.UnmarshalK8SYaml(t, cm.Data["falco.yaml"], &config) + engineConfigString := config["container_engines"] + engineConfigBytes, err := yaml.Marshal(engineConfigString) + + var containerEngines ContainerEngines + err = yaml.Unmarshal(engineConfigBytes, &containerEngines) + require.NoError(t, err) + + testCase.expected(t, containerEngines) + }) + } +} diff --git a/helm/falco/charts/falco/tests/unit/driverLoader_test.go b/helm/falco/charts/falco/tests/unit/driverLoader_test.go index d6199041..6e4fe427 100644 --- a/helm/falco/charts/falco/tests/unit/driverLoader_test.go +++ b/helm/falco/charts/falco/tests/unit/driverLoader_test.go 
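Review bot: In `TestContainerEnginesConfig`, the error from `yaml.Marshal(engineConfigString)` is never checked, because the next statement overwrites `err` with the result of `yaml.Unmarshal`. Add `require.NoError(t, err)` directly after the `Marshal` call. The lookup `config["container_engines"]` is also used without checking that the key exists, so a template that stops rendering the section would unmarshal a nil value into zeroed structs, and the cases that expect everything disabled would still pass. A `require.Contains(t, config, "container_engines")` before the marshal closes that gap. The `Config` type declared at the top of the file is not used anywhere in this hunk.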
@@ -36,6 +36,11 @@ var ( }, }} + configmapEnvVar = v1.EnvVar{ + Name: "FALCOCTL_DRIVER_CONFIG_CONFIGMAP", + Value: releaseName + "-falco", + } + updateConfigMapEnvVar = v1.EnvVar{ Name: "FALCOCTL_DRIVER_CONFIG_UPDATE_FALCO", Value: "false", @@ -64,7 +69,11 @@ func TestDriverLoaderEnabled(t *testing.T) { require.Contains(t, container.Args, "auto") require.True(t, *container.SecurityContext.Privileged) require.Contains(t, container.Env, namespaceEnvVar) + require.Contains(t, container.Env, configmapEnvVar) require.NotContains(t, container.Env, updateConfigMapEnvVar) + + // Check that the expected volumes are there. + volumeMounts(t, container.VolumeMounts) }, }, { @@ -124,7 +133,11 @@ func TestDriverLoaderEnabled(t *testing.T) { require.Contains(t, container.Args, "kmod") require.True(t, *container.SecurityContext.Privileged) require.NotContains(t, container.Env, namespaceEnvVar) + require.NotContains(t, container.Env, configmapEnvVar) require.Contains(t, container.Env, updateConfigMapEnvVar) + + // Check that the expected volumes are there. + volumeMounts(t, container.VolumeMounts) }, }, { @@ -139,7 +152,11 @@ func TestDriverLoaderEnabled(t *testing.T) { require.Contains(t, container.Args, "kmod") require.True(t, *container.SecurityContext.Privileged) require.NotContains(t, container.Env, namespaceEnvVar) + require.NotContains(t, container.Env, configmapEnvVar) require.Contains(t, container.Env, updateConfigMapEnvVar) + + // Check that the expected volumes are there. + volumeMounts(t, container.VolumeMounts) }, }, { @@ -155,6 +172,10 @@ func TestDriverLoaderEnabled(t *testing.T) { require.Nil(t, container.SecurityContext) require.NotContains(t, container.Env, namespaceEnvVar) require.Contains(t, container.Env, updateConfigMapEnvVar) + require.NotContains(t, container.Env, configmapEnvVar) + + // Check that the expected volumes are there. + volumeMounts(t, container.VolumeMounts) }, }, { 
@@ -190,3 +211,55 @@ func TestDriverLoaderEnabled(t *testing.T) { }) } } + +// volumenMounts checks that the expected volume mounts have been configured. +func volumeMounts(t *testing.T, volumeMounts []v1.VolumeMount) { + rootFalcoFS := v1.VolumeMount{ + Name: "root-falco-fs", + ReadOnly: false, + MountPath: "/root/.falco", + } + require.Contains(t, volumeMounts, rootFalcoFS) + + procFS := v1.VolumeMount{ + Name: "proc-fs", + ReadOnly: true, + MountPath: "/host/proc", + } + require.Contains(t, volumeMounts, procFS) + + bootFS := v1.VolumeMount{ + Name: "boot-fs", + ReadOnly: true, + MountPath: "/host/boot", + } + require.Contains(t, volumeMounts, bootFS) + + libModulesFS := v1.VolumeMount{ + Name: "lib-modules", + ReadOnly: false, + MountPath: "/host/lib/modules", + } + require.Contains(t, volumeMounts, libModulesFS) + + usrFS := v1.VolumeMount{ + Name: "usr-fs", + ReadOnly: true, + MountPath: "/host/usr", + } + require.Contains(t, volumeMounts, usrFS) + + etcFS := v1.VolumeMount{ + Name: "etc-fs", + ReadOnly: true, + MountPath: "/host/etc", + } + require.Contains(t, volumeMounts, etcFS) + + specializedFalcoConfigs := v1.VolumeMount{ + Name: "specialized-falco-configs", + ReadOnly: false, + MountPath: "/etc/falco/config.d", + } + require.Contains(t, volumeMounts, specializedFalcoConfigs) +} diff --git a/helm/falco/charts/falco/tests/unit/grafanaDashboards_test.go b/helm/falco/charts/falco/tests/unit/grafanaDashboards_test.go new file mode 100644 index 00000000..75aa76df --- /dev/null +++ b/helm/falco/charts/falco/tests/unit/grafanaDashboards_test.go 
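Review bot: The doc comment on the new helper names it `volumenMounts`, but the function is `volumeMounts`. It should read `// volumeMounts checks that the expected volume mounts have been configured.` The helper should also call `t.Helper()` on its first line so a failed `require.Contains` is reported at the calling test case. Its parameter is also called `volumeMounts`, which shadows the function name; `mounts` would be clearer.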
@@ -0,0 +1,144 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "fmt" + "io" + "os" + "path/filepath" + "strings" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + "github.com/stretchr/testify/suite" + corev1 "k8s.io/api/core/v1" +) + +type grafanaDashboardsTemplateTest struct { + suite.Suite + chartPath string + releaseName string + namespace string + templates []string +} + +func TestGrafanaDashboardsTemplate(t *testing.T) { + t.Parallel() + + chartFullPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + suite.Run(t, &grafanaDashboardsTemplateTest{ + Suite: suite.Suite{}, + chartPath: chartFullPath, + releaseName: "falco-test-dashboard", + namespace: "falco-test-dashboard", + templates: []string{"templates/falco-dashboard-grafana.yaml"}, + }) +} + +func (g *grafanaDashboardsTemplateTest) TestCreationDefaultValues() { + // Render the dashboard configmap and check that it has not been rendered. 
+ _, err := helm.RenderTemplateE(g.T(), &helm.Options{}, g.chartPath, g.releaseName, g.templates, fmt.Sprintf("--namespace=%s", g.namespace)) + g.Error(err, "should error") + g.Equal("error while running command: exit status 1; Error: could not find template templates/falco-dashboard-grafana.yaml in chart", err.Error()) +} + +func (g *grafanaDashboardsTemplateTest) TestConfig() { + testCases := []struct { + name string + values map[string]string + expected func(cm *corev1.ConfigMap) + }{ + {"dashboard enabled", + map[string]string{ + "grafana.dashboards.enabled": "true", + }, + func(cm *corev1.ConfigMap) { + // Check that the name is the expected one. + g.Equal("falco-grafana-dashboard", cm.Name) + // Check the namespace. + g.Equal(g.namespace, cm.Namespace) + g.Nil(cm.Annotations) + }, + }, + {"namespace", + map[string]string{ + "grafana.dashboards.enabled": "true", + "grafana.dashboards.configMaps.falco.namespace": "custom-namespace", + }, + func(cm *corev1.ConfigMap) { + // Check that the name is the expected one. + g.Equal("falco-grafana-dashboard", cm.Name) + // Check the namespace. + g.Equal("custom-namespace", cm.Namespace) + g.Nil(cm.Annotations) + }, + }, + {"folder", + map[string]string{ + "grafana.dashboards.enabled": "true", + "grafana.dashboards.configMaps.falco.folder": "custom-folder", + }, + func(cm *corev1.ConfigMap) { + // Check that the name is the expected one. + g.Equal("falco-grafana-dashboard", cm.Name) + g.NotNil(cm.Annotations) + g.Len(cm.Annotations, 2) + // Check sidecar annotation. + val, ok := cm.Annotations["k8s-sidecar-target-directory"] + g.True(ok) + g.Equal("/tmp/dashboards/custom-folder", val) + // Check grafana annotation. 
+ val, ok = cm.Annotations["grafana_dashboard_folder"] + g.True(ok) + g.Equal("custom-folder", val) + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + g.Run(testCase.name, func() { + subT := g.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + + // Render the configmap unmarshal it. + output, err := helm.RenderTemplateE(subT, options, g.chartPath, g.releaseName, g.templates, "--namespace="+g.namespace) + g.NoError(err, "should succeed") + var cfgMap corev1.ConfigMap + helm.UnmarshalK8SYaml(subT, output, &cfgMap) + + // Common checks + // Check that contains the right label. + g.Contains(cfgMap.Labels, "grafana_dashboard") + // Check that the dashboard is contained in the config map. + file, err := os.Open("../../dashboards/falco-dashboard.json") + g.NoError(err) + content, err := io.ReadAll(file) + g.NoError(err) + cfgData, ok := cfgMap.Data["falco-dashboard.json"] + g.True(ok) + g.Equal(strings.TrimRight(string(content), "\n"), cfgData) + testCase.expected(&cfgMap) + }) + } +} diff --git a/helm/falco/charts/falco/tests/unit/k8smetacollectorDependency_test.go b/helm/falco/charts/falco/tests/unit/k8smetacollectorDependency_test.go index 6e886a05..f06ea4d4 100644 --- a/helm/falco/charts/falco/tests/unit/k8smetacollectorDependency_test.go +++ b/helm/falco/charts/falco/tests/unit/k8smetacollectorDependency_test.go @@ -23,10 +23,11 @@ import ( "strings" "testing" + "slices" + "github.com/gruntwork-io/terratest/modules/helm" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" - "slices" ) const chartPath = "../../" @@ -114,6 +115,7 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Get init config. initConfig, ok := plugin["init_config"] require.True(t, ok) + require.Len(t, initConfig, 5, "checking number of config entries in the init section") initConfigMap := initConfig.(map[string]interface{}) // Check that the collector port is correctly set. port := initConfigMap["collectorPort"] 
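Review bot: In `grafanaDashboards_test.go`, `TestCreationDefaultValues` calls `g.Error(err, "should error")` and then dereferences `err.Error()` on the next line. The suite's embedded assertions do not stop the test, so the test panics with a nil dereference if rendering ever succeeds. Use `g.Require().Error(err, "should error")` instead. In `TestConfig`, the file opened with `os.Open` is never closed; `content, err := os.ReadFile("../../dashboards/falco-dashboard.json")` replaces the open/read pair and removes the leak. Comparing the full Helm error string with `g.Equal` is brittle across Helm versions, and `g.ErrorContains(err, "could not find template")` would be sturdier.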
@@ -124,7 +126,12 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Check that the collector hostname is correctly set. hostName := initConfigMap["collectorHostname"] require.Equal(t, fmt.Sprintf("%s-k8s-metacollector.default.svc", releaseName), hostName.(string)) - + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "info", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host", hostProc.(string)) // Check that the library path is set. libPath := plugin["library_path"] require.Equal(t, "libk8smeta.so", libPath) @@ -140,6 +147,7 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Get init config. initConfig, ok := plugin["init_config"] require.True(t, ok) + require.Len(t, initConfig, 5, "checking number of config entries in the init section") initConfigMap := initConfig.(map[string]interface{}) // Check that the collector port is correctly set. port := initConfigMap["collectorPort"] @@ -150,6 +158,12 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Check that the collector hostname is correctly set. hostName := initConfigMap["collectorHostname"] require.Equal(t, fmt.Sprintf("%s-k8s-metacollector.test.svc", releaseName), hostName.(string)) + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "info", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host", hostProc.(string)) // Check that the library path is set. libPath := plugin["library_path"] 
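Review bot: The added `verbosity` and `hostProc` checks use unchecked type assertions such as `verbosity.(string)`, so a missing key panics on a nil interface instead of failing the test with a readable message. Comparing the map value directly avoids that: `require.Equal(t, "info", initConfigMap["verbosity"])` and `require.Equal(t, "/host", initConfigMap["hostProc"])`. The same six lines are repeated in the hunks that follow, through `@@ -293,7 +341,40 @@`, so a small helper taking the expected verbosity and hostProc would keep the cases in step. The enclosing test function starts outside these hunks.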
@@ -166,6 +180,7 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Get init config. initConfig, ok := plugin["init_config"] require.True(t, ok) + require.Len(t, initConfig, 5, "checking number of config entries in the init section") initConfigMap := initConfig.(map[string]interface{}) // Check that the collector port is correctly set. port := initConfigMap["collectorPort"] @@ -176,6 +191,12 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Check that the collector hostname is correctly set. hostName := initConfigMap["collectorHostname"] require.Equal(t, "collector.default.svc", hostName.(string)) + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "info", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host", hostProc.(string)) // Check that the library path is set. libPath := plugin["library_path"] @@ -194,6 +215,7 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Get init config. initConfig, ok := plugin["init_config"] require.True(t, ok) + require.Len(t, initConfig, 5, "checking number of config entries in the init section") initConfigMap := initConfig.(map[string]interface{}) // Check that the collector port is correctly set. port := initConfigMap["collectorPort"] @@ -204,6 +226,12 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Check that the collector hostname is correctly set. hostName := initConfigMap["collectorHostname"] require.Equal(t, "collector.test.svc", hostName.(string)) + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "info", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host", hostProc.(string)) // Check that the library path is set. libPath := plugin["library_path"] 
@@ -220,6 +248,7 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Get init config. initConfig, ok := plugin["init_config"] require.True(t, ok) + require.Len(t, initConfig, 5, "checking number of config entries in the init section") initConfigMap := initConfig.(map[string]interface{}) // Check that the collector port is correctly set. port := initConfigMap["collectorPort"] @@ -230,6 +259,12 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Check that the collector hostname is correctly set. hostName := initConfigMap["collectorHostname"] require.Equal(t, "test", hostName.(string)) + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "info", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host", hostProc.(string)) // Check that the library path is set. libPath := plugin["library_path"] @@ -249,6 +284,7 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Get init config. initConfig, ok := plugin["init_config"] require.True(t, ok) + require.Len(t, initConfig, 5, "checking number of config entries in the init section") initConfigMap := initConfig.(map[string]interface{}) // Check that the collector port is correctly set. port := initConfigMap["collectorPort"] @@ -259,6 +295,12 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Check that the collector hostname is correctly set. hostName := initConfigMap["collectorHostname"] require.Equal(t, "test-with-override", hostName.(string)) + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "info", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host", hostProc.(string)) // Check that the library path is set. libPath := plugin["library_path"] 
@@ -286,6 +328,12 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Check that the collector hostname is correctly set. hostName := initConfigMap["collectorHostname"] require.Equal(t, fmt.Sprintf("%s-k8s-metacollector.default.svc", releaseName), hostName.(string)) + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "info", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host", hostProc.(string)) // Check that the library path is set. libPath := plugin["library_path"] 
@@ -293,7 +341,40 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { }, }, { - "drive disabled", + "set collector logger level and hostProc", + map[string]string{ + "collectors.kubernetes.verbosity": "trace", + "collectors.kubernetes.hostProc": "/host/test", + }, + func(t *testing.T, config any) { + plugin := config.(map[string]interface{}) + // Get init config. + initConfig, ok := plugin["init_config"] + require.True(t, ok) + require.Len(t, initConfig, 5, "checking number of config entries in the init section") + initConfigMap := initConfig.(map[string]interface{}) + // Check that the collector port is correctly set. + port := initConfigMap["collectorPort"] + require.Equal(t, float64(45000), port.(float64)) + // Check that the collector nodeName is correctly set. + nodeName := initConfigMap["nodeName"] + require.Equal(t, "${FALCO_K8S_NODE_NAME}", nodeName.(string)) + // Check that the collector hostname is correctly set. + hostName := initConfigMap["collectorHostname"] + require.Equal(t, fmt.Sprintf("%s-k8s-metacollector.default.svc", releaseName), hostName.(string)) + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "trace", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host/test", hostProc.(string)) + // Check that the library path is set. + libPath := plugin["library_path"] + require.Equal(t, "libk8smeta.so", libPath) + }, + }, + { + "driver disabled", map[string]string{ "driver.enabled": "false", }, 
@@ -462,7 +543,7 @@ func TestFalcoctlRefs(t *testing.T) { refs := artifactConfig["install"].(map[string]interface{})["refs"].([]interface{}) require.Len(t, refs, 2) require.True(t, slices.Contains(refs, "falco-rules:3")) - require.True(t, slices.Contains(refs, "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0")) + require.True(t, slices.Contains(refs, "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.1")) } testCases := []struct { diff --git a/helm/falco/charts/falco/tests/unit/metricsConfig_test.go b/helm/falco/charts/falco/tests/unit/metricsConfig_test.go index 2d0cc33d..e983f58c 100644 --- a/helm/falco/charts/falco/tests/unit/metricsConfig_test.go +++ b/helm/falco/charts/falco/tests/unit/metricsConfig_test.go @@ -26,16 +26,17 @@ import ( ) type metricsConfig struct { - Enabled bool `yaml:"enabled"` - ConvertMemoryToMB bool `yaml:"convert_memory_to_mb"` - IncludeEmptyValues bool `yaml:"include_empty_values"` - KernelEventCountersEnabled bool `yaml:"kernel_event_counters_enabled"` - ResourceUtilizationEnabled bool `yaml:"resource_utilization_enabled"` - RulesCountersEnabled bool `yaml:"rules_counters_enabled"` - LibbpfStatsEnabled bool `yaml:"libbpf_stats_enabled"` - OutputRule bool `yaml:"output_rule"` - StateCountersEnabled bool `yaml:"state_counters_enabled"` - Interval string `yaml:"interval"` + Enabled bool `yaml:"enabled"` + ConvertMemoryToMB bool `yaml:"convert_memory_to_mb"` + IncludeEmptyValues bool `yaml:"include_empty_values"` + KernelEventCountersEnabled bool `yaml:"kernel_event_counters_enabled"` + KernelEventCountersPerCPUEnabled bool `yaml:"kernel_event_counters_per_cpu_enabled"` + ResourceUtilizationEnabled bool `yaml:"resource_utilization_enabled"` + RulesCountersEnabled bool `yaml:"rules_counters_enabled"` + LibbpfStatsEnabled bool `yaml:"libbpf_stats_enabled"` + OutputRule bool `yaml:"output_rule"` + StateCountersEnabled bool `yaml:"state_counters_enabled"` + Interval string `yaml:"interval"` } type webServerConfig struct { 
@@ -63,7 +64,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) { "defaultValues", nil, func(t *testing.T, metricsConfig, webServerConfig any) { - require.Len(t, metricsConfig, 10, "should have ten items") + require.Len(t, metricsConfig, 11, "should have ten items") metrics, err := getMetricsConfig(metricsConfig) require.NoError(t, err) @@ -78,6 +79,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) { require.True(t, metrics.LibbpfStatsEnabled) require.True(t, metrics.OutputRule) require.True(t, metrics.StateCountersEnabled) + require.False(t, metrics.KernelEventCountersPerCPUEnabled) webServer, err := getWebServerConfig(webServerConfig) require.NoError(t, err) @@ -92,7 +94,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) { "metrics.enabled": "true", }, func(t *testing.T, metricsConfig, webServerConfig any) { - require.Len(t, metricsConfig, 10, "should have ten items") + require.Len(t, metricsConfig, 11, "should have ten items") metrics, err := getMetricsConfig(metricsConfig) require.NoError(t, err) @@ -107,6 +109,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) { require.True(t, metrics.LibbpfStatsEnabled) require.False(t, metrics.OutputRule) require.True(t, metrics.StateCountersEnabled) + require.False(t, metrics.KernelEventCountersPerCPUEnabled) webServer, err := getWebServerConfig(webServerConfig) require.NoError(t, err) 
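Review bot: The failure message in `require.Len(t, metricsConfig, 11, "should have ten items")` no longer matches the expected length, so a failing run reports "ten" while the assertion demands eleven. The same stale message appears in the `-92,7` hunk and in the `Flip/Change Values` case of the `-118,19` hunk. I would change all three to `require.Len(t, metricsConfig, 11, "should have eleven items")`, or drop the number from the message so that it cannot drift again.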
@@ -118,19 +121,20 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) { { "Flip/Change Values", map[string]string{ - "metrics.enabled": "true", - "metrics.convertMemoryToMB": "false", - "metrics.includeEmptyValues": "true", - "metrics.kernelEventCountersEnabled": "false", - "metrics.resourceUtilizationEnabled": "false", - "metrics.rulesCountersEnabled": "false", - "metrics.libbpfStatsEnabled": "false", - "metrics.outputRule": "false", - "metrics.stateCountersEnabled": "false", - "metrics.interval": "1s", + "metrics.enabled": "true", + "metrics.convertMemoryToMB": "false", + "metrics.includeEmptyValues": "true", + "metrics.kernelEventCountersEnabled": "false", + "metrics.resourceUtilizationEnabled": "false", + "metrics.rulesCountersEnabled": "false", + "metrics.libbpfStatsEnabled": "false", + "metrics.outputRule": "false", + "metrics.stateCountersEnabled": "false", + "metrics.interval": "1s", + "metrics.kernelEventCountersPerCPUEnabled": "true", }, func(t *testing.T, metricsConfig, webServerConfig any) { - require.Len(t, metricsConfig, 10, "should have ten items") + require.Len(t, metricsConfig, 11, "should have ten items") metrics, err := getMetricsConfig(metricsConfig) require.NoError(t, err) @@ -145,6 +149,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) { require.False(t, metrics.LibbpfStatsEnabled) require.False(t, metrics.OutputRule) require.False(t, metrics.StateCountersEnabled) + require.True(t, metrics.KernelEventCountersPerCPUEnabled) webServer, err := getWebServerConfig(webServerConfig) require.NoError(t, err) diff --git a/helm/falco/charts/falco/tests/unit/serviceMonitorTemplate_test.go b/helm/falco/charts/falco/tests/unit/serviceMonitorTemplate_test.go index b2fcb374..ea914e28 100644 --- a/helm/falco/charts/falco/tests/unit/serviceMonitorTemplate_test.go +++ b/helm/falco/charts/falco/tests/unit/serviceMonitorTemplate_test.go 
@@ -83,7 +83,12 @@ func (s *serviceMonitorTemplateTest) TestEndpoint() { } func (s *serviceMonitorTemplateTest) TestNamespaceSelector() { - options := &helm.Options{SetValues: map[string]string{"serviceMonitor.create": "true"}} + selectorsLabelJson := `{ + "app.kubernetes.io/instance": "my-falco", + "foo": "bar" + }` + options := &helm.Options{SetValues: map[string]string{"serviceMonitor.create": "true"}, + SetJsonValues: map[string]string{"serviceMonitor.selector": selectorsLabelJson}} output := helm.RenderTemplate(s.T(), options, s.chartPath, s.releaseName, s.templates) var svcMonitor monitoringv1.ServiceMonitor 
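Review bot: The `serviceMonitor.selector` override added to `TestNamespaceSelector` is not covered by any assertion here; the checks visible in the following hunk only inspect `Spec.NamespaceSelector.MatchNames`. If the intent is to show that a custom selector leaves the namespace selector untouched, a short comment such as `// A custom selector must not affect the namespace selector.` would make that explicit. Otherwise the `selectorsLabelJson` and `SetJsonValues` lines belong in `TestServiceMonitorSelector`, which already covers the override. The function body continues outside this hunk.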
@@ -91,3 +96,64 @@ func (s *serviceMonitorTemplateTest) TestNamespaceSelector() { s.Len(svcMonitor.Spec.NamespaceSelector.MatchNames, 1) s.Equal("default", svcMonitor.Spec.NamespaceSelector.MatchNames[0]) } + +func (s *serviceMonitorTemplateTest) TestServiceMonitorSelector() { + testCases := []struct { + name string + values string + expected map[string]string + }{ + { + "defaultValues", + "", + map[string]string{ + "app.kubernetes.io/instance": "falco-test", + "app.kubernetes.io/name": "falco", + "type": "falco-metrics", + }, + }, + { + "customValues", + `{ + "foo": "bar" + }`, + map[string]string{ + "app.kubernetes.io/instance": "falco-test", + "app.kubernetes.io/name": "falco", + "foo": "bar", + "type": "falco-metrics", + }, + }, + { + "overwriteDefaultValues", + `{ + "app.kubernetes.io/instance": "falco-overwrite", + "foo": "bar" + }`, + map[string]string{ + "app.kubernetes.io/instance": "falco-overwrite", + "app.kubernetes.io/name": "falco", + "foo": "bar", + "type": "falco-metrics", + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetValues: map[string]string{"serviceMonitor.create": "true"}, + SetJsonValues: map[string]string{"serviceMonitor.selector": testCase.values}} + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.releaseName, s.templates) + + var svcMonitor monitoringv1.ServiceMonitor + helm.UnmarshalK8SYaml(s.T(), output, &svcMonitor) + + s.Equal(testCase.expected, svcMonitor.Spec.Selector.MatchLabels, "should be the same") + }) + } +} diff --git a/helm/falco/charts/falco/tests/unit/serviceTemplate_test.go b/helm/falco/charts/falco/tests/unit/serviceTemplate_test.go new file mode 100644 index 00000000..861159a6 --- /dev/null +++ b/helm/falco/charts/falco/tests/unit/serviceTemplate_test.go 
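Review bot: `subT.Parallel()` inside `s.Run` is unsafe here, because the closure goes on calling `s.T()` and `s.Equal` on the shared suite value instead of the captured `subT`, and a testify suite tracks only one current `T`. Once a subtest pauses in `Parallel()` the loop moves on, so the later `helm.RenderTemplate(s.T(), ...)` and `s.Equal(...)` calls can bind to a different test's `T`, and a failure may be misattributed or reported on a test that has already finished. The simplest fix is to delete the `subT := s.T()` and `subT.Parallel()` lines; these cases only render a template and gain little from running in parallel. Whether an empty string is a valid `SetJsonValues` value for the `defaultValues` case also deserves a check, since it is passed through to helm as-is.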
@@ -0,0 +1,178 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "fmt" + "path/filepath" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + "github.com/stretchr/testify/suite" + corev1 "k8s.io/api/core/v1" +) + +type serviceTemplateTest struct { + suite.Suite + chartPath string + releaseName string + namespace string + templates []string +} + +func TestServiceTemplate(t *testing.T) { + t.Parallel() + + chartFullPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + suite.Run(t, &serviceTemplateTest{ + Suite: suite.Suite{}, + chartPath: chartFullPath, + releaseName: "falco-test", + namespace: "falco-namespace-test", + templates: []string{"templates/service.yaml"}, + }) +} + +func (s *serviceTemplateTest) TestCreationDefaultValues() { + // Render the service and check that it has not been rendered. 
+ _, err := helm.RenderTemplateE(s.T(), &helm.Options{}, s.chartPath, s.releaseName, s.templates) + s.Error(err, "should error") + s.Equal("error while running command: exit status 1; Error: could not find template templates/service.yaml in chart", err.Error()) +} + +func (s *serviceTemplateTest) TestDefaultLabelsValues() { + options := &helm.Options{SetValues: map[string]string{"metrics.enabled": "true"}} + output, err := helm.RenderTemplateE(s.T(), options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should render template") + + cInfo, err := chartInfo(s.T(), s.chartPath) + s.NoError(err) + // Get app version. + appVersion, found := cInfo["appVersion"] + s.True(found, "should find app version in chart info") + appVersion = appVersion.(string) + // Get chart version. + chartVersion, found := cInfo["version"] + s.True(found, "should find chart version in chart info") + // Get chart name. + chartName, found := cInfo["name"] + s.True(found, "should find chart name in chart info") + chartName = chartName.(string) + expectedLabels := map[string]string{ + "helm.sh/chart": fmt.Sprintf("%s-%s", chartName, chartVersion), + "app.kubernetes.io/name": chartName.(string), + "app.kubernetes.io/instance": s.releaseName, + "app.kubernetes.io/version": appVersion.(string), + "app.kubernetes.io/managed-by": "Helm", + "type": "falco-metrics", + } + var svc corev1.Service + helm.UnmarshalK8SYaml(s.T(), output, &svc) + labels := svc.GetLabels() + for key, value := range labels { + expectedVal := expectedLabels[key] + s.Equal(expectedVal, value) + } + + for key, value := range expectedLabels { + expectedVal := labels[key] + s.Equal(expectedVal, value) + } +} + + +func (s *serviceTemplateTest) TestCustomLabelsValues() { + options := &helm.Options{SetValues: map[string]string{"metrics.enabled": "true", + "metrics.service.labels.customLabel": "customLabelValues"}} + output, err := helm.RenderTemplateE(s.T(), options, s.chartPath, s.releaseName, s.templates) + + + 
s.NoError(err, "should render template") + + cInfo, err := chartInfo(s.T(), s.chartPath) + s.NoError(err) + // Get app version. + appVersion, found := cInfo["appVersion"] + s.True(found, "should find app version in chart info") + appVersion = appVersion.(string) + // Get chart version. + chartVersion, found := cInfo["version"] + s.True(found, "should find chart version in chart info") + // Get chart name. + chartName, found := cInfo["name"] + s.True(found, "should find chart name in chart info") + chartName = chartName.(string) + expectedLabels := map[string]string{ + "helm.sh/chart": fmt.Sprintf("%s-%s", chartName, chartVersion), + "app.kubernetes.io/name": chartName.(string), + "app.kubernetes.io/instance": s.releaseName, + "app.kubernetes.io/version": appVersion.(string), + "app.kubernetes.io/managed-by": "Helm", + "type": "falco-metrics", + "customLabel": "customLabelValues", + } + var svc corev1.Service + helm.UnmarshalK8SYaml(s.T(), output, &svc) + labels := svc.GetLabels() + for key, value := range labels { + expectedVal := expectedLabels[key] + s.Equal(expectedVal, value) + } + + for key, value := range expectedLabels { + expectedVal := labels[key] + s.Equal(expectedVal, value) + } + +} + +func (s *serviceTemplateTest) TestDefaultAnnotationsValues() { + options := &helm.Options{SetValues: map[string]string{"metrics.enabled": "true"}} + output, err := helm.RenderTemplateE(s.T(), options, s.chartPath, s.releaseName, s.templates) + + s.NoError(err) + + var svc corev1.Service + helm.UnmarshalK8SYaml(s.T(), output, &svc) + s.Nil(svc.Annotations, "should be nil") +} + +func (s *serviceTemplateTest) TestCustomAnnotationsValues() { + values := map[string]string{ + "metrics.enabled": "true", + "metrics.service.annotations.annotation1": "customAnnotation1", + "metrics.service.annotations.annotation2": "customAnnotation2", + } + annotations := map[string]string{ + "annotation1": "customAnnotation1", + "annotation2": "customAnnotation2", + } + options := 
&helm.Options{SetValues: values} + output, err := helm.RenderTemplateE(s.T(), options, s.chartPath, s.releaseName, s.templates) + s.NoError(err) + + var svc corev1.Service + helm.UnmarshalK8SYaml(s.T(), output, &svc) + s.Len(svc.Annotations, 2) + + for key, value := range svc.Annotations { + expectedVal := annotations[key] + s.Equal(expectedVal, value) + } +} \ No newline at end of file diff --git a/helm/falco/charts/falco/values-k8saudit.yaml b/helm/falco/charts/falco/values-k8saudit.yaml index 21d93236..4e1e19cf 100644 --- a/helm/falco/charts/falco/values-k8saudit.yaml +++ b/helm/falco/charts/falco/values-k8saudit.yaml @@ -14,7 +14,6 @@ controller: # For more info check the section on Plugins in the README.md file. replicas: 1 - falcoctl: artifact: install: @@ -27,10 +26,10 @@ falcoctl: artifact: install: # -- List of artifacts to be installed by the falcoctl init container. - refs: [k8saudit-rules:0.7] + refs: [k8saudit-rules:0.11, k8saudit:0.11] follow: # -- List of artifacts to be followed by the falcoctl sidecar container. - refs: [k8saudit-rules:0.7] + refs: [k8saudit-rules:0.11] services: - name: k8saudit-webhook @@ -41,7 +40,7 @@ services: protocol: TCP falco: - rules_file: + rules_files: - /etc/falco/k8s_audit_rules.yaml - /etc/falco/rules.d plugins: diff --git a/helm/falco/charts/falco/values-syscall-k8saudit.yaml b/helm/falco/charts/falco/values-syscall-k8saudit.yaml index 91dcdbd1..bedc9020 100644 --- a/helm/falco/charts/falco/values-syscall-k8saudit.yaml +++ b/helm/falco/charts/falco/values-syscall-k8saudit.yaml @@ -30,10 +30,10 @@ falcoctl: artifact: install: # -- List of artifacts to be installed by the falcoctl init container. - refs: [falco-rules:3, k8saudit-rules:0.7] + refs: [falco-rules:3, k8saudit-rules:0.11, k8saudit:0.11] follow: # -- List of artifacts to be followed by the falcoctl sidecar container. - refs: [falco-rules:3, k8saudit-rules:0.7] + refs: [falco-rules:3, k8saudit-rules:0.11, k8saudit:0.11] services: - name: k8saudit-webhook 
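Review bot: `TestCreationDefaultValues` compares the complete error text with `s.Equal(...)`, which ties the test to the exact wording of the terratest command wrapper and of the helm CLI, so a tool upgrade can break it without any change to the chart. Matching only the relevant part is sturdier: `s.ErrorContains(err, "could not find template templates/service.yaml in chart")`. In `TestDefaultLabelsValues` and `TestCustomLabelsValues`, `appVersion = appVersion.(string)` and `chartName = chartName.(string)` assign back to an interface variable and have no effect beyond panicking on a wrong type. The two comparison loops in each test can be replaced with `s.Equal(expectedLabels, svc.GetLabels())`, which also reports missing or extra keys directly.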
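Review bot: `k8saudit:0.11` is added to the `follow` refs in values-syscall-k8saudit.yaml but only to the `install` refs in values-k8saudit.yaml, so the two presets now disagree on whether the plugin itself is followed. Following a plugin presumably lets the sidecar replace a shared library that Falco loads, resolved from a tag (`0.11`) that can move, which is a larger supply-chain exposure than following rules files. Unless automatic plugin updates are intended, I would keep the plugin in `install` only and make the follow line `refs: [falco-rules:3, k8saudit-rules:0.11]`, matching the other preset. Where reproducible deployments matter, the plugin is better pinned to an immutable reference.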
@@ -44,7 +44,7 @@ services: protocol: TCP falco: - rules_file: + rules_files: - /etc/falco/falco_rules.yaml - /etc/falco/k8s_audit_rules.yaml - /etc/falco/rules.d diff --git a/helm/falco/charts/falco/values.yaml b/helm/falco/charts/falco/values.yaml index 15e7dd1d..1da589ea 100644 --- a/helm/falco/charts/falco/values.yaml +++ b/helm/falco/charts/falco/values.yaml @@ -10,7 +10,7 @@ image: # -- The image registry to pull from. registry: docker.io # -- The image repository to pull from - repository: falcosecurity/falco-no-driver + repository: falcosecurity/falco # -- The image tag to pull. Overrides the image tag whose default is the chart appVersion. tag: "" @@ -240,6 +240,8 @@ metrics: convertMemoryToMB: true # -- includeEmptyValues specifies whether the empty values should be included in the metrics. includeEmptyValues: false + # -- kernelEventCountersPerCPUEnabled specifies whether the event counters per cpu should be enabled. + kernelEventCountersPerCPUEnabled: false # -- service exposes the metrics service to be accessed from within the cluster. # ref: https://kubernetes.io/docs/concepts/services-networking/service/ service: @@ -248,6 +250,10 @@ metrics: # -- type denotes the service type. Setting it to "ClusterIP" we ensure that are accessible # from within the cluster. type: ClusterIP + # -- labels to add to the service. + labels: {} + # -- annotations to add to the service. + annotations: {} # -- ports denotes all the ports on which the Service will listen. ports: # -- metrics denotes a listening service named "metrics". 
@@ -265,8 +271,6 @@ mounts: volumes: [] # -- A list of volumes you want to add to the Falco pods. volumeMounts: [] - # -- By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins). - enforceProcMount: false # Driver settings (scenario requirement) driver: @@ -295,7 +299,7 @@ driver: # Capabilities used: {CAP_SYS_RESOURCE, CAP_SYS_ADMIN, CAP_SYS_PTRACE}. # On kernel versions >= 5.8 'CAP_PERFMON' and 'CAP_BPF' could replace 'CAP_SYS_ADMIN' but please pay attention to the 'kernel.perf_event_paranoid' value on your system. # Usually 'kernel.perf_event_paranoid>2' means that you cannot use 'CAP_PERFMON' and you should fallback to 'CAP_SYS_ADMIN', but the behavior changes across different distros. - # Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-1 + # Read more on that here: https://falco.org/docs/setup/container/#docker-least-privileged-ebpf-probe leastPrivileged: false # -- bufSizePreset determines the size of the shared space between Falco and its drivers. # This shared space serves as a temporary storage for syscall events. @@ -306,7 +310,7 @@ driver: # -- Constrain Falco with capabilities instead of running a privileged container. # Ensure the modern bpf driver is enabled (i.e., setting the `driver.kind` option to `modern-bpf`). # Capabilities used: {CAP_SYS_RESOURCE, CAP_BPF, CAP_PERFMON, CAP_SYS_PTRACE}. - # Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-2 + # Read more on that here: https://falco.org/docs/setup/container/#docker-least-privileged-ebpf-probe leastPrivileged: false # -- bufSizePreset determines the size of the shared space between Falco and its drivers. # This shared space serves as a temporary storage for syscall events. 
@@ -388,7 +392,7 @@ collectors: enabled: false # --pluginRef is the OCI reference for the k8smeta plugin. It could be a full reference such as: # "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0". Or just name + tag: k8smeta:0.1.0. - pluginRef: "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0" + pluginRef: "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.1" # -- collectorHostname is the address of the k8s-metacollector. When not specified it will be set to match # k8s-metacollector service. e.x: falco-k8smetacollecto.falco.svc. If for any reason you need to override # it, make sure to set here the address of the k8s-metacollector. @@ -398,7 +402,13 @@ collectors: # the value of the port named `broker-grpc` in k8s-metacollector.service.ports is used. The default values is 45000. # It is used by the k8smeta plugin to connect to the k8s-metacollector. collectorPort: "" - + # verbosity level for the plugin logger: trace, debug, info, warning, error, critical. + verbosity: info + # The plugin needs to scan the '/proc' of the host on which is running. + # In Falco usually we put the host '/proc' folder under '/host/proc' so + # the default for this config is '/host'. + # The path used here must not have a final '/'. + hostProc: /host ########################### # Extras and customization # @@ -471,7 +481,7 @@ falcoctl: # -- The image repository to pull from. repository: falcosecurity/falcoctl # -- The image tag to pull. - tag: "0.8.0" + tag: "0.10.1" artifact: # -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before # Falco starts. It provides them to Falco by using an emptyDir volume. 
@@ -511,8 +521,8 @@ falcoctl: # -- List of indexes that falcoctl downloads and uses to locate and download artiafcts. For more info see: # https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md#index-file-overview indexes: - - name: falcosecurity - url: https://falcosecurity.github.io/falcoctl/index.yaml + - name: falcosecurity + url: https://falcosecurity.github.io/falcoctl/index.yaml # -- Configuration used by the artifact commands. artifact: # -- List of artifact types that falcoctl will handle. If the configured refs resolves to an artifact whose type is not contained @@ -567,7 +577,8 @@ serviceMonitor: # scraping metrics from a service. It allows you to define the details of the TLS connection, such as # CA certificate, client certificate, and client key. Currently, the k8s-metacollector does not support # TLS configuration for the metrics endpoint. - tlsConfig: {} + tlsConfig: + {} # insecureSkipVerify: false # caFile: /path/to/ca.crt # certFile: /path/to/client.crt @@ -584,6 +595,22 @@ serviceMonitor: # for Falco's metrics. endpointPort: "metrics" +# -- grafana contains the configuration related to grafana. +grafana: + # -- dashboards contains configuration for grafana dashboards. + dashboards: + # -- enabled specifies whether the dashboards should be deployed. + enabled: false + # --configmaps to be deployed that contain a grafana dashboard. + configMaps: + # -- falco contains the configuration for falco's dashboard. + falco: + # -- name specifies the name for the configmap. + name: falco-grafana-dashboard + # -- namespace specifies the namespace for the configmap. + namespace: "" + # -- folder where the dashboard is stored by grafana. + folder: "" ###################### # falco.yaml config # 
@@ -621,7 +648,7 @@ falco: # desired customizations and rule behaviors are prioritized and applied as # intended. # -- The location of the rules files that will be consumed by Falco. - rules_file: + rules_files: - /etc/falco/falco_rules.yaml - /etc/falco/falco_rules.local.yaml - /etc/falco/rules.d @@ -677,12 +704,11 @@ falco: rule_matching: first - # [Incubating] `outputs_queue` # # -- Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter # allows you to customize the queue capacity. Please refer to the official documentation: - # https://oneapi-src.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html. + # https://uxlfoundation.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html. # On a healthy system with optimized Falco rules, the queue should not fill up. # If it does, it is most likely happening due to the entire event flow being too slow, # indicating that the server is under heavy load. @@ -699,7 +725,6 @@ falco: outputs_queue: capacity: 0 - ################# # Falco plugins # ################# @@ -834,6 +859,15 @@ falco: # be added at a later stage, it is recommended to turn it off. json_include_tags_property: true + # [Incubating] `json_include_message_property` + # + # When using JSON output in Falco, you have the option to include the formatted + # rule output without timestamp or priority. For instance, if a rule specifies + # an "output" property like "Opened process %proc.name" the "message" field will + # only contain "Opened process bash" whereas the "output" field will contain more + # information. + json_include_message_property: false + # [Stable] `buffered_outputs` # # -- Enabling buffering for the output queue can offer performance optimization, 
@@ -841,30 +875,48 @@ falco: # output mechanism. By default, buffering is disabled (false). buffered_outputs: false - # [Stable] `outputs` - # - # -- A throttling mechanism, implemented as a token bucket, can be used to control - # the rate of Falco outputs. Each event source has its own rate limiter, - # ensuring that alerts from one source do not affect the throttling of others. - # The following options control the mechanism: - # - rate: the number of tokens (i.e. right to send a notification) gained per - # second. When 0, the throttling mechanism is disabled. Defaults to 0. - # - max_burst: the maximum number of tokens outstanding. Defaults to 1000. + # [Sandbox] `append_output` + # + # Add information to the Falco output. + # With this setting you can add more information to the Falco output message, customizable by + # rule, tag or source. + # You can also add additional data that will appear in the output_fields property + # of JSON formatted messages or gRPC output but will not be part of the regular output message. + # This allows you to add custom fields that can help you filter your Falco events without + # polluting the message text. + # + # Each append_output entry has an optional `match` map which specifies which rules will be + # affected. + # `match`: + # `rule`: append output only to a specific rule + # `source`: append output only to a specific source + # `tags`: append output only to rules that have all of the specified tags + # If none of the above are specified (or `match` is omitted) + # output is appended to all events. + # If more than one match condition is specified output will be appended to events + # that match all conditions. + # And several options to add output: + # `extra_output`: add output to the Falco message + # `extra_fields`: add new fields to the JSON output and structured output, which will not + # affect the regular Falco message in any way. 
These can be specified as a + # custom name with a custom format or as any supported field + # (see: https://falco.org/docs/reference/rules/supported-fields/) # - # For example, setting the rate to 1 allows Falco to send up to 1000 - # notifications initially, followed by 1 notification per second. The burst - # capacity is fully restored after 1000 seconds of no activity. + # Example: # - # Throttling can be useful in various scenarios, such as preventing notification - # floods, managing system load, controlling event processing, or complying with - # rate limits imposed by external systems or APIs. It allows for better resource - # utilization, avoids overwhelming downstream systems, and helps maintain a - # balanced and controlled flow of notifications. + # append_output: + # - match: + # source: syscall + # extra_output: "on CPU %evt.cpu" + # extra_fields: + # - home_directory: "${HOME}" + # - evt.hostname # - # With the default settings, the throttling mechanism is disabled. - outputs: - rate: 0 - max_burst: 1000 + # In the example above every event coming from the syscall source will get an extra message + # at the end telling the CPU number. In addition, if `json_output` is true, in the "output_fields" + # property you will find three new ones: "evt.cpu", "home_directory" which will contain the value of the + # environment variable $HOME, and "evt.hostname" which will contain the hostname. + append_output: [] ########################## # Falco outputs channels # 
@@ -1323,6 +1375,9 @@ falco: # counters reflect monotonic values since Falco's start and are exported at a # constant stats interval. # + # `kernel_event_counters_per_cpu_enabled`: Detailed kernel event and drop counters + # per CPU. Typically used when debugging and not in production. + # # `libbpf_stats_enabled`: Exposes statistics similar to `bpftool prog show`, # providing information such as the number of invocations of each BPF program # attached by Falco and the time spent in each program measured in nanoseconds. @@ -1352,7 +1407,7 @@ falco: libbpf_stats_enabled: true convert_memory_to_mb: true include_empty_values: false - + kernel_event_counters_per_cpu_enabled: false ####################################### # Falco performance tuning (advanced) # @@ -1473,7 +1528,6 @@ falco: custom_set: [] repair: false - ############## # Falco libs # ############## 
@@ -1497,33 +1551,44 @@ falco: falco_libs: thread_table_size: 262144 - # [Stable] Guidance for Kubernetes container engine command-line args settings - # - # Modern cloud environments, particularly Kubernetes, heavily rely on - # containerized workload deployments. When capturing events with Falco, it - # becomes essential to identify the owner of the workload for which events are - # being captured, such as syscall events. Falco integrates with the container - # runtime to enrich its events with container information, including fields like - # `container.image.repository`, `container.image.tag`, ... , `k8s.ns.name`, - # `k8s.pod.name`, `k8s.pod.*` in the Falco output (Falco retrieves Kubernetes - # namespace and pod name directly from the container runtime, see - # https://falco.org/docs/reference/rules/supported-fields/#field-class-container). - # - # Furthermore, Falco exposes container events themselves as a data source for - # alerting. To achieve this integration with the container runtime, Falco - # requires access to the runtime socket. By default, for Kubernetes, Falco - # attempts to connect to the following sockets: - # "/run/containerd/containerd.sock", "/run/crio/crio.sock", - # "/run/k3s/containerd/containerd.sock". If you have a custom path, you can use - # the `--cri` option to specify the correct location. - # - # In some cases, you may encounter empty fields for container metadata. To - # address this, you can explore the `--disable-cri-async` option, which disables - # asynchronous fetching if the fetch operation is not completing quickly enough. - # - # To get more information on these command-line arguments, you can run `falco - # --help` in your terminal to view their current descriptions. - # - # !!! The options mentioned here are not available in the falco.yaml - # configuration file. Instead, they can can be used as a command-line argument - # when running the Falco command. 
+ + # [Incubating] `container_engines` + # + # This option allows you to explicitly enable or disable API lookups against container + # runtime sockets for each supported container runtime. + # Access to these sockets enables Falco to retrieve container and Kubernetes fields, + # helping identify workload owners in modern containerized environments. + # Refer to the fields docs: + # + # - [Kubernetes fields](https://falco.org/docs/reference/rules/supported-fields/#field-class-k8s) + # - [Container fields](https://falco.org/docs/reference/rules/supported-fields/#container) + # + # Additionally, Falco can use container events as a data source for alerting (evt.type = container). + # + # For most container engines, you can solely enable or disable them, and Falco will search the + # default (hard-coded) container runtime socket paths, such as `/var/run/docker.sock` for Docker. + # + # However, for Kubernetes settings, you can customize the CRI socket paths: + # + # - `container_engines.cri.sockets`: Pass a list of container runtime sockets. + # - `container_engines.cri.disable_async`: Since API lookups may not always be quick or + # perfect, resulting in empty fields for container metadata, you can use this option option + # to disable asynchronous fetching. Note that missing fields may still occasionally occur. + + # Please use the collectors section to configure the container engines. + + container_engines: + docker: + enabled: false + cri: + enabled: false + sockets: ["/run/containerd/containerd.sock", "/run/crio/crio.sock", "/run/k3s/containerd/containerd.sock"] + disable_async: false + podman: + enabled: false + lxc: + enabled: false + libvirt_lxc: + enabled: false + bpm: + enabled: false diff --git a/helm/falco/charts/falcosidekick/CHANGELOG.md b/helm/falco/charts/falcosidekick/CHANGELOG.md index ac595c0c..634a8b00 100644 --- a/helm/falco/charts/falcosidekick/CHANGELOG.md +++ b/helm/falco/charts/falcosidekick/CHANGELOG.md 
@@ -5,25 +5,77 @@ numbering uses [semantic versioning](http://semver.org). Before release 0.1.20, the helm chart can be found in `falcosidekick` [repository](https://github.com/falcosecurity/falcosidekick/tree/master/deploy/helm/falcosidekick). +## 0.9.5 + +- Move the `prometheus.io/scrape` annotation to the default values, to allow overrides. + +## 0.9.4 + +- Fix Prometheus metrics names in Prometheus Rule + +## 0.9.3 + +- Add a Grafana dashboard for the Prometheus metrics + +## 0.9.2 + +- Add new dashboard with Loki + +## 0.9.1 + +- Ugrade to Falcosidekick 2.30.0 + +## 0.8.9 + +- Fix customConfig mount path for webui redis + +## 0.8.8 + +- Fix customConfig template for webui redis + +## 0.8.7 + +- Fix securityContext for webui initContainer + +## 0.8.6 + +- Use of `redis-cli` by the initContainer of Falcosidekick-UI to wait til the redis is up and running +- Add the possibility to override the default redis server settings +- Allow to set up a password to use with an external redis +- Fix wrong value used for `OTLP_TRACES_PROTOCOL` env var +- Used names for the priorities in the prometheus rules + +## 0.8.5 + +- Fix an issue with the by default missing custom CA cert + +## 0.8.4 + +- Fix falcosidekick chart ignoring custom service type for webui redis + +## 0.8.3 + +- Add a condition to create the secrets for the redis only if the webui is deployed + ## 0.8.2 - Fix redis-availability check of the UI init-container in case externalRedis is enabled ## 0.8.1 -- allow to set resources, securityContext and image overwrite for wait-redis initContainer +- Allow to set resources, securityContext and image overwrite for wait-redis initContainer ## 0.8.0 -- ugrade to Falcosidekick 2.29.0 -- allow to set custom labels and annotations to set to all resources -- allow to use an existing secrets and values for the env vars at the same time -- fix missing ingressClassName settings in the values.yaml -- add of an initContainer to check if the redis for falcosidekick-ui is up +- 
Ugrade to Falcosidekick 2.29.0 +- Allow to set custom labels and annotations to set to all resources +- Allow to use an existing secrets and values for the env vars at the same time +- Fix missing ingressClassName settings in the values.yaml +- Add of an initContainer to check if the redis for falcosidekick-ui is up ## 0.7.22 -- upgrade redis-stack image to 7.2.0-v11 +- Upgrade redis-stack image to 7.2.0-v11 ## 0.7.21 diff --git a/helm/falco/charts/falcosidekick/Chart.yaml b/helm/falco/charts/falcosidekick/Chart.yaml index 4621acbb..bb388551 100644 --- a/helm/falco/charts/falcosidekick/Chart.yaml +++ b/helm/falco/charts/falcosidekick/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v1 -appVersion: 2.29.0 +appVersion: 2.30.0 description: Connect Falco to your ecosystem icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png name: falcosidekick -version: 0.8.2 +version: 0.9.5 keywords: - monitoring - security diff --git a/helm/falco/charts/falcosidekick/README.md b/helm/falco/charts/falcosidekick/README.md index 9995cffb..4832623e 100644 --- a/helm/falco/charts/falcosidekick/README.md +++ b/helm/falco/charts/falcosidekick/README.md 
@@ -181,7 +181,7 @@ The following table lists the main configurable parameters of the Falcosidekick | config.alertmanager.expireafter | string | `""` | if set to a non-zero value, alert expires after that time in seconds (default: 0) | | config.alertmanager.extraannotations | string | `""` | comma separated list of annotations composed of a ':' separated name and value that is added to the Alerts. Example: my_annotation_1:my_value_1, my_annotation_1:my_value_2 | | config.alertmanager.extralabels | string | `""` | comma separated list of labels composed of a ':' separated name and value that is added to the Alerts. Example: my_label_1:my_value_1, my_label_1:my_value_2 | -| config.alertmanager.hostport | string | `""` | AlertManager , if not `empty`, AlertManager is *enabled* | +| config.alertmanager.hostport | string | `""` | Comma separated list of http://{domain or ip}:{port} that will all receive the payload, if not empty, Alertmanager output is enabled | | config.alertmanager.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | | config.alertmanager.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | | config.aws.accesskeyid | string | `""` | AWS Access Key Id (optionnal if you use EC2 Instance Profile) | 
@@ -236,6 +236,10 @@ The following table lists the main configurable parameters of the Falcosidekick | config.datadog.apikey | string | `""` | Datadog API Key, if not `empty`, Datadog output is *enabled* | | config.datadog.host | string | `""` | Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "" | | config.datadog.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.datadoglogs.apikey | string | `""` | Datadog API Key, if not empty, Datadog Logs output is enabled | +| config.datadoglogs.host | string | `""` | Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://http-intake.logs.datadoghq.com/" | +| config.datadoglogs.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default) | +| config.datadoglogs.service | string | `""` | The name of the application or service generating the log events. | | config.debug | bool | `false` | DEBUG environment variable | | config.discord.icon | string | `""` | Discord icon (avatar) | | config.discord.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | 
@@ -247,20 +251,28 @@ The following table lists the main configurable parameters of the Falcosidekick | config.dynatrace.apiurl | string | `""` | Dynatrace API url, use https://ENVIRONMENTID.live.dynatrace.com/api for Dynatrace SaaS and https://YOURDOMAIN/e/ENVIRONMENTID/api for Dynatrace Managed, more info : https://dt-url.net/ej43qge | | config.dynatrace.checkcert | bool | `true` | check if ssl certificate of the output is valid | | config.dynatrace.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" | +| config.elasticsearch.apikey | string | `""` | Use this APIKey to authenticate to Elasticsearch if the APIKey is not empty (default: "") | +| config.elasticsearch.batching | object | `{"batchsize":"5242880","enabled":true,"flushinterval":"1s"}` | batching configuration, improves throughput dramatically utilizing _bulk Elasticsearch API | +| config.elasticsearch.batching.batchsize | string | `"5242880"` | batch size in bytes (default: 5 MB) (use string to avoid the conversion into float64 by helm) | +| config.elasticsearch.batching.enabled | bool | `true` | if true enables batching | +| config.elasticsearch.batching.flushinterval | string | `"1s"` | batch fush interval (default: 1s) | | config.elasticsearch.checkcert | bool | `true` | check if ssl certificate of the output is valid | | config.elasticsearch.createindextemplate | bool | `false` | Create an index template (default: false) | | config.elasticsearch.customheaders | string | `""` | a list of comma separated custom headers to add, syntax is "key:value,key:value" | +| config.elasticsearch.enablecompression | bool | `false` | if true enables gzip compression for http requests (default: false) | | config.elasticsearch.flattenfields | bool | `false` | Replace . 
by _ to avoid mapping conflicts, force to true if createindextemplate==true (default: false) | | config.elasticsearch.hostport | string | `""` | Elasticsearch , if not `empty`, Elasticsearch is *enabled* | | config.elasticsearch.index | string | `"falco"` | Elasticsearch index | +| config.elasticsearch.maxconcurrentrequests | int | `1` | max number of concurrent http requests (default: 1) | | config.elasticsearch.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | | config.elasticsearch.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | | config.elasticsearch.numberofreplicas | int | `3` | Number of replicas set by the index template (default: 3) | | config.elasticsearch.numberofshards | int | `3` | Number of shards set by the index template (default: 3) | -| config.elasticsearch.password | string | `""` | use this password to authenticate to Elasticsearch if the password is not empty | -| config.elasticsearch.suffix | string | `"daily"` | | +| config.elasticsearch.password | string | `""` | Use this password to authenticate to Elasticsearch if the password is not empty | +| config.elasticsearch.pipeline | string | `""` | Optional ingest pipeline name | +| config.elasticsearch.suffix | string | `"daily"` | Date suffix for index rotation : daily, monthly, annually, none | | config.elasticsearch.type | string | `"_doc"` | Elasticsearch document type | -| config.elasticsearch.username | string | `""` | use this username to authenticate to Elasticsearch if the username is not empty | +| config.elasticsearch.username | string | `""` | Use this username to authenticate to Elasticsearch if the username is not empty | | config.existingSecret | string | `""` | Existing secret with configuration | | config.extraArgs | list | `[]` | Extra command-line arguments | | config.extraEnv | list | `[]` | Extra 
environment variables | @@ -346,6 +358,12 @@ The following table lists the main configurable parameters of the Falcosidekick | config.loki.customheaders | string | `""` | a list of comma separated custom headers to add, syntax is "key:value,key:value" | | config.loki.endpoint | string | `"/loki/api/v1/push"` | Loki endpoint URL path, more info: | | config.loki.extralabels | string | `""` | comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields | +| config.loki.grafanaDashboard | object | `{"configMap":{"folder":"","name":"falcosidekick-loki-dashboard-grafana","namespace":""},"enabled":true}` | dashboard for Grafana | +| config.loki.grafanaDashboard.configMap | object | `{"folder":"","name":"falcosidekick-loki-dashboard-grafana","namespace":""}` | configmaps to be deployed that contain a grafana dashboard. | +| config.loki.grafanaDashboard.configMap.folder | string | `""` | folder where the dashboard is stored by grafana. | +| config.loki.grafanaDashboard.configMap.name | string | `"falcosidekick-loki-dashboard-grafana"` | name specifies the name for the configmap. | +| config.loki.grafanaDashboard.configMap.namespace | string | `""` | namespace specifies the namespace for the configmap. | +| config.loki.grafanaDashboard.enabled | bool | `true` | enabled specifies whether this dashboard should be deployed. | | config.loki.hostport | string | `""` | Loki , if not `empty`, Loki is *enabled* | | config.loki.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | | config.loki.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | 
@@ -411,6 +429,14 @@ The following table lists the main configurable parameters of the Falcosidekick | config.opsgenie.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | | config.opsgenie.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | | config.opsgenie.region | `us` or `eu` | `""` | region of your domain | +| config.otlp.metrics.checkcert | bool | `true` | Set to false if you want to skip TLS certificate validation (only with https) (default: true) | +| config.otlp.metrics.endpoint | string | `""` | OTLP endpoint, typically in the form http{s}://{domain or ip}:4318/v1/metrics | +| config.otlp.metrics.extraattributes | string | `""` | Comma-separated list of fields to use as labels additionally to source, priority, rule, hostname, tags, k8s_ns_name, k8s_pod_name and custom_fields | +| config.otlp.metrics.extraenvvars | list | `[]` | Extra env vars (override the other settings) (default: "") | +| config.otlp.metrics.headers | string | `""` | List of headers to apply to all outgoing metrics in the form of "some-key=some-value,other-key=other-value" (default: "") | +| config.otlp.metrics.minimumpriority | string | `""` | Minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default: "") | +| config.otlp.metrics.protocol | string | `"grpc"` | OTLP transport protocol to be used for metrics data; it can be "grpc" or "http/protobuf" (default: "grpc") | +| config.otlp.metrics.timeout | int | `1000` | OTLP timeout for outgoing metrics in milliseconds (default: "" which uses SDK default: 10000) | | config.otlp.traces.checkcert | bool | `true` | check if ssl certificate of the output is valid | | config.otlp.traces.duration | int | `1000` | Artificial span duration in milliseconds (default: 1000) | | 
config.otlp.traces.endpoint | string | `""` | OTLP endpoint in the form of http://{domain or ip}:4318/v1/traces, if not empty, OTLP Traces output is enabled | @@ -419,7 +445,7 @@ The following table lists the main configurable parameters of the Falcosidekick | config.otlp.traces.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" | | config.otlp.traces.protocol | string | `""` | OTLP protocol http/json, http/protobuf, grpc (default: "" which uses SDK default: http/json) | | config.otlp.traces.synced | bool | `false` | Set to true if you want traces to be sent synchronously (default: false) | -| config.otlp.traces.timeout | string | `""` | OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000) | +| config.otlp.traces.timeout | int | `1000` | OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000) | | config.outputFieldFormat | string | `""` | | | config.pagerduty.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | | config.pagerduty.region | string | `"us"` | Pagerduty Region, can be 'us' or 'eu' | 
@@ -513,6 +539,7 @@ The following table lists the main configurable parameters of the Falcosidekick | config.tekton.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | | config.telegram.chatid | string | `""` | telegram Identifier of the shared chat | | config.telegram.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.telegram.messagethreadid | string | `""` | Telegram individual chats within the group | | config.telegram.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" | | config.telegram.token | string | `""` | telegram bot authentication token | | config.templatedfields | string | `""` | a list of escaped comma separated Go templated fields to add to falco events, syntax is "key:template\,key:template" | 
@@ -523,7 +550,7 @@ The following table lists the main configurable parameters of the Falcosidekick | config.timescaledb.password | string | `"postgres"` | Password to authenticate with TimescaleDB | | config.timescaledb.port | int | `5432` | TimescaleDB port (default: 5432) | | config.timescaledb.user | string | `"postgres"` | Username to authenticate with TimescaleDB | -| config.tlsclient.cacertfile | string | `"/etc/certs/client/ca.crt"` | CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty | +| config.tlsclient.cacertfile | string | `""` | CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty | | config.tlsserver.cacertfile | string | `"/etc/certs/server/ca.crt"` | CA certification file path for client certification if mutualtls is true | | config.tlsserver.cacrt | string | `""` | | | config.tlsserver.certfile | string | `"/etc/certs/server/server.crt"` | server certification file path for TLS Server | 
@@ -543,6 +570,8 @@ The following table lists the main configurable parameters of the Falcosidekick | config.wavefront.flushintervalseconds | int | `1` | Wavefront flush interval in seconds. Defaults to 1 | | config.wavefront.metricname | string | `"falco.alert"` | Metric to be created in Wavefront. Defaults to falco.alert | | config.wavefront.minimumpriority | string | `"debug"` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.webex.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.webex.webhookurl | string | `""` | Webex WebhookURL, if not empty, Webex output is enabled | | config.webhook.address | string | `""` | Webhook address, if not empty, Webhook output is *enabled* | | config.webhook.checkcert | bool | `true` | check if ssl certificate of the output is valid | | config.webhook.customHeaders | string | `""` | a list of comma separated custom headers to add, syntax is "key:value\,key:value" | 
@@ -570,11 +599,19 @@ The following table lists the main configurable parameters of the Falcosidekick | extraVolumeMounts | list | `[]` | Extra volume mounts for sidekick deployment | | extraVolumes | list | `[]` | Extra volumes for sidekick deployment | | fullnameOverride | string | `""` | Override the name | -| image | object | `{"pullPolicy":"IfNotPresent","registry":"docker.io","repository":"falcosecurity/falcosidekick","tag":"2.29.0"}` | number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) revisionHistoryLimit: 1 | +| grafana | object | `{"dashboards":{"configMaps":{"falcosidekick":{"folder":"","name":"falcosidekick-grafana-dashboard","namespace":""}},"enabled":false}}` | grafana contains the configuration related to grafana. | +| grafana.dashboards | object | `{"configMaps":{"falcosidekick":{"folder":"","name":"falcosidekick-grafana-dashboard","namespace":""}},"enabled":false}` | dashboards contains configuration for grafana dashboards. | +| grafana.dashboards.configMaps | object | `{"falcosidekick":{"folder":"","name":"falcosidekick-grafana-dashboard","namespace":""}}` | configmaps to be deployed that contain a grafana dashboard. | +| grafana.dashboards.configMaps.falcosidekick | object | `{"folder":"","name":"falcosidekick-grafana-dashboard","namespace":""}` | falcosidekick contains the configuration for falcosidekick's dashboard. | +| grafana.dashboards.configMaps.falcosidekick.folder | string | `""` | folder where the dashboard is stored by grafana. | +| grafana.dashboards.configMaps.falcosidekick.name | string | `"falcosidekick-grafana-dashboard"` | name specifies the name for the configmap. | +| grafana.dashboards.configMaps.falcosidekick.namespace | string | `""` | namespace specifies the namespace for the configmap. | +| grafana.dashboards.enabled | bool | `false` | enabled specifies whether the dashboards should be deployed. 
| +| image | object | `{"pullPolicy":"IfNotPresent","registry":"docker.io","repository":"falcosecurity/falcosidekick","tag":"2.30.0"}` | number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) revisionHistoryLimit: 1 | | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | image.registry | string | `"docker.io"` | The image registry to pull from | | image.repository | string | `"falcosecurity/falcosidekick"` | The image repository to pull from | -| image.tag | string | `"2.29.0"` | The image tag to pull | +| image.tag | string | `"2.30.0"` | The image tag to pull | | imagePullSecrets | list | `[]` | Secrets for the registry | | ingress.annotations | object | `{}` | Ingress annotations | | ingress.enabled | bool | `false` | Whether to create the ingress | @@ -612,7 +649,7 @@ The following table lists the main configurable parameters of the Falcosidekick | replicaCount | int | `2` | number of running pods | | resources | object | `{}` | The resources for falcosdekick pods | | securityContext | object | `{}` | Sidekick container securityContext | -| service.annotations | object | `{}` | Service annotations | +| service.annotations | object | `{"prometheus.io/scrape":"true"}` | Service annotations | | service.port | int | `2801` | Service port | | service.type | string | `"ClusterIP"` | Service type | | serviceMonitor.additionalLabels | object | `{}` | specify Additional labels to be added on the Service Monitor. | 
@@ -630,6 +667,7 @@ The following table lists the main configurable parameters of the Falcosidekick | webui.enabled | bool | `false` | enable Falcosidekick-UI | | webui.existingSecret | string | `""` | Existing secret with configuration | | webui.externalRedis.enabled | bool | `false` | Enable or disable the usage of an external Redis. Is mutually exclusive with webui.redis.enabled. | +| webui.externalRedis.password | string | `""` | Set the password of the external Redis | | webui.externalRedis.port | int | `6379` | The port of the external Redis database with RediSearch > v2 | | webui.externalRedis.url | string | `""` | The URL of the external Redis database with RediSearch > v2 | | webui.image.pullPolicy | string | `"IfNotPresent"` | The web UI image pull policy | 
@@ -641,10 +679,10 @@ The following table lists the main configurable parameters of the Falcosidekick | webui.ingress.hosts | list | `[{"host":"falcosidekick-ui.local","paths":[{"path":"/"}]}]` | Web UI ingress hosts configuration | | webui.ingress.ingressClassName | string | `""` | ingress class name | | webui.ingress.tls | list | `[]` | Web UI ingress TLS configuration | -| webui.initContainer | object | `{"image":{"registry":"docker.io","repository":"busybox","tag":1.31},"resources":{},"securityContext":{}}` | Web UI wait-redis initContainer | +| webui.initContainer | object | `{"image":{"registry":"docker.io","repository":"redis/redis-stack","tag":"7.2.0-v11"},"resources":{},"securityContext":{}}` | Web UI wait-redis initContainer | | webui.initContainer.image.registry | string | `"docker.io"` | wait-redis initContainer image registry to pull from | -| webui.initContainer.image.repository | string | `"busybox"` | wait-redis initContainer image repository to pull from | -| webui.initContainer.image.tag | float | `1.31` | wait-redis initContainer image tag to pull | +| webui.initContainer.image.repository | string | `"redis/redis-stack"` | wait-redis initContainer image repository to pull from | +| webui.initContainer.image.tag | string | `"7.2.0-v11"` | wait-redis initContainer image tag to pull | | webui.initContainer.resources | object | `{}` | wait-redis initContainer resources | | webui.initContainer.securityContext | object | `{}` | wait-redis initContainer securityContext | | webui.loglevel | string | `"info"` | Log level ("debug", "info", "warning", "error") | 
@@ -655,6 +693,7 @@ The following table lists the main configurable parameters of the Falcosidekick | webui.priorityClassName | string | `""` | Name of the priority class to be used by the Web UI pods, priority class needs to be created beforehand | | webui.redis.affinity | object | `{}` | Affinity for the Web UI Redis pods | | webui.redis.customAnnotations | object | `{}` | custom annotations to add to all resources | +| webui.redis.customConfig | object | `{}` | List of Custom config overrides for Redis | | webui.redis.customLabels | object | `{}` | custom labels to add to all resources | | webui.redis.enabled | bool | `true` | Is mutually exclusive with webui.externalRedis.enabled | | webui.redis.existingSecret | string | `""` | Existing secret with configuration | diff --git a/helm/falco/charts/falcosidekick/dashboards/falcosidekick-grafana-dashboard.json b/helm/falco/charts/falcosidekick/dashboards/falcosidekick-grafana-dashboard.json new file mode 100644 index 00000000..909c188d --- /dev/null +++ b/helm/falco/charts/falcosidekick/dashboards/falcosidekick-grafana-dashboard.json 
@@ -0,0 +1,1696 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 1, + "id": 46, + "links": [], + "panels": [ + { + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 27, + "options": { + "code": { + "language": "plaintext", + "showLineNumbers": false, + "showMiniMap": false + }, + "content": "**Priority**: Debug `1` - Informationel `2` - Notice `3` - Warning `4` - Error `5` - Critical `6` - Alert `7` - Emergency `8`\n", + "mode": "markdown" + }, + "pluginVersion": "11.5.0-80207", + "title": "Help", + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 3 + }, + "id": 7, + "panels": [], + "title": "Events", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [], + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 9, + "x": 0, + "y": 4 + }, + "id": 1, + "options": { + "displayLabels": [ + "name" + ], + "legend": { + "displayMode": "table", + "placement": "bottom", + "showLegend": false + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "sum" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "11.5.0-80207", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(rule) 
(increase(falcosecurity_falcosidekick_falco_events_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{rule_name}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Rules", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [], + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 8, + "x": 9, + "y": 4 + }, + "id": 2, + "options": { + "displayLabels": [ + "name" + ], + "legend": { + "displayMode": "table", + "placement": "bottom", + "showLegend": false + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "sum" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "11.5.0-80207", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(source) (increase(falcosecurity_falcosidekick_falco_events_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": false, + "instant": false, + "legendFormat": "{{source}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Sources", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "fieldMinMax": false, + "mappings": [], + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + 
"options": "error" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "critical" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "dark-orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "notice" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "warning" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "orange", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 9, + "w": 7, + "x": 17, + "y": 4 + }, + "id": 3, + "options": { + "displayLabels": [ + "name" + ], + "legend": { + "displayMode": "table", + "placement": "bottom", + "showLegend": false + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "sum" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "11.5.0-80207", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(priority) (increase(falcosecurity_falcosidekick_falco_events_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{priority}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Priorities", + "transformations": [ + { + "id": "renameByRegex", + "options": { + "regex": "0", + "renamePattern": "default" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "1", + "renamePattern": "debug" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "2", + "renamePattern": "informational" + } + }, + { + "id": "renameByRegex", + "options": { + 
"regex": "3", + "renamePattern": "notice" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "4", + "renamePattern": "warning" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "5", + "renamePattern": "error" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "6", + "renamePattern": "critical" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "7", + "renamePattern": "alert" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "8", + "renamePattern": "emergency" + } + } + ], + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.5, + "drawStyle": "bars", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "fieldMinMax": false, + "mappings": [], + "min": 0.01, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 14, + "w": 12, + "x": 0, + "y": 13 + }, + "id": 5, + "options": { + "legend": { + "calcs": [ + "max", + "lastNotNull" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.5.0-80207", + "targets": [ + { + "datasource": { + 
"type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(priority) (increase(falcosecurity_falcosidekick_falco_events_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "by Priority over time", + "transformations": [ + { + "id": "renameByRegex", + "options": { + "regex": "0", + "renamePattern": "default" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "1", + "renamePattern": "debug" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "2", + "renamePattern": "informational" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "3", + "renamePattern": "notice" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "4", + "renamePattern": "warning" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "5", + "renamePattern": "error" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "6", + "renamePattern": "critical" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "7", + "renamePattern": "alert" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "8", + "renamePattern": "emergency" + } + } + ], + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.5, + "drawStyle": "bars", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + 
"lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "fieldMinMax": false, + "mappings": [], + "min": 0.01, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 14, + "w": 12, + "x": 12, + "y": 13 + }, + "id": 18, + "options": { + "legend": { + "calcs": [ + "max", + "lastNotNull" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.5.0-80207", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(source) (increase(falcosecurity_falcosidekick_falco_events_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "by Source over time", + "transformations": [ + { + "id": "renameByRegex", + "options": { + "regex": "0", + "renamePattern": "default" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "1", + "renamePattern": "debug" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "2", + "renamePattern": "informational" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "3", + "renamePattern": "notice" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "4", + "renamePattern": "warning" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "5", + "renamePattern": "error" + } + }, + { + "id": "renameByRegex", + 
"options": { + "regex": "6", + "renamePattern": "critical" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "7", + "renamePattern": "alert" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "8", + "renamePattern": "emergency" + } + } + ], + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.5, + "drawStyle": "bars", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "fieldMinMax": false, + "mappings": [], + "min": 0.01, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 15, + "w": 24, + "x": 0, + "y": 27 + }, + "id": 19, + "options": { + "legend": { + "calcs": [ + "max", + "lastNotNull" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true, + "sortBy": "Last *", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "11.5.0-80207", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(rule) (increase(falcosecurity_falcosidekick_falco_events_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + 
"fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "by Rule over time", + "transformations": [ + { + "id": "renameByRegex", + "options": { + "regex": "0", + "renamePattern": "default" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "1", + "renamePattern": "debug" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "2", + "renamePattern": "informational" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "3", + "renamePattern": "notice" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "4", + "renamePattern": "warning" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "5", + "renamePattern": "error" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "6", + "renamePattern": "critical" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "7", + "renamePattern": "alert" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "8", + "renamePattern": "emergency" + } + } + ], + "type": "timeseries" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 42 + }, + "id": 8, + "panels": [], + "title": "Outputs", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.5, + "drawStyle": "bars", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + 
"stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "fieldMinMax": false, + "mappings": [], + "min": 0.01, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 13, + "w": 24, + "x": 0, + "y": 43 + }, + "id": 28, + "options": { + "legend": { + "calcs": [ + "max", + "lastNotNull" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.5.0-80207", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(destination) (increase(falcosecurity_falcosidekick_outputs_total{status=~\"$status\", destination=~\"$output\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "by Output over time", + "transformations": [ + { + "id": "renameByRegex", + "options": { + "regex": "0", + "renamePattern": "default" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "1", + "renamePattern": "debug" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "2", + "renamePattern": "informational" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "3", + "renamePattern": "notice" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "4", + "renamePattern": "warning" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "5", + "renamePattern": "error" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "6", + "renamePattern": "critical" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "7", 
+ "renamePattern": "alert" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "8", + "renamePattern": "emergency" + } + } + ], + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.5, + "drawStyle": "bars", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "fieldMinMax": false, + "mappings": [], + "min": 0.01, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "error" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "ok" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "green", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 14, + "w": 9, + "x": 0, + "y": 56 + }, + "id": 29, + "options": { + "legend": { + "calcs": [ + "max", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.5.0-80207", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + 
"disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(status) (increase(falcosecurity_falcosidekick_outputs_total{status=~\"$status\", destination=~\"$output\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "by Status over time", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.5, + "drawStyle": "bars", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "percent" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "fieldMinMax": false, + "mappings": [], + "min": 0.01, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "error" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "ok" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "green", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 14, + "w": 8, + "x": 9, + "y": 56 + }, + "id": 30, + "options": { + "legend": { + "calcs": [ + "max", + "lastNotNull" + ], + "displayMode": 
"table", + "placement": "bottom", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.5.0-80207", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(status) (increase(falcosecurity_falcosidekick_outputs_total{status=~\"$status\", destination=~\"$output\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "by % Status over time", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "fieldMinMax": false, + "mappings": [], + "min": 0.01, + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "error" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "ok" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "green", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 14, + "w": 7, + "x": 17, + "y": 56 + }, + "id": 31, + "options": { + "displayLabels": [ + "name", + "value" + ], + "legend": { + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "pieType": "pie", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.5.0-80207", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + 
"editorMode": "code", + "expr": "sum by(status) (increase(falcosecurity_falcosidekick_outputs_total{status=~\"$status\", destination=~\"$output\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "by Status", + "type": "piechart" + } + ], + "preload": false, + "refresh": "", + "schemaVersion": 40, + "tags": [], + "templating": { + "list": [ + { + "allowCustomValue": true, + "current": { + "text": "grafanacloud-issif-prom", + "value": "grafanacloud-prom" + }, + "name": "datasource", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "type": "datasource" + }, + { + "allowCustomValue": true, + "current": { + "text": "All", + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(falcosecurity_falcosidekick_falco_events_total,namespace)", + "includeAll": true, + "multi": true, + "name": "namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(falcosecurity_falcosidekick_falco_events_total,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "type": "query" + }, + { + "allowCustomValue": true, + "current": { + "text": "All", + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(falcosecurity_falcosidekick_falco_events_total{namespace=~\"$namespace\"},pod)", + "includeAll": true, + "multi": true, + "name": "pod", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(falcosecurity_falcosidekick_falco_events_total{namespace=~\"$namespace\"},pod)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "type": "query" + }, + { + "allowCustomValue": true, + "current": { + "text": "All", + 
"value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(falcosecurity_falcosidekick_falco_events_total{namespace=~\"$namespace\", pod=~\"$pod\"},source)", + "includeAll": true, + "label": "source", + "multi": true, + "name": "source", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(falcosecurity_falcosidekick_falco_events_total{namespace=~\"$namespace\", pod=~\"$pod\"},source)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "sort": 1, + "type": "query" + }, + { + "allowCustomValue": true, + "current": { + "text": "All", + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(falcosecurity_falcosidekick_falco_events_total{namespace=~\"$namespace\", source=~\"$source\"},priority)", + "includeAll": true, + "label": "priority", + "multi": true, + "name": "priority", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(falcosecurity_falcosidekick_falco_events_total{namespace=~\"$namespace\", source=~\"$source\"},priority)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "sort": 4, + "type": "query" + }, + { + "allowCustomValue": true, + "current": { + "text": "All", + "value": [ + "$__all" + ] + }, + "definition": "label_values(falcosecurity_falcosidekick_outputs_total,status)", + "includeAll": true, + "label": "output status", + "multi": true, + "name": "status", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(falcosecurity_falcosidekick_outputs_total,status)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "type": "query" + }, + { + "allowCustomValue": true, + "current": { + "text": "All", + "value": [ + "$__all" + ] + }, + "definition": 
"label_values(falcosecurity_falcosidekick_outputs_total{status=~\"$status\"},destination)", + "includeAll": true, + "multi": true, + "name": "output", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(falcosecurity_falcosidekick_outputs_total{status=~\"$status\"},destination)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "type": "query" + } + ] + }, + "time": { + "from": "now-24h", + "to": "now" + }, + "timepicker": {}, + "timezone": "browser", + "title": "Falcosidekick", + "uid": "ee5tmd33lk3k0a", + "version": 14, + "weekStart": "" +} \ No newline at end of file diff --git a/helm/falco/charts/falcosidekick/dashboards/falcosidekick-loki-dashboard.json b/helm/falco/charts/falcosidekick/dashboards/falcosidekick-loki-dashboard.json new file mode 100644 index 00000000..0f6e5002 --- /dev/null +++ b/helm/falco/charts/falcosidekick/dashboards/falcosidekick-loki-dashboard.json 
@@ -0,0 +1,640 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "links": [], + "panels": [ + { + "datasource": { + "default": false, + "type": "loki", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [] + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 1, + "options": { + "legend": { + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "pieType": "pie", + "reduceOptions": { + "calcs": [ + "sum" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "count by(priority) (rate({priority=~\".+\"} | logfmt | k8s_ns =~ `$namespace` [$__auto]))", + "legendFormat": "{{priority}}", + "queryType": "range", + "refId": "A" + } + ], + "title": "Priority counts", + "type": "piechart" + }, + { + "datasource": { + "default": false, + "type": "loki", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [] + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 2, + "options": { + "displayLabels": [ + "value", + "percent" + ], + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true, + "values": [] + }, + "pieType": "pie", 
+ "reduceOptions": { + "calcs": [ + "sum" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "count by(rule) (rate({priority=~\".+\", rule!=\"Falco internal: metrics snapshot\"} | logfmt | k8s_ns =~ `$namespace` [$__auto]))", + "legendFormat": "{{priority}}", + "queryType": "range", + "refId": "A" + } + ], + "title": "Rules counts", + "type": "piechart" + }, + { + "datasource": { + "default": false, + "type": "loki", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "left", + "cellOptions": { + "type": "auto", + "wrapText": false + }, + "filterable": true, + "inspect": false + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Value #A" + }, + "properties": [ + { + "id": "displayName", + "value": "Number of Messages" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Time" + }, + "properties": [ + { + "id": "custom.hidden", + "value": true + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "k8s_ns" + }, + "properties": [ + { + "id": "custom.width", + "value": 96 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "priority" + }, + "properties": [ + { + "id": "custom.width", + "value": 91 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "rule" + }, + "properties": [ + { + "id": "custom.width", + "value": 450 + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 24, + "x": 0, + "y": 8 + }, + "id": 5, + "options": { + "cellHeight": "sm", + "footer": { + "countRows": false, + "enablePagination": false, + "fields": "", + "reducer": [ + "last" + ], + "show": 
false + }, + "showHeader": true, + "sortBy": [] + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${datasource}" + }, + "editorMode": "builder", + "expr": "count by(k8s_pod_name, rule, priority, k8s_ns) (rate({priority=~\".+\"} | logfmt | k8s_ns =~ `$namespace` [$__auto]))", + "legendFormat": "", + "queryType": "instant", + "refId": "A" + } + ], + "transformations": [ + { + "id": "sortBy", + "options": { + "fields": {}, + "sort": [ + { + "desc": true, + "field": "Value #A" + } + ] + } + } + ], + "type": "table" + }, + { + "datasource": { + "default": false, + "type": "loki", + "uid": "${datasource}" + }, + "gridPos": { + "h": 7, + "w": 24, + "x": 0, + "y": 16 + }, + "id": 6, + "options": { + "dedupStrategy": "none", + "enableLogDetails": true, + "prettifyLogMessage": false, + "showCommonLabels": false, + "showLabels": false, + "showTime": false, + "sortOrder": "Descending", + "wrapLogMessage": false + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${datasource}" + }, + "direction": "backward", + "editorMode": "builder", + "expr": "{priority=~\".+\"} | logfmt | k8s_ns =~ `$namespace`", + "queryType": "range", + "refId": "A" + } + ], + "title": "Realtime logs", + "type": "logs" + }, + { + "datasource": { + "default": false, + "type": "loki", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "stepBefore", + "lineStyle": { + "fill": "solid" + }, + "lineWidth": 1, + "pointSize": 4, + "scaleDistribution": { + "type": "linear" + }, + 
"showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "fieldMinMax": false, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 23 + }, + "id": 7, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "loki" + }, + "editorMode": "builder", + "expr": "count by(priority) (rate({priority=~\".+\"} | logfmt | k8s_ns =~ `$namespace` [1m]))", + "legendFormat": "{{priority}}", + "queryType": "range", + "refId": "A" + } + ], + "title": "Priorities Rates", + "type": "timeseries" + }, + { + "datasource": { + "default": false, + "type": "loki", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "stepBefore", + "lineStyle": { + "fill": "solid" + }, + "lineWidth": 1, + "pointSize": 4, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "fieldMinMax": false, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": 
"red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 23 + }, + "id": 8, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "loki" + }, + "editorMode": "builder", + "expr": "count by(rule) (rate({priority=~\".+\"} | logfmt | k8s_ns =~ `$namespace` [1m]))", + "legendFormat": "{{priority}}", + "queryType": "range", + "refId": "A" + } + ], + "title": "Rules Rates", + "type": "timeseries" + } + ], + "refresh": "auto", + "schemaVersion": 39, + "tags": [], + "templating": { + "list": [ + { + "allValue": "", + "current": { + "selected": true, + "text": [ + "arr", + "core", + "falco", + "kube-system", + "media", + "monitoring", + "storage", + "utilities", + "webs" + ], + "value": [ + "arr", + "core", + "falco", + "kube-system", + "media", + "monitoring", + "storage", + "utilities", + "webs" + ] + }, + "datasource": { + "type": "loki", + "uid": "${datasource}" + }, + "definition": "", + "description": "", + "hide": 0, + "includeAll": false, + "label": "namespace", + "multi": true, + "name": "namespace", + "options": [], + "query": { + "label": "namespace", + "refId": "LokiVariableQueryEditor-VariableQuery", + "stream": "", + "type": 1 + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": { + "selected": true, + "text": "Loki", + "value": "loki" + }, + "hide": 0, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "datasource", + "options": [], + "query": "loki", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + } + ] + }, + "time": { + "from": "now-30m", + "to": "now" + }, + "timepicker": {}, + "timezone": "browser", + "title": "Falco logs", + "uid": "de6ixj4nl1kowc", + 
"version": 3, + "weekStart": "" +}
\ No newline at end of file
diff --git a/helm/falco/charts/falcosidekick/templates/configmap-grafana-dashboard.yaml b/helm/falco/charts/falcosidekick/templates/configmap-grafana-dashboard.yaml
new file mode 100644
index 00000000..99e32a22
--- /dev/null
+++ b/helm/falco/charts/falcosidekick/templates/configmap-grafana-dashboard.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.grafana.dashboards.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.grafana.dashboards.configMaps.falcosidekick.name }}
+ {{ if .Values.grafana.dashboards.configMaps.falcosidekick.namespace }}
+ namespace: {{ .Values.grafana.dashboards.configMaps.falcosidekick.namespace }}
+ {{- else -}}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ {{- include "falcosidekick.labels" . | nindent 4 }}
+ grafana_dashboard: "1"
+ {{- with .Values.customLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ annotations:
+ {{- if .Values.grafana.dashboards.configMaps.falcosidekick.folder }}
+ k8s-sidecar-target-directory: /tmp/dashboards/{{ .Values.grafana.dashboards.configMaps.falcosidekick.folder}}
+ grafana_dashboard_folder: {{ .Values.grafana.dashboards.configMaps.falcosidekick.folder }}
+ {{- end }}
+ {{- with .Values.customAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+data:
+ falco-dashboard.json: |-
+ {{- .Files.Get "dashboards/falcosidekick-grafana-dashboard.json" | nindent 4 }}
+ {{- end -}}
diff --git a/helm/falco/charts/falcosidekick/templates/configmap-ui.yaml b/helm/falco/charts/falcosidekick/templates/configmap-ui.yaml
new file mode 100644
index 00000000..72d84840
--- /dev/null
+++ b/helm/falco/charts/falcosidekick/templates/configmap-ui.yaml
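Review bot: In templates/configmap-grafana-dashboard.yaml the `folder` value is written unquoted into both annotations, so a folder name that YAML reads as a number or boolean (constructed examples: `2025`, `true`) renders a non-string annotation value, which the API server rejects. Piping it through `quote` keeps it a string, `grafana_dashboard_folder: {{ .Values.grafana.dashboards.configMaps.falcosidekick.folder | quote }}`, and the `k8s-sidecar-target-directory` value should be quoted as a whole in the same way. The same value is concatenated into a path under `/tmp/dashboards/`, so the values documentation should state that it is expected to be a plain directory name without path separators or `..`.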
@@ -0,0 +1,46 @@
+{{- if and (.Values.webui.enabled) (.Values.webui.redis.enabled) -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "falcosidekick.fullname" . }}-ui-redis
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "falcosidekick.labels" . | nindent 4 }}
+ app.kubernetes.io/component: ui-redis
+data:
+ {{- if .Values.webui.redis.customConfig }}
+ redis-stack.conf: |-
+ {{ range .Values.webui.redis.customConfig }}
+ {{- . }}
+ {{ end -}}
+ {{- end }}
+ ping-redis.sh: |-
+ #!/bin/bash
+ for i in {1..10};
+ do
+ response=$(
+ timeout -s 3 30 \
+ redis-cli \
+ {{- if .Values.webui.redis.enabled }}
+ -h {{ include "falcosidekick.fullname" . }}-ui-redis -p 6379 \
+ {{- if .Values.webui.redis.password }}
+ -a ${REDIS_PASSWORD} \
+ {{- end }}
+ {{- end }}
+ {{- if .Values.webui.externalRedis.enabled }}
+ -h {{ .Values.webui.externalRedis.url }} \
+ -p {{ .Values.webui.externalRedis.port }} \
+ {{- if .Values.webui.externalRedis.password }}
+ -a ${REDIS_PASSWORD} \
+ {{- end }}
+ {{- end }}
+ ping
+ )
+ if [ "$response" = "PONG" ]; then
+ exit 0
+ fi
+ sleep 3
+ done
+ exit 1
+{{- end }}
diff --git a/helm/falco/charts/falcosidekick/templates/deployment-ui.yaml b/helm/falco/charts/falcosidekick/templates/deployment-ui.yaml
index 705e823c..2ffccbc2 100644
--- a/helm/falco/charts/falcosidekick/templates/deployment-ui.yaml
+++ b/helm/falco/charts/falcosidekick/templates/deployment-ui.yaml
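Review bot: In `ping-redis.sh` the password is expanded unquoted onto the redis-cli command line (`-a ${REDIS_PASSWORD} \`, in both branches), so a value containing whitespace or glob characters is word-split and the secret shows up in the process arguments. redis-cli also reads the password from the `REDISCLI_AUTH` environment variable, so adding `export REDISCLI_AUTH="${REDIS_PASSWORD}"` before the loop and dropping the two `-a` lines would avoid both problems. Separately, the `webui.redis.enabled` and `webui.externalRedis.enabled` blocks are not mutually exclusive, so with both set redis-cli receives two `-h`/`-p` pairs; turning the second `{{- if ... }}` into an `{{- else if ... }}` would make the target unambiguous.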
@@ -59,11 +59,10 @@ spec: initContainers: - name: wait-redis image: "{{ .Values.webui.initContainer.image.registry }}/{{ .Values.webui.initContainer.image.repository }}:{{ .Values.webui.initContainer.image.tag }}" - {{- if .Values.webui.redis.enabled }} - command: ['sh', '-c', 'echo -e "Checking for the availability of the Redis Server"; while ! nc -z {{ include "falcosidekick.fullname" . }}-ui-redis 6379; do sleep 1; done; echo -e "Redis Server has started";'] - {{- else if .Values.webui.externalRedis.enabled }} - command: ['sh', '-c', 'echo -e "Checking for the availability of the Redis Server"; while ! nc -z {{ required "External Redis is enabled. Please set the URL to the database." .Values.webui.externalRedis.url }} {{ .Values.webui.externalRedis.port | default "6379" }}; do sleep 1; done; echo -e "Redis Server has started";'] - {{- end}} + command: + - sh + - -c + - /scripts/ping-redis.sh {{- if .Values.webui.initContainer.resources }} resources: {{- toYaml .Values.webui.initContainer.resources | nindent 12 }} @@ -72,6 +71,17 @@ spec: securityContext: {{- toYaml .Values.webui.initContainer.securityContext | nindent 12}} {{- end }} + volumeMounts: + - name: scripts + mountPath: /scripts/ping-redis.sh + subPath: ping-redis.sh + envFrom: + - secretRef: + name: {{ include "falcosidekick.fullname" . }}-ui + {{- if .Values.webui.existingSecret }} + - secretRef: + name: {{ .Values.webui.existingSecret }} + {{- end }} containers: - name: {{ .Chart.Name }}-ui image: "{{ .Values.webui.image.registry }}/{{ .Values.webui.image.repository }}:{{ .Values.webui.image.tag }}" @@ -138,6 +148,14 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + volumes: + - name: scripts + configMap: + name: {{ include "falcosidekick.fullname" . }}-ui-redis + defaultMode: 0555 + items: + - key: ping-redis.sh + path: ping-redis.sh {{- if .Values.webui.redis.enabled }} --- apiVersion: apps/v1 
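Review bot: The `scripts` volume added in the third hunk mounts ConfigMap `{{ include "falcosidekick.fullname" . }}-ui-redis` unconditionally, but configmap-ui.yaml in this commit renders that ConfigMap only when `webui.redis.enabled` is true. A release that sets only `webui.externalRedis.enabled` would therefore reference a ConfigMap that is never created, and the `wait-redis` init container in the first hunk could not start. The removed command also wrapped `.Values.webui.externalRedis.url` in `required "External Redis is enabled. Please set the URL to the database."`, and nothing on the new path validates the URL any more. Gating the ConfigMap on `or .Values.webui.redis.enabled .Values.webui.externalRedis.enabled` and keeping the `required` call inside the script template would restore both behaviours. The `envFrom` entry for Secret `...-ui` in the second hunk is also unconditional; whether that Secret always exists depends on template lines outside this diff.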
@@ -220,11 +238,18 @@ spec: securityContext: {{- toYaml .Values.webui.redis.securityContext | nindent 12 }} {{- end }} - {{- if .Values.webui.redis.storageEnabled }} + {{- if or (.Values.webui.redis.storageEnabled) (.Values.webui.redis.customConfig) }} volumeMounts: + {{- if .Values.webui.redis.storageEnabled }} - name: {{ include "falcosidekick.fullname" . }}-ui-redis-data mountPath: /data {{- end }} + {{- if .Values.webui.redis.customConfig }} + - name: config + mountPath: /redis-stack.conf + subPath: redis-stack.conf + {{- end }} + {{- end }} resources: {{- toYaml .Values.webui.redis.resources | nindent 12 }} {{- with .Values.webui.redis.nodeSelector }} @@ -239,6 +264,16 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + {{ if .Values.webui.redis.customConfig }} + volumes: + - name: config + configMap: + name: {{ include "falcosidekick.fullname" . }}-ui-redis + defaultMode: 0444 + items: + - key: redis-stack.conf + path: redis-stack.conf + {{ end }} {{- if .Values.webui.redis.storageEnabled }} volumeClaimTemplates: - metadata: diff --git a/helm/falco/charts/falcosidekick/templates/falcosidekick-loki-dashboard-grafana.yaml b/helm/falco/charts/falcosidekick/templates/falcosidekick-loki-dashboard-grafana.yaml new file mode 100644 index 00000000..4db81c57 --- /dev/null +++ b/helm/falco/charts/falcosidekick/templates/falcosidekick-loki-dashboard-grafana.yaml 
@@ -0,0 +1,22 @@ +{{- if .Values.config.loki.grafanaDashboard.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.config.loki.grafanaDashboard.configMap.name }} + {{ if .Values.config.loki.grafanaDashboard.configMap.namespace }} + namespace: {{ .Values.config.loki.grafanaDashboard.configMap.namespace }} + {{- else -}} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + grafana_dashboard: "1" + {{- if .Values.config.loki.grafanaDashboard.configMap.folder }} + annotations: + k8s-sidecar-target-directory: /tmp/dashboards/{{ .Values.config.loki.grafanaDashboard.configMap.folder}} + grafana_dashboard_folder: {{ .Values.config.loki.grafanaDashboard.configMap.folder }} + {{- end }} +data: + falcosidekick-loki-dashboard.json: |- + {{- .Files.Get "dashboards/falcosidekick-loki-dashboard.json" | nindent 4 }} + {{- end -}} diff --git a/helm/falco/charts/falcosidekick/templates/prometheusrule.yaml b/helm/falco/charts/falcosidekick/templates/prometheusrule.yaml index 6afe287a..d2ea41ee 100644 --- a/helm/falco/charts/falcosidekick/templates/prometheusrule.yaml +++ b/helm/falco/charts/falcosidekick/templates/prometheusrule.yaml @@ -38,7 +38,7 @@ spec: annotations: summary: Falco is experiencing high rate of warning events description: A high rate of warning events are being detected by Falco - expr: rate(falco_events{priority="4"}[{{ .Values.prometheusRules.alerts.warning.rate_interval }}]) > {{ .Values.prometheusRules.alerts.warning.threshold }} + expr: rate(falcosecurity_falcosidekick_falco_events_total{priority_raw="warning"}[{{ .Values.prometheusRules.alerts.warning.rate_interval }}]) > {{ .Values.prometheusRules.alerts.warning.threshold }} for: 15m labels: severity: warning 
@@ -48,7 +48,7 @@ spec: annotations: summary: Falco is experiencing high rate of error events description: A high rate of error events are being detected by Falco - expr: rate(falco_events{priority="3"}[{{ .Values.prometheusRules.alerts.error.rate_interval }}]) > {{ .Values.prometheusRules.alerts.error.threshold }} + expr: rate(falcosecurity_falcosidekick_falco_events_total{priority_raw="error"}[{{ .Values.prometheusRules.alerts.error.rate_interval }}]) > {{ .Values.prometheusRules.alerts.error.threshold }} for: 15m labels: severity: warning @@ -58,7 +58,7 @@ spec: annotations: summary: Falco is experiencing high rate of critical events description: A high rate of critical events are being detected by Falco - expr: rate(falco_events{priority="2"}[{{ .Values.prometheusRules.alerts.critical.rate_interval }}]) > {{ .Values.prometheusRules.alerts.critical.threshold }} + expr: rate(falcosecurity_falcosidekick_falco_events_total{priority_raw="critical"}[{{ .Values.prometheusRules.alerts.critical.rate_interval }}]) > {{ .Values.prometheusRules.alerts.critical.threshold }} for: 15m labels: severity: critical @@ -68,7 +68,7 @@ spec: annotations: summary: Falco is experiencing high rate of alert events description: A high rate of alert events are being detected by Falco - expr: rate(falco_events{priority="1"}[{{ .Values.prometheusRules.alerts.alert.rate_interval }}]) > {{ .Values.prometheusRules.alerts.alert.threshold }} + expr: rate(falcosecurity_falcosidekick_falco_events_total{priority_raw="alert"}[{{ .Values.prometheusRules.alerts.alert.rate_interval }}]) > {{ .Values.prometheusRules.alerts.alert.threshold }} for: 5m labels: severity: critical 
@@ -78,7 +78,7 @@ spec: annotations: summary: Falco is experiencing high rate of emergency events description: A high rate of emergency events are being detected by Falco - expr: rate(falco_events{priority="0"}[{{ .Values.prometheusRules.alerts.emergency.rate_interval }}]) > {{ .Values.prometheusRules.alerts.emergency.threshold }} + expr: rate(falcosecurity_falcosidekick_falco_events_total{priority_raw="emergency"}[{{ .Values.prometheusRules.alerts.emergency.rate_interval }}]) > {{ .Values.prometheusRules.alerts.emergency.threshold }} for: 1m labels: severity: critical @@ -88,7 +88,7 @@ spec: annotations: summary: Falcosidekick is experiencing high rate of errors for an output description: A high rate of errors are being detecting for an output - expr: sum by (destination) (rate(falcosidekick_outputs{status="error"}[{{ .Values.prometheusRules.alerts.output.rate_interval }}])) > {{ .Values.prometheusRules.alerts.output.threshold }} + expr: sum by (destination) (rate(falcosecurity_falcosidekick_outputs_total{status="error"}[{{ .Values.prometheusRules.alerts.output.rate_interval }}])) > {{ .Values.prometheusRules.alerts.output.threshold }} for: 1m labels: severity: warning diff --git a/helm/falco/charts/falcosidekick/templates/secrets-ui.yaml b/helm/falco/charts/falcosidekick/templates/secrets-ui.yaml index b995745b..f201e411 100644 --- a/helm/falco/charts/falcosidekick/templates/secrets-ui.yaml +++ b/helm/falco/charts/falcosidekick/templates/secrets-ui.yaml @@ -23,7 +23,6 @@ data: {{- if .Values.webui.redis.password }} FALCOSIDEKICK_UI_REDIS_PASSWORD: "{{ .Values.webui.redis.password | b64enc}}" {{- end }} -{{- end }} {{- if eq .Values.webui.redis.existingSecret "" }} --- apiVersion: v1 
@@ -43,7 +42,12 @@ metadata: {{- end }} type: Opaque data: - {{- if .Values.webui.redis.password }} + {{- if and .Values.webui.redis.enabled .Values.webui.redis.password }} REDIS_ARGS: "{{ printf "--requirepass %s" .Values.webui.redis.password | b64enc}}" + REDIS_PASSWORD: "{{ .Values.webui.redis.password | b64enc }}" + {{- end }} + {{- if and .Values.webui.externalRedis.password .Values.webui.externalRedis.password }} + REDIS_PASSWORD: "{{ .Values.webui.externalRedis.password| b64enc }}" {{- end }} -{{- end }} \ No newline at end of file +{{- end }} +{{- end }} diff --git a/helm/falco/charts/falcosidekick/templates/secrets.yaml b/helm/falco/charts/falcosidekick/templates/secrets.yaml index 13c211f7..b82d1f32 100644 --- a/helm/falco/charts/falcosidekick/templates/secrets.yaml +++ b/helm/falco/charts/falcosidekick/templates/secrets.yaml @@ -54,11 +54,17 @@ data: TEAMS_ACTIVITYIMAGE: "{{ .Values.config.teams.activityimage | b64enc }}" TEAMS_MINIMUMPRIORITY: "{{ .Values.config.teams.minimumpriority | b64enc }}" - # Datadog Output + # Datadog (Events) Output DATADOG_APIKEY: "{{ .Values.config.datadog.apikey | b64enc }}" DATADOG_HOST: "{{ .Values.config.datadog.host | b64enc }}" DATADOG_MINIMUMPRIORITY: "{{ .Values.config.datadog.minimumpriority | b64enc }}" + # Datadog Logs Output + DATADOGLOGS_APIKEY: "{{ .Values.config.datadoglogs.apikey | b64enc }}" + DATADOGLOGS_HOST: "{{ .Values.config.datadoglogs.host | b64enc }}" + DATADOGLOGS_SERVICE: "{{ .Values.config.datadoglogs.service | b64enc }}" + DATADOGLOGS_MINIMUMPRIORITY: "{{ .Values.config.datadoglogs.minimumpriority | b64enc }}" + # AlertManager Output ALERTMANAGER_HOSTPORT: "{{ .Values.config.alertmanager.hostport | b64enc }}" ALERTMANAGER_ENDPOINT: "{{ .Values.config.alertmanager.endpoint | b64enc }}" 
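Review bot: The new guard `{{- if and .Values.webui.externalRedis.password .Values.webui.externalRedis.password }}` tests the same value twice; by analogy with the `redis.enabled` check a few lines above it was presumably meant to be `and .Values.webui.externalRedis.enabled .Values.webui.externalRedis.password`. As written, setting both `webui.redis.password` and `webui.externalRedis.password` renders two `REDIS_PASSWORD` keys in the same `data` map, and which one the API server keeps depends on the YAML parser. The hunk also adds a second `{{- end }}` at the end of the file to match the one removed in the previous hunk, which nests this Secret inside the earlier conditional; that conditional is outside the visible lines, so it is worth confirming this Secret is still rendered when the outer one is skipped.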
@@ -179,17 +185,24 @@ data: ELASTICSEARCH_HOSTPORT: "{{ .Values.config.elasticsearch.hostport | b64enc }}" ELASTICSEARCH_INDEX: "{{ .Values.config.elasticsearch.index | b64enc }}" ELASTICSEARCH_TYPE: "{{ .Values.config.elasticsearch.type | b64enc }}" + ELASTICSEARCH_PIPELINE: "{{ .Values.config.elasticsearch.pipeline | b64enc }}" ELASTICSEARCH_SUFFIX: "{{ .Values.config.elasticsearch.suffix | b64enc }}" - ELASTICSEARCH_MINIMUMPRIORITY: "{{ .Values.config.elasticsearch.minimumpriority | b64enc }}" - ELASTICSEARCH_MUTUALTLS: "{{ .Values.config.elasticsearch.mutualtls | printf "%t" | b64enc }}" - ELASTICSEARCH_CHECKCERT: "{{ .Values.config.elasticsearch.checkcert | printf "%t" | b64enc }}" + ELASTICSEARCH_APIKEY: "{{ .Values.config.elasticsearch.apikey | b64enc }}" ELASTICSEARCH_USERNAME: "{{ .Values.config.elasticsearch.username | b64enc }}" ELASTICSEARCH_PASSWORD: "{{ .Values.config.elasticsearch.password | b64enc }}" ELASTICSEARCH_FLATTENFIELDS: "{{ .Values.config.elasticsearch.flattenfields | printf "%t" | b64enc }}" ELASTICSEARCH_CREATEINDEXTEMPLATE: "{{ .Values.config.elasticsearch.createindextemplate | printf "%t" | b64enc }}" + ELASTICSEARCH_ENABLECOMPRESSION: "{{ .Values.config.elasticsearch.enablecompression | printf "%t" | b64enc }}" + ELASTICSEARCH_MAXCONCURRENTREQUESTS: "{{ .Values.config.elasticsearch.maxconcurrentrequests | toString | b64enc }}" + ELASTICSEARCH_BATCHING_ENABLED: "{{ .Values.config.elasticsearch.batching.enabled | printf "%t" | b64enc }}" + ELASTICSEARCH_BATCHING_BATCHSIZE: "{{ .Values.config.elasticsearch.batching.batchsize | b64enc }}" + ELASTICSEARCH_BATCHING_FLUSHINTERVAL: "{{ .Values.config.elasticsearch.batching.flushinterval | b64enc }}" ELASTICSEARCH_NUMBEROFSHARDS: "{{ .Values.config.elasticsearch.numberofshards | toString | b64enc }}" ELASTICSEARCH_NUMBEROFREPLICAS: "{{ .Values.config.elasticsearch.numberofreplicas | toString | b64enc }}" ELASTICSEARCH_CUSTOMHEADERS: "{{ .Values.config.elasticsearch.customheaders | b64enc }}" + 
ELASTICSEARCH_MUTUALTLS: "{{ .Values.config.elasticsearch.mutualtls | printf "%t" | b64enc }}" + ELASTICSEARCH_CHECKCERT: "{{ .Values.config.elasticsearch.checkcert | printf "%t" | b64enc }}" + ELASTICSEARCH_MINIMUMPRIORITY: "{{ .Values.config.elasticsearch.minimumpriority | b64enc }}" # Loki Output LOKI_HOSTPORT: "{{ .Values.config.loki.hostport | b64enc }}" @@ -220,11 +233,11 @@ data: STAN_MUTUALTLS: "{{ .Values.config.stan.mutualtls | printf "%t" | b64enc }}" STAN_CHECKCERT: "{{ .Values.config.stan.checkcert | printf "%t" | b64enc }}" - # Statsd + # Statsd Output STATSD_FORWARDER: "{{ .Values.config.statsd.forwarder | b64enc }}" STATSD_NAMESPACE: "{{ .Values.config.statsd.namespace | b64enc }}" - # Dogstatsd + # Dogstatsd Output DOGSTATSD_FORWARDER: "{{ .Values.config.dogstatsd.forwarder | b64enc }}" DOGSTATSD_NAMESPACE: "{{ .Values.config.dogstatsd.namespace | b64enc }}" DOGSTATSD_TAGS: "{{ .Values.config.dogstatsd.tags | b64enc }}" @@ -270,7 +283,7 @@ data: KUBELESS_MUTUALTLS: "{{ .Values.config.kubeless.mutualtls | printf "%t" | b64enc }}" KUBELESS_CHECKCERT: "{{ .Values.config.kubeless.checkcert | printf "%t" | b64enc }}" - # OpenFaaS + # OpenFaaS Output OPENFAAS_GATEWAYNAMESPACE: "{{ .Values.config.openfaas.gatewaynamespace | b64enc }}" OPENFAAS_GATEWAYSERVICE: "{{ .Values.config.openfaas.gatewayservice | b64enc }}" OPENFAAS_FUNCTIONNAME: "{{ .Values.config.openfaas.functionname | b64enc }}" 
@@ -346,14 +359,14 @@ data: KAFKAREST_MUTUALTLS: "{{ .Values.config.kafkarest.mutualtls | printf "%t" | b64enc}}" KAFKAREST_CHECKCERT: "{{ .Values.config.kafkarest.checkcert | printf "%t" | b64enc}}" - # Syslog + # Syslog Output SYSLOG_HOST: "{{ .Values.config.syslog.host | b64enc}}" SYSLOG_PORT: "{{ .Values.config.syslog.port | toString | b64enc}}" SYSLOG_PROTOCOL: "{{ .Values.config.syslog.protocol | b64enc}}" SYSLOG_FORMAT: "{{ .Values.config.syslog.format | b64enc}}" SYSLOG_MINIMUMPRIORITY: "{{ .Values.config.syslog.minimumpriority | b64enc}}" - # Zoho Cliq + # Zoho Cliq Output CLIQ_WEBHOOKURL: "{{ .Values.config.cliq.webhookurl | b64enc}}" CLIQ_ICON: "{{ .Values.config.cliq.icon | b64enc}}" CLIQ_USEEMOJI: "{{ .Values.config.cliq.useemoji | printf "%t" | b64enc}}" @@ -361,14 +374,14 @@ data: CLIQ_MESSAGEFORMAT: "{{ .Values.config.cliq.messageformat | b64enc}}" CLIQ_MINIMUMPRIORITY: "{{ .Values.config.cliq.minimumpriority | b64enc}}" - # Policy Reporter + # Policy Reporter Output POLICYREPORT_ENABLED: "{{ .Values.config.policyreport.enabled | printf "%t"| b64enc}}" POLICYREPORT_KUBECONFIG: "{{ .Values.config.policyreport.kubeconfig | b64enc}}" POLICYREPORT_MAXEVENTS: "{{ .Values.config.policyreport.maxevents | toString | b64enc}}" POLICYREPORT_PRUNEBYPRIORITY: "{{ .Values.config.policyreport.prunebypriority | printf "%t" | b64enc}}" POLICYREPORT_MINIMUMPRIORITY: "{{ .Values.config.policyreport.minimumpriority | b64enc}}" - # Node Red + # Node Red Output NODERED_ADDRESS: "{{ .Values.config.nodered.address | b64enc}}" NODERED_USER: "{{ .Values.config.nodered.user | b64enc}}" NODERED_PASSWORD: "{{ .Values.config.nodered.password | b64enc}}" 
@@ -376,7 +389,7 @@ data: NODERED_CHECKCERT: "{{ .Values.config.nodered.checkcert | printf "%t" | b64enc}}" NODERED_MINIMUMPRIORITY: "{{ .Values.config.nodered.minimumpriority | b64enc}}" - # MQTT + # MQTT Output MQTT_BROKER: "{{ .Values.config.mqtt.broker | b64enc}}" MQTT_TOPIC: "{{ .Values.config.mqtt.topic | b64enc}}" MQTT_QOS: "{{ .Values.config.mqtt.qos | toString | b64enc}}" @@ -386,7 +399,7 @@ data: MQTT_CHECKCERT: "{{ .Values.config.mqtt.checkcert | printf "%t" | b64enc}}" MQTT_MINIMUMPRIORITY: "{{ .Values.config.mqtt.minimumpriority | b64enc}}" - # Zincsearch + # Zincsearch Output ZINCSEARCH_HOSTPORT: "{{ .Values.config.zincsearch.hostport | b64enc}}" ZINCSEARCH_INDEX: "{{ .Values.config.zincsearch.index | b64enc}}" ZINCSEARCH_USERNAME: "{{ .Values.config.zincsearch.username | b64enc}}" @@ -394,19 +407,19 @@ data: ZINCSEARCH_CHECKCERT: "{{ .Values.config.zincsearch.checkcert | printf "%t" | b64enc}}" ZINCSEARCH_MINIMUMPRIORITY: "{{ .Values.config.zincsearch.minimumpriority | b64enc}}" - # Gotify + # Gotify Output GOTIFY_HOSTPORT: "{{ .Values.config.gotify.hostport | b64enc}}" GOTIFY_TOKEN: "{{ .Values.config.gotify.token | b64enc}}" GOTIFY_FORMAT: "{{ .Values.config.gotify.format | b64enc}}" GOTIFY_CHECKCERT: "{{ .Values.config.gotify.checkcert | printf "%t" | b64enc}}" GOTIFY_MINIMUMPRIORITY: "{{ .Values.config.gotify.minimumpriority | b64enc}}" - # Tekton + # Tekton Output TEKTON_EVENTLISTENER: "{{ .Values.config.tekton.eventlistener | b64enc}}" TEKTON_CHECKCERT: "{{ .Values.config.tekton.checkcert | printf "%t" | b64enc}}" TEKTON_MINIMUMPRIORITY: "{{ .Values.config.tekton.minimumpriority | b64enc}}" - # Spyderbat + # Spyderbat Output SPYDERBAT_ORGUID: "{{ .Values.config.spyderbat.orguid | b64enc}}" SPYDERBAT_APIKEY: "{{ .Values.config.spyderbat.apikey | b64enc}}" SPYDERBAT_APIURL: "{{ .Values.config.spyderbat.apiurl | b64enc}}" 
@@ -414,7 +427,7 @@ data: SPYDERBAT_SOURCEDESCRIPTION: "{{ .Values.config.spyderbat.sourcedescription | b64enc}}" SPYDERBAT_MINIMUMPRIORITY: "{{ .Values.config.spyderbat.minimumpriority | b64enc}}" - # TimescaleDB + # TimescaleDB Output TIMESCALEDB_HOST: "{{ .Values.config.timescaledb.host | b64enc}}" TIMESCALEDB_PORT: "{{ .Values.config.timescaledb.port | toString | b64enc}}" TIMESCALEDB_USER: "{{ .Values.config.timescaledb.user | b64enc}}" @@ -434,6 +447,7 @@ data: # TELEGRAM Output TELEGRAM_TOKEN: "{{ .Values.config.telegram.token | b64enc}}" TELEGRAM_CHATID: "{{ .Values.config.telegram.chatid | b64enc}}" + TELEGRAM_MESSAGE_THREAD_ID: "{{ .Values.config.telegram.messagethreadid | b64enc}}" TELEGRAM_MINIMUMPRIORITY: "{{ .Values.config.telegram.minimumpriority | b64enc}}" TELEGRAM_CHECKCERT: "{{ .Values.config.telegram.checkcert | printf "%t" | b64enc}}" 
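Review bot: `TELEGRAM_MESSAGE_THREAD_ID` pipes `.Values.config.telegram.messagethreadid` straight into `b64enc`, which accepts only a string, so a thread id written as an unquoted number in values would fail template rendering. Other numeric settings in this file (`SYSLOG_PORT`, `MQTT_QOS`) are converted first. Suggest `TELEGRAM_MESSAGE_THREAD_ID: "{{ .Values.config.telegram.messagethreadid | toString | b64enc}}"`.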
@@ -455,23 +469,34 @@ data: OPENOBSERVE_STREAMNAME: "{{ .Values.config.openobserve.streamname | b64enc}}" OPENOBSERVE_MINIMUMPRIORITY: "{{ .Values.config.openobserve.minimumpriority | b64enc}}" - # Dynatrace + # Dynatrace Output DYNATRACE_APITOKEN: "{{ .Values.config.dynatrace.apitoken | b64enc}}" DYNATRACE_APIURL: "{{ .Values.config.dynatrace.apiurl | b64enc}}" DYNATRACE_CHECKCERT: "{{ .Values.config.dynatrace.checkcert | printf "%t" | b64enc}}" DYNATRACE_MINIMUMPRIORITY: "{{ .Values.config.dynatrace.minimumpriority | b64enc}}" - # OTLP Traces + # OTLP Traces Output OTLP_TRACES_ENDPOINT: "{{ .Values.config.otlp.traces.endpoint | b64enc}}" - OTLP_TRACES_PROTOCOL: "{{ .Values.config.otlp.traces.endpoint | b64enc}}" + OTLP_TRACES_PROTOCOL: "{{ .Values.config.otlp.traces.protocol | b64enc}}" OTLP_TRACES_TIMEOUT: "{{ .Values.config.otlp.traces.timeout | toString | b64enc}}" OTLP_TRACES_HEADERS: "{{ .Values.config.otlp.traces.headers | b64enc}}" OTLP_TRACES_SYNCED: "{{ .Values.config.otlp.traces.synced | printf "%t" | b64enc}}" OTLP_TRACES_DURATION: "{{ .Values.config.otlp.traces.duration | toString | b64enc}}" OTLP_TRACES_CHECKCERT: "{{ .Values.config.otlp.traces.checkcert | printf "%t" | b64enc}}" OTLP_TRACES_MINIMUMPRIORITY: "{{ .Values.config.otlp.traces.minimumpriority | b64enc}}" + # OTLP Metrics Output + OTLP_METRICS_ENDPOINT: "{{ .Values.config.otlp.metrics.endpoint | b64enc}}" + OTLP_METRICS_PROTOCOL: "{{ .Values.config.otlp.metrics.protocol | b64enc}}" + OTLP_METRICS_TIMEOUT: "{{ .Values.config.otlp.metrics.timeout | toString | b64enc}}" + OTLP_METRICS_HEADERS: "{{ .Values.config.otlp.metrics.headers | b64enc}}" + OTLP_METRICS_EXTRAATTRIBUTES: "{{ .Values.config.otlp.metrics.extraattributes | b64enc}}" + {{- range $key, $value := .Values.config.otlp.metrics.extraenvvars }} + {{ $key }}: "{{ $value | b64enc }}" + {{- end }} + OTLP_METRICS_CHECKCERT: "{{ .Values.config.otlp.metrics.checkcert | printf "%t" | b64enc}}" + OTLP_METRICS_MINIMUMPRIORITY: "{{ 
.Values.config.otlp.metrics.minimumpriority | b64enc}}" - # Sumologic + # Sumologic Output SUMOLOGIC_RECEIVERURL: "{{ .Values.config.sumologic.receiverURL | b64enc}}" SUMOLOGIC_SOURCECATEGORY: "{{ .Values.config.sumologic.sourceCategory | b64enc}}" SUMOLOGIC_SOURCEHOST: "{{ .Values.config.sumologic.sourceHost | b64enc}}" @@ -479,7 +504,7 @@ data: SUMOLOGIC_CHECKCERT: "{{ .Values.config.sumologic.checkcert | printf "%t" | b64enc}}" SUMOLOGIC_MINIMUMPRIORITY: "{{ .Values.config.sumologic.minimumpriority | b64enc}}" - # Quickwit + # Quickwit Output QUICKWIT_HOSTPORT: "{{ .Values.config.quickwit.hostport | b64enc}}" QUICKWIT_APIENDPOINT: "{{ .Values.config.quickwit.apiendpoint | b64enc}}" QUICKWIT_INDEX: "{{ .Values.config.quickwit.index | b64enc}}" @@ -490,7 +515,11 @@ data: QUICKWIT_MUTUALTLS: "{{ .Values.config.quickwit.mutualtls | printf "%t" | b64enc}}" QUICKWIT_MINIMUMPRIORITY: "{{ .Values.config.quickwit.minimumpriority | b64enc}}" - # Talon + # Webex Output + WEBEX_WEBHOOKURL: "{{ .Values.config.webex.webhookurl | b64enc}}" + WEBEX_MINIMUMPRIORITY: "{{ .Values.config.webex.minimumpriority | b64enc}}" + + # Talon Output TALON_ADDRESS: "{{ .Values.config.talon.address | b64enc}}" TALON_CHECKCERT: "{{ .Values.config.talon.checkcert | printf "%t" | b64enc}}" TALON_MINIMUMPRIORITY: "{{ .Values.config.talon.minimumpriority | b64enc}}" diff --git a/helm/falco/charts/falcosidekick/templates/service-ui.yaml b/helm/falco/charts/falcosidekick/templates/service-ui.yaml index 9f2f93c7..e7208f79 100644 --- a/helm/falco/charts/falcosidekick/templates/service-ui.yaml +++ b/helm/falco/charts/falcosidekick/templates/service-ui.yaml 
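Review bot: The `range $key, $value := .Values.config.otlp.metrics.extraenvvars` loop emits `{{ $key }}: "{{ $value | b64enc }}"`, which assumes a map of string values, but values.yaml in this commit defaults the metrics setting to `extraenvvars: []` and its commented example is a list of single-key entries with integer values. With a list, `$key` is the element index and `$value` is a map, so `b64enc` fails; with a map, an unquoted `10000` fails for the same type reason. Defaulting to `extraenvvars: {}` (as the traces block does) and rendering `"{{ $value | toString | b64enc }}"` would make the documented example work.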
@@ -22,9 +22,9 @@ spec: type: {{ .Values.webui.service.type }} ports: - port: {{ .Values.webui.service.port }} - {{ if eq .Values.webui.service.type "NodePort" }} + {{- if eq .Values.webui.service.type "NodePort" }} nodePort: {{ .Values.webui.service.nodePort }} - {{ end }} + {{- end }} targetPort: {{ .Values.webui.service.targetPort }} protocol: TCP name: http @@ -46,7 +46,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - type: ClusterIP + type: {{ .Values.webui.redis.service.type }} ports: - port: {{ .Values.webui.redis.service.port }} targetPort: {{ .Values.webui.redis.service.targetPort }} diff --git a/helm/falco/charts/falcosidekick/templates/service.yaml b/helm/falco/charts/falcosidekick/templates/service.yaml index fdea8deb..01a44729 100644 --- a/helm/falco/charts/falcosidekick/templates/service.yaml +++ b/helm/falco/charts/falcosidekick/templates/service.yaml @@ -17,7 +17,6 @@ metadata: {{- with .Values.service.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - prometheus.io/scrape: "true" spec: type: {{ .Values.service.type }} ports: diff --git a/helm/falco/charts/falcosidekick/values.yaml b/helm/falco/charts/falcosidekick/values.yaml index 9bc98791..ae7e5885 100644 --- a/helm/falco/charts/falcosidekick/values.yaml +++ b/helm/falco/charts/falcosidekick/values.yaml @@ -14,7 +14,7 @@ image: # -- The image repository to pull from repository: falcosecurity/falcosidekick # -- The image tag to pull - tag: 2.29.0 + tag: 2.30.0 # -- The image pull policy pullPolicy: IfNotPresent 
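Review bot: In the second service-ui.yaml hunk the Redis Service type changes from the fixed `ClusterIP` to `{{ .Values.webui.redis.service.type }}` with no fallback, and none of the values.yaml hunks visible in this commit adds a `webui.redis.service.type` default (it may already exist outside the hunks). If the key is missing the template renders an empty `type:`, and if it is set to `NodePort` or `LoadBalancer` the UI's Redis becomes reachable from outside the cluster while `webui.redis.password` remains optional. Suggest `type: {{ .Values.webui.redis.service.type | default "ClusterIP" }}` plus a values comment stating that non-ClusterIP types should be combined with a password and a NetworkPolicy.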
@@ -115,6 +115,23 @@ prometheusRules: threshold: 0 additionalAlerts: {} +# -- grafana contains the configuration related to grafana. +grafana: + # -- dashboards contains configuration for grafana dashboards. + dashboards: + # -- enabled specifies whether the dashboards should be deployed. + enabled: false + # --configmaps to be deployed that contain a grafana dashboard. + configMaps: + # -- falcosidekick contains the configuration for falcosidekick's dashboard. + falcosidekick: + # -- name specifies the name for the configmap. + name: falcosidekick-grafana-dashboard + # -- namespace specifies the namespace for the configmap. + namespace: "" + # -- folder where the dashboard is stored by grafana. + folder: "" + config: # -- Existing secret with configuration existingSecret: "" @@ -145,7 +162,7 @@ config: tlsclient: # -- CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty - cacertfile: "/etc/certs/client/ca.crt" + cacertfile: "" tlsserver: # -- if true TLS server will be deployed instead of HTTP 
@@ -240,13 +257,23 @@ config: datadog: # -- Datadog API Key, if not `empty`, Datadog output is *enabled* apikey: "" + # -- Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "" + host: "" # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` minimumpriority: "" - # -- Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "" + + datadoglogs: + # -- Datadog API Key, if not empty, Datadog Logs output is enabled + apikey: "" + # -- Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://http-intake.logs.datadoghq.com/" host: "" + # -- The name of the application or service generating the log events. + service: "" + # -- minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default) + minimumpriority: "" alertmanager: - # -- AlertManager , if not `empty`, AlertManager is *enabled* + # -- Comma separated list of http://{domain or ip}:{port} that will all receive the payload, if not empty, Alertmanager output is enabled hostport: "" # -- alertmanager endpoint on which falcosidekick posts alerts, choice is: `"/api/v1/alerts" or "/api/v2/alerts" , default is "/api/v1/alerts"` endpoint: "/api/v1/alerts" 
@@ -276,11 +303,15 @@ config: index: "falco" # -- Elasticsearch document type type: "_doc" - # date suffix for index rotation : daily, monthly, annually, none + # -- Optional ingest pipeline name + pipeline: "" + # -- Date suffix for index rotation : daily, monthly, annually, none suffix: "daily" - # -- use this username to authenticate to Elasticsearch if the username is not empty + # -- Use this APIKey to authenticate to Elasticsearch if the APIKey is not empty (default: "") + apikey: "" + # -- Use this username to authenticate to Elasticsearch if the username is not empty username: "" - # -- use this password to authenticate to Elasticsearch if the password is not empty + # -- Use this password to authenticate to Elasticsearch if the password is not empty password: "" # -- Replace . by _ to avoid mapping conflicts, force to true if createindextemplate==true (default: false) flattenfields: false @@ -296,6 +327,18 @@ config: mutualtls: false # -- check if ssl certificate of the output is valid checkcert: true + # -- if true enables gzip compression for http requests (default: false) + enablecompression: false + # -- max number of concurrent http requests (default: 1) + maxconcurrentrequests: 1 + # -- batching configuration, improves throughput dramatically utilizing _bulk Elasticsearch API + batching: + # -- if true enables batching + enabled: true + # -- batch size in bytes (default: 5 MB) (use string to avoid the conversion into float64 by helm) + batchsize: "5242880" + # -- batch fush interval (default: 1s) + flushinterval: 1s # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` minimumpriority: "" 
@@ -342,6 +385,18 @@ config: mutualtls: false # -- check if ssl certificate of the output is valid checkcert: true + # -- dashboard for Grafana + grafanaDashboard: + # -- enabled specifies whether this dashboard should be deployed. + enabled: true + # --configmaps to be deployed that contain a grafana dashboard. + configMap: + # -- name specifies the name for the configmap. + name: falcosidekick-loki-dashboard-grafana + # -- namespace specifies the namespace for the configmap. + namespace: "" + # -- folder where the dashboard is stored by grafana. + folder: "" prometheus: # -- comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields @@ -914,6 +969,8 @@ config: token: "" # -- telegram Identifier of the shared chat chatid: "" + # -- Telegram individual chats within the group + messagethreadid: "" # -- check if ssl certificate of the output is valid checkcert: true # -- minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" @@ -972,7 +1029,7 @@ config: # -- OTLP protocol http/json, http/protobuf, grpc (default: "" which uses SDK default: http/json) protocol: "" # -- OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000) - timeout: "" + timeout: 1000 # -- OTLP headers: list of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value" (default: "") headers: "" # -- Set to true if you want traces to be sent synchronously (default: false) 
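Review bot: In the last hunk on this line the traces `timeout` default changes from `""` to `1000`, but the comment directly above still reads `(default: "" which uses SDK default: 10000)`, so the documented and shipped defaults now disagree and the effective export timeout drops to one second. The new `otlp.metrics.timeout` in the following hunk repeats the same comment with the same `1000`. Either keep `timeout: ""` or update both comments, for example `# -- OTLP timeout: timeout value in milliseconds (default: 1000)`.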
@@ -983,10 +1040,29 @@ config: extraenvvars: {} # OTEL_EXPORTER_OTLP_TRACES_TIMEOUT: 10000 # OTEL_EXPORTER_OTLP_TIMEOUT: 10000 + # -- check if ssl certificate of the output is valid + checkcert: true # -- minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" minimumpriority: "" - # -- check if ssl certificate of the output is valid + metrics: + # -- OTLP endpoint, typically in the form http{s}://{domain or ip}:4318/v1/metrics + endpoint: "" + # -- OTLP transport protocol to be used for metrics data; it can be "grpc" or "http/protobuf" (default: "grpc") + protocol: "grpc" + # -- OTLP timeout for outgoing metrics in milliseconds (default: "" which uses SDK default: 10000) + timeout: 1000 + # -- List of headers to apply to all outgoing metrics in the form of "some-key=some-value,other-key=other-value" (default: "") + headers: "" + # -- Extra env vars (override the other settings) (default: "") + extraenvvars: [] + # - OTEL_EXPORTER_OTLP_METRICS_TIMEOUT: 10000 + # - OTEL_EXPORTER_OTLP_TIMEOUT: 10000 + # -- Comma-separated list of fields to use as labels additionally to source, priority, rule, hostname, tags, k8s_ns_name, k8s_pod_name and custom_fields + extraattributes: "" + # -- Set to false if you want to skip TLS certificate validation (only with https) (default: true) checkcert: true + # -- Minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default: "") + minimumpriority: "" sumologic: # -- Sumologic HTTP Source URL, if not empty, Sumologic output is enabled 
@@ -1022,6 +1098,12 @@ config: # -- check if ssl certificate of the output is valid checkcert: true + webex: + # -- Webex WebhookURL, if not empty, Webex output is enabled + webhookurl: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + talon: # -- Talon address, if not empty, Talon output is enabled address: "" @@ -1036,7 +1118,8 @@ service: # -- Service port port: 2801 # -- Service annotations - annotations: {} + annotations: + prometheus.io/scrape: "true" # networking.gke.io/load-balancer-type: Internal ingress: @@ -1143,9 +1226,9 @@ webui: # -- wait-redis initContainer image registry to pull from registry: docker.io # -- wait-redis initContainer image repository to pull from - repository: busybox + repository: redis/redis-stack # -- wait-redis initContainer image tag to pull - tag: 1.31 + tag: "7.2.0-v11" # -- wait-redis initContainer securityContext securityContext: {} # -- wait-redis initContainer resources @@ -1222,6 +1305,8 @@ webui: enabled: false # -- The URL of the external Redis database with RediSearch > v2 url: "" + # -- Set the password of the external Redis + password: "" # -- The port of the external Redis database with RediSearch > v2 port: 6379 redis: @@ -1237,6 +1322,11 @@ webui: # -- The web UI image pull policy pullPolicy: IfNotPresent + # -- List of Custom config overrides for Redis + customConfig: {} + # - maxmemory-policy allkeys-lfu + # - maxmemory 4096mb + # -- Existing secret with configuration existingSecret: "" diff --git a/helm/falco/charts/k8s-metacollector/CHANGELOG.md b/helm/falco/charts/k8s-metacollector/CHANGELOG.md index e01e1282..a56b211a 100644 --- a/helm/falco/charts/k8s-metacollector/CHANGELOG.md +++ b/helm/falco/charts/k8s-metacollector/CHANGELOG.md 
@@ -4,6 +4,14 @@ This file documents all notable changes to `k8s-metacollector` Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v0.1.10 + +* Fix Grafana dashboards datasources + +## v0.1.9 + +* Add podLabels + ## v0.1.8 * Bump application version to 0.1.1. For more info see release notes: https://github.com/falcosecurity/k8s-metacollector/releases/tag/v0.1.1 @@ -23,7 +31,7 @@ numbering uses [semantic versioning](http://semver.org). ## v0.1.4 * Lower `interval` and `scrape_timeout` values for service monitor; -* + ## v0.1.3 * Bump application version to 0.1.3 @@ -45,4 +53,4 @@ numbering uses [semantic versioning](http://semver.org). ### Major Changes -* Initial release of k8s-metacollector Helm Chart. **Note:** the chart uses the `main` tag, since we don't have released the k8s-metacollector yet. \ No newline at end of file +* Initial release of k8s-metacollector Helm Chart. **Note:** the chart uses the `main` tag, since we don't have released the k8s-metacollector yet. diff --git a/helm/falco/charts/k8s-metacollector/Chart.yaml b/helm/falco/charts/k8s-metacollector/Chart.yaml index d0624156..102d80f9 100644 --- a/helm/falco/charts/k8s-metacollector/Chart.yaml +++ b/helm/falco/charts/k8s-metacollector/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.8 +version: 0.1.10 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/falco/charts/k8s-metacollector/README.md b/helm/falco/charts/k8s-metacollector/README.md index 6c258935..def3ab4a 100644 --- a/helm/falco/charts/k8s-metacollector/README.md +++ b/helm/falco/charts/k8s-metacollector/README.md 
@@ -66,7 +66,7 @@ The command removes all the Kubernetes resources associated with the chart and d ## Configuration -The following table lists the main configurable parameters of the k8s-metacollector chart v0.1.8 and their default values. See `values.yaml` for full list. +The following table lists the main configurable parameters of the k8s-metacollector chart v0.1.10 and their default values. See `values.yaml` for full list. ## Values @@ -110,6 +110,7 @@ The following table lists the main configurable parameters of the k8s-metacollec | namespaceOverride | string | `""` | namespaceOverride overrides the deployment namespace. It's useful for multi-namespace deployments in combined charts. | | nodeSelector | object | `{}` | nodeSelector specifies a set of key-value pairs that must match labels assigned to nodes for the Pod to be eligible for scheduling on that node. | | podAnnotations | object | `{}` | podAnnotations are custom annotations to be added to the pod. | +| podLabels | object | `{}` | podLabels are labels to be added to the pod. | | podSecurityContext | object | `{"fsGroup":1000,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}` | These settings are override by the ones specified for the container when there is overlap. | | podSecurityContext.fsGroup | int | `1000` | fsGroup specifies the group ID (GID) that should be used for the volume mounted within a Pod. | | podSecurityContext.runAsGroup | int | `1000` | runAsGroup specifies the group ID (GID) that the containers inside the pod should run as. | diff --git a/helm/falco/charts/k8s-metacollector/dashboards/k8s-metacollector-dashboard.json b/helm/falco/charts/k8s-metacollector/dashboards/k8s-metacollector-dashboard.json index 62b721df..c9682d20 100644 --- a/helm/falco/charts/k8s-metacollector/dashboards/k8s-metacollector-dashboard.json +++ b/helm/falco/charts/k8s-metacollector/dashboards/k8s-metacollector-dashboard.json 
@@ -25,14 +25,14 @@ "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 0, - "id": 17, + "id": 146, "links": [], "liveNow": false, "panels": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "fieldConfig": { "defaults": { @@ -40,6 +40,7 @@ "mode": "continuous-GrYlRd" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -53,6 +54,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "smooth", "lineWidth": 3, "pointSize": 5, @@ -95,7 +97,6 @@ }, "id": 2, "interval": "1m", - "links": [], "options": { "legend": { "calcs": [], @@ -104,6 +105,7 @@ "showLegend": true }, "tooltip": { + "maxHeight": 600, "mode": "single", "sort": "none" } @@ -113,7 +115,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "editorMode": "code", "exemplar": true, @@ -133,7 +135,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "fieldConfig": { "defaults": { @@ -141,6 +143,7 @@ "mode": "continuous-GrYlRd" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -154,6 +157,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "smooth", "lineWidth": 3, "pointSize": 5, @@ -196,7 +200,6 @@ }, "id": 4, "interval": "1m", - "links": [], "options": { "legend": { "calcs": [], @@ -205,6 +208,7 @@ "showLegend": true }, "tooltip": { + "maxHeight": 600, "mode": "single", "sort": "none" } @@ -214,7 +218,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "editorMode": "builder", "exemplar": true, @@ -234,7 +238,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "description": "Number of subscribers", "fieldConfig": { 
@@ -244,6 +248,7 @@ "mode": "fixed" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -257,6 +262,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -305,6 +311,7 @@ "showLegend": true }, "tooltip": { + "maxHeight": 600, "mode": "single", "sort": "none" } @@ -314,7 +321,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "editorMode": "builder", "expr": "meta_collector_server_subscribers{namespace=\"$namespace\", pod=\"$pod\", job=\"$job\"}", @@ -329,7 +336,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "fieldConfig": { "defaults": { @@ -377,6 +384,7 @@ "values": false }, "tooltip": { + "maxHeight": 600, "mode": "single", "sort": "none" } @@ -386,7 +394,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "editorMode": "builder", "expr": "sum by(type) (meta_collector_broker_queue_adds{pod=\"$pod\", namespace=\"$namespace\"})", @@ -401,7 +409,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "fieldConfig": { "defaults": { @@ -423,7 +431,7 @@ "gridPos": { "h": 8, "w": 12, - "x": 7, + "x": 0, "y": 16 }, "id": 23, @@ -447,6 +455,7 @@ "values": false }, "tooltip": { + "maxHeight": 600, "mode": "single", "sort": "none" } @@ -456,7 +465,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "editorMode": "builder", "expr": "sum by(controller) (controller_runtime_reconcile_total{pod=\"$pod\", namespace=\"$namespace\"})", 
@@ -471,72 +480,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" - }, - "description": "Events sent to subscribers", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 0, - "y": 24 - }, - "id": 17, - "options": { - "displayMode": "gradient", - "minVizHeight": 10, - "minVizWidth": 0, - "orientation": "horizontal", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showUnfilled": true, - "valueMode": "color" - }, - "pluginVersion": "9.5.1", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "editorMode": "builder", - "exemplar": false, - "expr": "sum by(kind) (meta_collector_broker_dispatched_events{pod=\"$pod\", namespace=\"$namespace\"})", - "format": "time_series", - "legendFormat": "{{kind}}", - "range": true, - "refId": "A" - } - ], - "title": "Events Dispatched Per Resource Kind", - "type": "bargauge" - }, - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "fieldConfig": { "defaults": { @@ -564,7 +508,7 @@ "h": 8, "w": 12, "x": 12, - "y": 24 + "y": 16 }, "id": 26, "options": { @@ -579,14 +523,16 @@ "fields": "", "values": false }, - "textMode": "auto" + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true }, - "pluginVersion": "9.5.1", + "pluginVersion": "11.0.0", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "editorMode": "builder", "expr": "sum by(job) (meta_collector_broker_dispatched_events{pod=\"$pod\", namespace=\"$namespace\"})", 
@@ -601,13 +547,13 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, + "description": "Events sent to subscribers", "fieldConfig": { "defaults": { "color": { - "fixedColor": "semi-dark-orange", - "mode": "fixed" + "mode": "thresholds" }, "mappings": [], "thresholds": { @@ -626,13 +572,15 @@ "h": 8, "w": 12, "x": 0, - "y": 32 + "y": 24 }, - "id": 24, + "id": 17, "options": { "displayMode": "gradient", + "maxVizHeight": 300, "minVizHeight": 10, "minVizWidth": 0, + "namePlacement": "auto", "orientation": "horizontal", "reduceOptions": { "calcs": [ @@ -642,29 +590,32 @@ "values": false }, "showUnfilled": true, + "sizing": "auto", "valueMode": "color" }, - "pluginVersion": "9.5.1", + "pluginVersion": "11.0.0", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "editorMode": "builder", - "expr": "sum by(name) (meta_collector_collector_event_api_server_received{pod=\"$pod\", namespace=\"$namespace\", source=\"api-server\"})", - "legendFormat": "__auto", + "exemplar": false, + "expr": "sum by(kind) (meta_collector_broker_dispatched_events{pod=\"$pod\", namespace=\"$namespace\"})", + "format": "time_series", + "legendFormat": "{{kind}}", "range": true, "refId": "A" } ], - "title": "Events From Api Server Per collector", + "title": "Events Dispatched Per Resource Kind", "type": "bargauge" }, { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "fieldConfig": { "defaults": { @@ -692,7 +643,7 @@ "h": 8, "w": 12, "x": 12, - "y": 32 + "y": 24 }, "id": 25, "options": { 
@@ -707,14 +658,16 @@ "fields": "", "values": false }, - "textMode": "auto" + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true }, - "pluginVersion": "9.5.1", + "pluginVersion": "11.0.0", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "editorMode": "builder", "expr": "sum(meta_collector_collector_event_api_server_received{pod=\"$pod\", namespace=\"$namespace\", source=\"api-server\"})", @@ -729,43 +682,13 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, - "description": "How long in seconds an item stays in workqueue before being requested", "fieldConfig": { "defaults": { "color": { - "mode": "palette-classic" - }, - "custom": { - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "normal" - }, - "thresholdsStyle": { - "mode": "off" - } + "fixedColor": "semi-dark-orange", + "mode": "fixed" }, "mappings": [], "thresholds": { 
@@ -774,83 +697,58 @@ { "color": "green", "value": null - }, - { - "color": "red", - "value": 80 } ] - }, - "unit": "s" + } }, "overrides": [] }, "gridPos": { - "h": 7, + "h": 8, "w": 12, "x": 0, - "y": 40 + "y": 32 }, - "id": 30, + "id": 24, "options": { - "legend": { + "displayMode": "gradient", + "maxVizHeight": 300, + "minVizHeight": 10, + "minVizWidth": 0, + "namePlacement": "auto", + "orientation": "horizontal", + "reduceOptions": { "calcs": [ - "max", - "mean" + "lastNotNull" ], - "displayMode": "list", - "placement": "right", - "showLegend": true + "fields": "", + "values": false }, - "tooltip": { - "mode": "single", - "sort": "none" - } + "showUnfilled": true, + "sizing": "auto", + "valueMode": "color" }, + "pluginVersion": "11.0.0", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, - "exemplar": true, - "expr": "histogram_quantile(0.50, sum(rate(workqueue_queue_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", - "interval": "", - "legendFormat": "P50 {{name}} {{instance}} ", + "editorMode": "builder", + "expr": "sum by(name) (meta_collector_collector_event_api_server_received{pod=\"$pod\", namespace=\"$namespace\", source=\"api-server\"})", + "legendFormat": "__auto", + "range": true, "refId": "A" - }, - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "exemplar": true, - "expr": "histogram_quantile(0.90, sum(rate(workqueue_queue_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", - "hide": false, - "interval": "", - "legendFormat": "P90 {{name}} {{instance}} ", - "refId": "B" - }, - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "exemplar": true, - "expr": "histogram_quantile(0.99, sum(rate(workqueue_queue_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", - "hide": false, - "interval": "", - "legendFormat": "P99 
{{name}} {{instance}} ", - "refId": "C" } ], - "title": "Seconds For Items Stay In Queue (before being requested) (P50, P90, P99)", - "type": "timeseries" + "title": "Events From Api Server Per collector", + "type": "bargauge" }, { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "description": "How long in seconds an item stays in the broker queue before being processed by the broker.", "fieldConfig": { @@ -859,6 +757,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -872,6 +771,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -932,10 +832,10 @@ ] }, "gridPos": { - "h": 7, + "h": 8, "w": 12, "x": 12, - "y": 40 + "y": 32 }, "id": 13, "options": { @@ -949,6 +849,7 @@ "showLegend": true }, "tooltip": { + "maxHeight": 600, "mode": "single", "sort": "none" } @@ -957,7 +858,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "editorMode": "builder", "exemplar": true, @@ -970,7 +871,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "editorMode": "builder", "exemplar": true, @@ -984,7 +885,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "editorMode": "builder", "exemplar": true, @@ -1002,15 +903,16 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, - "description": "How long in seconds processing an item from workqueue takes.", + "description": "How long in seconds an item stays in workqueue before being requested", "fieldConfig": { "defaults": { "color": { "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", 
@@ -1024,6 +926,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -1034,7 +937,7 @@ "spanNulls": false, "stacking": { "group": "A", - "mode": "none" + "mode": "normal" }, "thresholdsStyle": { "mode": "off" @@ -1062,20 +965,21 @@ "h": 7, "w": 12, "x": 0, - "y": 47 + "y": 40 }, - "id": 29, + "id": 30, "options": { "legend": { "calcs": [ "max", "mean" ], - "displayMode": "table", + "displayMode": "list", "placement": "right", "showLegend": true }, "tooltip": { + "maxHeight": 600, "mode": "single", "sort": "none" } @@ -1084,10 +988,10 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "exemplar": true, - "expr": "histogram_quantile(0.50, sum(rate(workqueue_work_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", + "expr": "histogram_quantile(0.50, sum(rate(workqueue_queue_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", "interval": "", "legendFormat": "P50 {{name}} {{instance}} ", "refId": "A" @@ -1095,10 +999,10 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "exemplar": true, - "expr": "histogram_quantile(0.90, sum(rate(workqueue_work_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", + "expr": "histogram_quantile(0.90, sum(rate(workqueue_queue_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", "hide": false, "interval": "", "legendFormat": "P90 {{name}} {{instance}} ", 
@@ -1107,23 +1011,23 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "exemplar": true, - "expr": "histogram_quantile(0.99, sum(rate(workqueue_work_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", + "expr": "histogram_quantile(0.99, sum(rate(workqueue_queue_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", "hide": false, "interval": "", "legendFormat": "P99 {{name}} {{instance}} ", "refId": "C" } ], - "title": "Seconds Processing Items From WorkQueue (P50, P90, P99)", + "title": "Seconds For Items Stay In Queue (before being requested) (P50, P90, P99)", "type": "timeseries" }, { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "description": "Total number of retries handled by workqueue", "fieldConfig": { @@ -1132,6 +1036,7 @@ "mode": "continuous-GrYlRd" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -1145,6 +1050,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "smooth", "lineWidth": 3, "pointSize": 5, @@ -1183,7 +1089,7 @@ "h": 7, "w": 12, "x": 12, - "y": 47 + "y": 40 }, "id": 34, "options": { @@ -1194,6 +1100,7 @@ "showLegend": true }, "tooltip": { + "maxHeight": 600, "mode": "single", "sort": "none" } @@ -1202,12 +1109,14 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, + "editorMode": "code", "exemplar": true, "expr": "sum(rate(workqueue_retries_total{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name)", "interval": "", "legendFormat": "{{name}} {{instance}} ", + "range": true, "refId": "A" } ], 
@@ -1217,29 +1126,32 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, + "description": "How long in seconds processing an item from workqueue takes.", "fieldConfig": { "defaults": { "color": { - "mode": "continuous-GrYlRd" + "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, "drawStyle": "line", - "fillOpacity": 20, - "gradientMode": "scheme", + "fillOpacity": 10, + "gradientMode": "none", "hideFrom": { "legend": false, "tooltip": false, "viz": false }, - "lineInterpolation": "smooth", - "lineWidth": 3, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, "pointSize": 5, "scaleDistribution": { "type": "linear" @@ -1268,7 +1180,7 @@ } ] }, - "unit": "ops" + "unit": "s" }, "overrides": [] }, 
@@ -1276,42 +1188,69 @@ "h": 7, "w": 12, "x": 0, - "y": 54 + "y": 47 }, - "id": 33, + "id": 29, "options": { "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", + "calcs": [ + "max", + "mean" + ], + "displayMode": "table", + "placement": "right", "showLegend": true }, "tooltip": { + "maxHeight": 600, "mode": "single", "sort": "none" } }, - "pluginVersion": "8.4.3", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "exemplar": true, - "expr": "sum(rate(workqueue_adds_total{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name)", + "expr": "histogram_quantile(0.50, sum(rate(workqueue_work_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", "interval": "", - "legendFormat": "{{name}} {{instance}}", + "legendFormat": "P50 {{name}} {{instance}} ", "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_Metrics}" + }, + "exemplar": true, + "expr": "histogram_quantile(0.90, sum(rate(workqueue_work_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", + "hide": false, + "interval": "", + "legendFormat": "P90 {{name}} {{instance}} ", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_Metrics}" + }, + "exemplar": true, + "expr": "histogram_quantile(0.99, sum(rate(workqueue_work_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", + "hide": false, + "interval": "", + "legendFormat": "P99 {{name}} {{instance}} ", + "refId": "C" } ], - "title": "Work Queue Add Rate", + "title": "Seconds Processing Items From WorkQueue (P50, P90, P99)", "type": "timeseries" }, { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "description": "Total number of reconciliation errors per controller", "fieldConfig": { 
@@ -1320,6 +1259,7 @@ "mode": "continuous-GrYlRd" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -1333,6 +1273,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "smooth", "lineWidth": 3, "pointSize": 5, @@ -1371,7 +1312,7 @@ "h": 7, "w": 12, "x": 12, - "y": 54 + "y": 47 }, "id": 32, "options": { @@ -1382,6 +1323,7 @@ "showLegend": true }, "tooltip": { + "maxHeight": 600, "mode": "single", "sort": "none" } @@ -1390,7 +1332,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "editorMode": "code", "exemplar": true, 
@@ -1407,7 +1349,104 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "continuous-GrYlRd" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 20, + "gradientMode": "scheme", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "smooth", + "lineWidth": 3, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "ops" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 54 + }, + "id": 33, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "maxHeight": 600, + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "8.4.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_Metrics}" + }, + "exemplar": true, + "expr": "sum(rate(workqueue_adds_total{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name)", + "interval": "", + "legendFormat": "{{name}} {{instance}}", + "refId": "A" + } + ], + "title": "Work Queue Add Rate", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_Metrics}" }, "description": "Total number of reconciliations per controller", "fieldConfig": { @@ -1416,6 +1455,7 @@ "mode": "continuous-GrYlRd" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", 
@@ -1429,6 +1469,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "smooth", "lineWidth": 3, "pointSize": 5, @@ -1467,7 +1508,7 @@ "h": 7, "w": 12, "x": 12, - "y": 61 + "y": 54 }, "id": 31, "options": { @@ -1478,6 +1519,7 @@ "showLegend": true }, "tooltip": { + "maxHeight": 600, "mode": "single", "sort": "none" } @@ -1486,7 +1528,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "editorMode": "code", "exemplar": true, @@ -1502,20 +1544,32 @@ } ], "refresh": "5s", - "schemaVersion": 38, - "style": "dark", - "tags": [], + "schemaVersion": 39, + "tags": [ + "falco" + ], "templating": { "list": [ { - "current": { - "selected": false, - "text": "meta-collector", - "value": "meta-collector" - }, + "current": {}, + "hide": 0, + "includeAll": false, + "label": "Metrics", + "multi": false, + "name": "DS_Metrics", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, "definition": "label_values(meta_collector_server_subscribers,namespace)", "hide": 0, 
@@ -1524,33 +1578,31 @@ "name": "namespace", "options": [], "query": { + "qryType": 1, "query": "label_values(meta_collector_server_subscribers,namespace)", "refId": "PrometheusVariableQueryEditor-VariableQuery" }, - "refresh": 2, + "refresh": 1, "regex": "", "skipUrlSync": false, "sort": 0, "type": "query" }, { - "current": { - "selected": false, - "text": "meta-collector-585d94f758-bpsxm", - "value": "meta-collector-585d94f758-bpsxm" - }, + "current": {}, "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, - "definition": "label_values(meta_collector_server_subscribers{namespace=~\"$namespace\"},pod)", + "definition": "label_values(meta_collector_server_subscribers{namespace=\"$namespace\"},job)", "hide": 0, "includeAll": false, "multi": false, - "name": "pod", + "name": "job", "options": [], "query": { - "query": "label_values(meta_collector_server_subscribers{namespace=~\"$namespace\"},pod)", + "qryType": 1, + "query": "label_values(meta_collector_server_subscribers{namespace=\"$namespace\"},job)", "refId": "PrometheusVariableQueryEditor-VariableQuery" }, "refresh": 1, @@ -1560,23 +1612,20 @@ "type": "query" }, { - "current": { - "selected": false, - "text": "meta-collector", - "value": "meta-collector" - }, + "current": {}, "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${DS_Metrics}" }, - "definition": "label_values(controller_runtime_reconcile_total{namespace=~\"$namespace\"},job)", + "definition": "label_values(meta_collector_server_subscribers{namespace=\"$namespace\", job=\"$job\"},pod)", "hide": 0, "includeAll": false, "multi": false, - "name": "job", + "name": "pod", "options": [], "query": { - "query": "label_values(controller_runtime_reconcile_total{namespace=~\"$namespace\"},job)", + "qryType": 1, + "query": "label_values(meta_collector_server_subscribers{namespace=\"$namespace\", job=\"$job\"},pod)", "refId": "PrometheusVariableQueryEditor-VariableQuery" }, "refresh": 1, 
@@ -1591,10 +1640,11 @@ "from": "now-30m", "to": "now" }, + "timeRangeUpdatedDuringEditOrView": false, "timepicker": {}, "timezone": "", - "title": "Falco Meta Collector", - "uid": "T0NvRcb4z", - "version": 1, + "title": "Falco / Meta Collector", + "uid": "fdr5cuh96bj7kf", + "version": 4, "weekStart": "" } diff --git a/helm/falco/charts/k8s-metacollector/templates/deployment.yaml b/helm/falco/charts/k8s-metacollector/templates/deployment.yaml index 896248ce..7688a215 100644 --- a/helm/falco/charts/k8s-metacollector/templates/deployment.yaml +++ b/helm/falco/charts/k8s-metacollector/templates/deployment.yaml @@ -18,6 +18,9 @@ spec: {{- end }} labels: {{- include "k8s-metacollector.selectorLabels" . | nindent 8 }} + {{- if .Values.podLabels }} + {{ toYaml .Values.podLabels | nindent 8 }} + {{- end }} spec: {{- with .Values.image.pullSecrets }} imagePullSecrets: diff --git a/helm/falco/charts/k8s-metacollector/values.yaml b/helm/falco/charts/k8s-metacollector/values.yaml index b6dcc256..98e1fa24 100644 --- a/helm/falco/charts/k8s-metacollector/values.yaml +++ b/helm/falco/charts/k8s-metacollector/values.yaml @@ -25,7 +25,6 @@ fullnameOverride: "" # -- namespaceOverride overrides the deployment namespace. It's useful for multi-namespace deployments in combined charts. namespaceOverride: "" - # -- serviceAccount is the configuration for the service account. serviceAccount: # -- create specifies whether a service account should be created. @@ -39,6 +38,9 @@ serviceAccount: # -- podAnnotations are custom annotations to be added to the pod. podAnnotations: {} +# -- podLabels are labels to be added to the pod. +podLabels: {} + # -- podSecurityContext holds the security settings for the pod. # -- These settings are override by the ones specified for the container when there is overlap. podSecurityContext: diff --git a/helm/falco/values.yaml b/helm/falco/values.yaml index a52dcfe8..f8a9394c 100644 --- a/helm/falco/values.yaml +++ b/helm/falco/values.yaml 
@@ -16,7 +16,9 @@ falco: enabled: true image: registry: gsoci.azurecr.io - repository: giantswarm/falco-no-driver + repository: giantswarm/falco + # repo: falcosecurity/falco + tag: 0.40.0 priorityClassName: giantswarm-critical collectors: kubernetes: diff --git a/vendir.lock.yml b/vendir.lock.yml index e911b319..c1c98945 100644 --- a/vendir.lock.yml +++ b/vendir.lock.yml @@ -2,10 +2,10 @@ apiVersion: vendir.k14s.io/v1alpha1 directories: - contents: - git: - commitTitle: Bump falco-sidekick dependency version to include redis UI check... - sha: e8a0387945bee44cccf2a4e0fed927c35969fa1a + commitTitle: 'fix(falco): bump version to 0.40.0...' + sha: 986a7ad988ceefceaa813445ea76665cd04ceaab tags: - - falco-4.6.1 + - falco-4.19.0 path: . path: helm/falco/charts kind: LockConfig diff --git a/vendir.yml b/vendir.yml index 17975878..b0778c91 100644 --- a/vendir.yml +++ b/vendir.yml @@ -6,7 +6,7 @@ directories: - path: . git: url: https://github.com/giantswarm/falco-charts-upstream - ref: falco-4.6.1 + ref: falco-4.19.0 includePaths: - charts/falco/** - charts/falcosidekick/**
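Review bot: In the `helm/falco/values.yaml` hunk, the new `tag: 0.40.0` pins the Falco image by a mutable tag only, and the `# repo: falcosecurity/falco` line above it reads like a disabled setting rather than the Renovate marker that the commit description ("Add renovate regex") suggests it is. The marker names the upstream repository while the image is pulled from `gsoci.azurecr.io/giantswarm/falco`, so an automated bump would presumably be driven by upstream tags, not by what the mirror actually holds. I would add a line above the marker such as `# Renovate marker, keep the format: upstream source of the mirrored image; confirm the mirrored tag and digest before merging a bump`. I would also quote the value as `tag: "0.40.0"` so that a later two-part version is not parsed as a number. The `falco:` mapping continues outside the hunk, so any existing digest or signature policy elsewhere in the file is not visible here.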