

update(falco/driver)!: use the same names for drivers as falco
Please see: falcosecurity/falco#2413.

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
alacuku committed Jan 24, 2024
1 parent 00de330 commit 4e6f723
Showing 10 changed files with 621 additions and 231 deletions.
13 changes: 13 additions & 0 deletions charts/falco/templates/NOTES.txt
Expand Up @@ -24,6 +24,19 @@ You can enable its deployment with `--set falcosidekick.enabled=true` or in your
See: https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml for configuration values.
{{- end}}


{{- if (has .Values.driver.kind (list "module" "modern-bpf")) -}}
WARNING (drivers):
{{- printf "Ther driver kind:\"%s\" is an alias." .Values.driver.kind -}}
{{- $driver := "" -}}
{{- if eq .Values.driver.kind "module" -}}
{{- $driver = "kmod" -}}
{{- else if eq .Values.driver.kind "modern-bpf" -}}
{{- $driver = "modern_ebpf" -}}
{{- end -}}
{{- printf "Please use \"%s\" instead" $driver}}
{{- end -}}

{{- if and (not (empty .Values.falco.load_plugins)) (or .Values.falcoctl.artifact.follow.enabled .Values.falcoctl.artifact.install.enabled) }}

WARNING:
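Review bot: The added warning has a typo and, because every action in it uses `{{-`/`-}}` trimming, it renders as one run-on line (`WARNING (drivers):Ther driver kind:"module" is an alias.Please use "kmod" instead`). Fix the typo with `{{- printf "The driver kind:\"%s\" is an alias." .Values.driver.kind -}}` and drop the trailing `-` on that line (or emit an explicit newline) so the two sentences and the "WARNING (drivers):" heading are separated in the rendered notes.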
56 changes: 50 additions & 6 deletions charts/falco/templates/_helpers.tpl
Expand Up @@ -185,7 +185,7 @@ we just disable the sycall source.
*/}}
{{- define "falco.configSyscallSource" -}}
{{- $userspaceDisabled := true -}}
{{- $gvisorDisabled := (not .Values.gvisor.enabled) -}}
{{- $gvisorDisabled := (ne .Values.driver.kind "gvisor") -}}
{{- $driverDisabled := (not .Values.driver.enabled) -}}
{{- if or (has "-u" .Values.extra.args) (has "--userspace" .Values.extra.args) -}}
{{- $userspaceDisabled = false -}}
Expand Down Expand Up @@ -214,8 +214,8 @@ be temporary and will stay here until we move this logic to the falcoctl tool.
set -o nounset
set -o pipefail
root={{ .Values.gvisor.runsc.root }}
config={{ .Values.gvisor.runsc.config }}
root={{ .Values.driver.gvisor.runsc.root }}
config={{ .Values.driver.gvisor.runsc.config }}
echo "* Configuring Falco+gVisor integration...".
# Check if gVisor is configured on the node.
Expand All @@ -240,12 +240,12 @@ be temporary and will stay here until we move this logic to the falcoctl tool.
echo "* Falco+gVisor correctly configured."
exit 0
volumeMounts:
- mountPath: /host{{ .Values.gvisor.runsc.path }}
- mountPath: /host{{ .Values.driver.gvisor.runsc.path }}
name: runsc-path
readOnly: true
- mountPath: /host{{ .Values.gvisor.runsc.root }}
- mountPath: /host{{ .Values.driver.gvisor.runsc.root }}
name: runsc-root
- mountPath: /host{{ .Values.gvisor.runsc.config }}
- mountPath: /host{{ .Values.driver.gvisor.runsc.config }}
name: runsc-config
- mountPath: /gvisor-config
name: falco-gvisor-config
Expand Down Expand Up @@ -370,4 +370,48 @@ be temporary and will stay here until we move this logic to the falcoctl tool.
{{- $_ := set .Values.falcoctl.config.artifact.install "refs" ((append .Values.falcoctl.config.artifact.install.refs .Values.collectors.kubernetes.pluginRef) | uniq)}}
{{- $_ = set .Values.falcoctl.config.artifact "allowedTypes" ((append .Values.falcoctl.config.artifact.allowedTypes "plugin") | uniq)}}
{{- end -}}
{{- end -}}

{{/*
Based on the user input it populates the driver configuration in the falco config map.
*/}}
{{- define "falco.engineConfiguration" -}}
{{- if .Values.driver.enabled -}}
{{- $supportedDrivers := list "kmod" "ebpf" "modern_ebpf" "gvisor" -}}
{{- $aliasDrivers := list "module" "modern-bpf" -}}
{{- if and (not (has .Values.driver.kind $supportedDrivers)) (not (has .Values.driver.kind $aliasDrivers)) -}}
{{- fail (printf "unsupported driver kind: \"%s\". Supported drivers %s, alias %s" .Values.driver.kind $supportedDrivers $aliasDrivers) -}}
{{- end -}}
{{- if or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module") -}}
{{- $kmodConfig := dict "kind" "kmod" "kmod" (dict "buf_size_preset" .Values.driver.kmod.bufSizePreset "drop_failed_exit" .Values.driver.kmod.dropFailedExit) -}}
{{- $_ := set .Values.falco "engine" $kmodConfig -}}
{{- else if eq .Values.driver.kind "ebpf" -}}
{{- $ebpfConfig := dict "kind" "ebpf" "ebpf" (dict "buf_size_preset" .Values.driver.ebpf.bufSizePreset "drop_failed_exit" .Values.driver.ebpf.dropFailedExit "probe" .Values.driver.ebpf.path) -}}
{{- $_ := set .Values.falco "engine" $ebpfConfig -}}
{{- else if or (eq .Values.driver.kind "modern_ebpf") (eq .Values.driver.kind "modern-bpf") -}}
{{- $ebpfConfig := dict "kind" "modern_ebpf" "modern_ebpf" (dict "buf_size_preset" .Values.driver.modernEbpf.bufSizePreset "drop_failed_exit" .Values.driver.modernEbpf.dropFailedExit "cpus_for_each_buffer" .Values.driver.modernEbpf.cpusForEachBuffer) -}}
{{- $_ := set .Values.falco "engine" $ebpfConfig -}}
{{- else if eq .Values.driver.kind "gvisor" -}}
{{- $root := printf "/host%s/k8s.io" .Values.driver.gvisor.runsc.root -}}
{{- $gvisorConfig := dict "kind" "gvisor" "gvisor" (dict "config" "/gvisor-config/pod-init.json" "root" $root) -}}
{{- $_ := set .Values.falco "engine" $gvisorConfig -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
It returns "true" if the driver loader has to be enabled, otherwise false.
*/}}
{{- define "driverLoader.enabled" -}}
{{- if or
(eq .Values.driver.kind "modern_ebpf")
(eq .Values.driver.kind "modern-bpf")
(eq .Values.driver.kind "gvisor")
(not .Values.driver.enabled)
(not .Values.driver.loader.enabled)
-}}
false
{{- else -}}
true
{{- end -}}
{{- end -}}
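Review bot: The gvisor paths no longer take `.Values.driver.enabled` into account: `falco.configSyscallSource` at `{{- $gvisorDisabled := (ne .Values.driver.kind "gvisor") -}}` treats gvisor as active whenever the kind is "gvisor", while the new `falco.engineConfiguration` only emits the engine block when the driver is enabled, and the `eq .Values.driver.kind "gvisor"` checks in pod-template.tpl (hostNetwork/hostPID, the runsc host mounts, the gvisor init container) are likewise ungated, unlike the kmod checks that use `and .Values.driver.enabled (...)`. With `driver.enabled=false` and `driver.kind=gvisor` the pod would presumably still get hostPID, hostNetwork and the runsc host mounts with no engine configured. Suggest `{{- $gvisorDisabled := (or (not .Values.driver.enabled) (ne .Values.driver.kind "gvisor")) -}}` here and `and .Values.driver.enabled (eq .Values.driver.kind "gvisor")` in the template. `falco.configSyscallSource` continues outside the hunk.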
1 change: 1 addition & 0 deletions charts/falco/templates/configmap.yaml
Expand Up @@ -9,4 +9,5 @@ data:
falco.yaml: |-
{{- include "falco.falcosidekickConfig" . }}
{{- include "k8smeta.configuration" . -}}
{{- include "falco.engineConfiguration" . -}}
{{- toYaml .Values.falco | nindent 4 }}
56 changes: 20 additions & 36 deletions charts/falco/templates/pod-template.tpl
Expand Up @@ -45,7 +45,7 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.gvisor.enabled }}
{{- if eq .Values.driver.kind "gvisor" }}
hostNetwork: true
hostPID: true
{{- end }}
Expand All @@ -59,15 +59,6 @@ spec:
{{- include "falco.securityContext" . | nindent 8 }}
args:
- /usr/bin/falco
{{- if and .Values.driver.enabled (eq .Values.driver.kind "modern-bpf") }}
- --modern-bpf
{{- end }}
{{- if .Values.gvisor.enabled }}
- --gvisor-config
- /gvisor-config/pod-init.json
- --gvisor-root
- /host{{ .Values.gvisor.runsc.root }}/k8s.io
{{- end }}
{{- include "falco.configSyscallSource" . | indent 8 }}
{{- with .Values.collectors }}
{{- if .enabled }}
Expand All @@ -90,10 +81,6 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- if and .Values.driver.enabled (eq .Values.driver.kind "ebpf") }}
- name: FALCO_BPF_PROBE
value: {{ .Values.driver.ebpf.path }}
{{- end }}
{{- if .Values.extra.env }}
{{- include "falco.renderTemplate" ( dict "value" .Values.extra.env "context" $) | nindent 8 }}
{{- end }}
Expand Down Expand Up @@ -151,7 +138,7 @@ spec:
name: etc-fs
readOnly: true
{{- end }}
{{- if and .Values.driver.enabled (eq .Values.driver.kind "module") }}
{{- if and .Values.driver.enabled (eq .Values.driver.kind "kmod") }}
- mountPath: /host/dev
name: dev-fs
readOnly: true
Expand Down Expand Up @@ -199,13 +186,13 @@ spec:
{{- with .Values.mounts.volumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.gvisor.enabled }}
{{- if eq .Values.driver.kind "gvisor" }}
- mountPath: /usr/local/bin/runsc
name: runsc-path
readOnly: true
- mountPath: /host{{ .Values.gvisor.runsc.root }}
- mountPath: /host{{ .Values.driver.gvisor.runsc.root }}
name: runsc-root
- mountPath: /host{{ .Values.gvisor.runsc.config }}
- mountPath: /host{{ .Values.driver.gvisor.runsc.config }}
name: runsc-config
- mountPath: /gvisor-config
name: falco-gvisor-config
Expand All @@ -217,14 +204,12 @@ spec:
{{- with .Values.extra.initContainers }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if and .Values.gvisor.enabled }}
{{- if eq .Values.driver.kind "gvisor" }}
{{- include "falco.gvisor.initContainer" . | nindent 4 }}
{{- end }}
{{- if and .Values.driver.enabled (ne .Values.driver.kind "modern-bpf") }}
{{- if.Values.driver.loader.enabled }}
{{- if eq (include "driverLoader.enabled" .) "true" }}
{{- include "falco.driverLoader.initContainer" . | nindent 4 }}
{{- end }}
{{- end }}
{{- if .Values.falcoctl.artifact.install.enabled }}
{{- include "falcoctl.initContainer" . | nindent 4 }}
{{- end }}
Expand All @@ -251,7 +236,7 @@ spec:
hostPath:
path: /etc
{{- end }}
{{- if and .Values.driver.enabled (eq .Values.driver.kind "module") }}
{{- if and .Values.driver.enabled (eq .Values.driver.kind "kmod") }}
- name: dev-fs
hostPath:
path: /dev
Expand Down Expand Up @@ -288,17 +273,17 @@ spec:
hostPath:
path: /proc
{{- end }}
{{- if .Values.gvisor.enabled }}
{{- if eq .Values.driver.kind "gvisor" }}
- name: runsc-path
hostPath:
path: {{ .Values.gvisor.runsc.path }}/runsc
path: {{ .Values.driver.gvisor.runsc.path }}/runsc
type: File
- name: runsc-root
hostPath:
path: {{ .Values.gvisor.runsc.root }}
path: {{ .Values.driver.gvisor.runsc.root }}
- name: runsc-config
hostPath:
path: {{ .Values.gvisor.runsc.config }}
path: {{ .Values.driver.gvisor.runsc.config }}
type: File
- name: falco-gvisor-config
emptyDir: {}
Expand Down Expand Up @@ -348,18 +333,21 @@ spec:
- name: {{ .Chart.Name }}-driver-loader
image: {{ include "falco.driverLoader.image" . }}
imagePullPolicy: {{ .Values.driver.loader.initContainer.image.pullPolicy }}
{{- with .Values.driver.loader.initContainer.args }}
args:
{{- with .Values.driver.loader.initContainer.args }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if eq .Values.driver.kind "ebpf" }}
- ebpf
{{- end }}
{{- with .Values.driver.loader.initContainer.resources }}
resources:
{{- toYaml . | nindent 4 }}
{{- end }}
securityContext:
{{- if .Values.driver.loader.initContainer.securityContext }}
{{- toYaml .Values.driver.loader.initContainer.securityContext | nindent 4 }}
{{- else if eq .Values.driver.kind "module" }}
{{- else if eq .Values.driver.kind "kmod" }}
privileged: true
{{- end }}
volumeMounts:
Expand All @@ -380,10 +368,6 @@ spec:
name: etc-fs
readOnly: true
env:
{{- if eq .Values.driver.kind "ebpf" }}
- name: FALCO_BPF_PROBE
value: {{ .Values.driver.ebpf.path }}
{{- end }}
{{- if .Values.driver.loader.initContainer.env }}
{{- include "falco.renderTemplate" ( dict "value" .Values.driver.loader.initContainer.env "context" $) | nindent 4 }}
{{- end }}
Expand All @@ -392,7 +376,7 @@ spec:
{{- define "falco.securityContext" -}}
{{- $securityContext := dict -}}
{{- if .Values.driver.enabled -}}
{{- if eq .Values.driver.kind "module" -}}
{{- if eq .Values.driver.kind "kmod" -}}
{{- $securityContext := set $securityContext "privileged" true -}}
{{- end -}}
{{- if eq .Values.driver.kind "ebpf" -}}
Expand All @@ -402,8 +386,8 @@ spec:
{{- $securityContext := set $securityContext "privileged" true -}}
{{- end -}}
{{- end -}}
{{- if eq .Values.driver.kind "modern-bpf" -}}
{{- if .Values.driver.modern_bpf.leastPrivileged -}}
{{- if eq .Values.driver.kind "modern_ebpf" -}}
{{- if .Values.driver.modernEbpf.leastPrivileged -}}
{{- $securityContext := set $securityContext "capabilities" (dict "add" (list "BPF" "SYS_RESOURCE" "PERFMON" "SYS_PTRACE")) -}}
{{- else -}}
{{- $securityContext := set $securityContext "privileged" true -}}
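Review bot: The alias names accepted by `falco.engineConfiguration` and advertised in NOTES.txt are not honoured in this template: the dev-fs mount and volume (`eq .Values.driver.kind "kmod"`), the driver-loader `privileged: true` branch and `falco.securityContext` compare only against the canonical "kmod"/"modern_ebpf" names, whereas `driverLoader.enabled` in _helpers.tpl also matches "modern-bpf". A user keeping `driver.kind=module` or `modern-bpf` would get the right `engine` block in falco.yaml but a container without the privileged/capabilities security context and host mounts those drivers need, so the driver load would presumably fail rather than just warn. Either resolve the alias to its canonical name once (e.g. a small `falco.driverKind` helper used by every comparison) or drop alias support and let the `fail` in `falco.engineConfiguration` reject the old names. `falco.securityContext` continues outside the hunk.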
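--- /dev/null
+++ b/charts/falco/tests/unit/consts.go
@@ -0,0 +1,22 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package unit
+
+const (
+releaseName = "rendered-resources"
+patternK8sMetacollectorFiles = `# Source: falco/charts/k8s-metacollector/templates/([^\n]+)`
+k8sMetaPluginName = "k8smeta"
+)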
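--- /dev/null
+++ b/charts/falco/tests/unit/doc.go
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package unit contains the unit tests for the Falco chart.
+package unit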
