diff --git a/charts/falco/values-syscall-k8saudit.yaml b/charts/falco/values-syscall-k8saudit.yaml index 96023b0a2..5b93cc0dc 100644 --- a/charts/falco/values-syscall-k8saudit.yaml +++ b/charts/falco/values-syscall-k8saudit.yaml @@ -20,6 +20,7 @@ controller: falcoctl: artifact: + install: # -- Enable the init container. We do not recommend installing plugins for security reasons since they are executable objects. # We install only "rulesfiles". @@ -29,24 +30,17 @@ falcoctl: enabled: true config: artifact: + allowedTypes: ["rulesfile", "plugin"] install: # -- Do not resolve the depenencies for artifacts. By default is true, but for our use case we disable it. resolveDeps: false # -- List of artifacts to be installed by the falcoctl init container. # We do not recommend installing (or following) plugins for security reasons since they are executable objects. - refs: [falco-rules:2, k8saudit-rules:0.6] + refs: [falco-rules:2, ghcr.io/alacuku/plugins/plugin/k8smeta:latest] follow: # -- List of artifacts to be followed by the falcoctl sidecar container. # We do not recommend installing (or following) plugins for security reasons since they are executable objects. - refs: [falco-rules:2, k8saudit-rules:0.6] - -services: - - name: k8saudit-webhook - type: NodePort - ports: - - port: 9765 # See plugin open_params - nodePort: 30007 - protocol: TCP + refs: [falco-rules:2] falco: rules_file: @@ -54,14 +48,10 @@ falco: - /etc/falco/k8s_audit_rules.yaml - /etc/falco/rules.d plugins: - - name: k8saudit - library_path: libk8saudit.so + - name: k8smeta + library_path: libk8smeta.so init_config: - "" - # maxEventBytes: 1048576 - # sslCertificate: /etc/falco/falco.pem - open_params: "http://:9765/k8s-audit" - - name: json - library_path: libjson.so - init_config: "" - load_plugins: [k8saudit, json] + collectorPort: 45000 + collectorHostname: meta-collector.meta-collector.svc + nodename: "worker-node-1" + load_plugins: [k8smeta]