This is a carryover from a Slack conversation, and is related to high CPU usage when using Falco in k8s environments. It's related to other issues but has a better description and suggested fixes, so I wanted to capture it somewhere. The fix for this issue is to properly document it on the wiki.
Thanks so much to @JPLachance for the detailed description!
Okay, so I finally got something working.
After trying many things with Mark Stemm, we identified that when we were removing the `-k https://kubernetes` argument, CPU usage was going down.
In my setup, the Falco container was deployed in its own namespace, let's say `falco-ns`. That being said, passing `https://kubernetes` makes Falco try to access the API server in the current namespace `falco-ns`. That cannot work since the API server is always deployed in the `default` namespace.
So, changing `-k https://kubernetes` to `-k https://kubernetes.default` allowed Falco to speak to the API server. There is already an open pull request to fix that in the K8S example: https://github.com/draios/falco/pull/296.
After that, I encountered another issue:
Tue Nov 28 18:08:32 2017: Runtime error: K8s API error; Status: Failure, Message: nodes is forbidden: User "system:serviceaccount:falco-ns:default" cannot list nodes at the cluster scope, Reason: Forbidden, Details: , Code: nodes is forbidden: User "system:serviceaccount:falco-ns:default" cannot list nodes at the cluster scope. Exiting.
That is caused by the fact I use RBAC and the default service account cannot access all resources Falco needs to access. That concern was raised in #297. I found the fix in https://support.sysdig.com/hc/en-us/articles/206770633-Sysdig-Install-Kubernetes-.
More precisely:
After that, simply add `serviceAccount: falco-service-account` under `spec.template.spec` in your Deployment/DaemonSet YAML and you will be good to go! Hope it helps :)
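The manifests the fix above implies, as an added example that is not the issue's or the Falco project's own YAML. The namespace, service account name and `-k` value come from the thread; the ClusterRole and binding names, the read-only resource list (enough to clear the `nodes is forbidden` error without granting any write verb) and the `apps/v1` DaemonSet skeleton with a placeholder image are assumptions.

```yaml
# Added example, not from the issue or the Falco project.
# Read-only ClusterRole: Falco only needs to get/list/watch, never to write.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: falco-service-account
  namespace: falco-ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: falco-cluster-role          # name is an assumption
rules:
  - apiGroups: [""]
    resources: [nodes, namespaces, pods, replicationcontrollers, services, events]
    verbs: [get, list, watch]
  - apiGroups: [extensions, apps]
    resources: [daemonsets, deployments, replicasets]
    verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: falco-cluster-role-binding  # name is an assumption
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: falco-cluster-role
subjects:
  - kind: ServiceAccount
    name: falco-service-account
    namespace: falco-ns             # must match the SA's namespace, not "default"
---
# DaemonSet excerpt: bind the service account and pass the corrected -k value.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: falco
  namespace: falco-ns
spec:
  selector:
    matchLabels: {app: falco}
  template:
    metadata:
      labels: {app: falco}
    spec:
      serviceAccountName: falco-service-account  # `serviceAccount:` is the deprecated alias
      containers:
        - name: falco
          image: FALCO_IMAGE_PLACEHOLDER          # replace with the Falco image you deploy
          args: ["-k", "https://kubernetes.default"]
```

Before restarting Falco you can confirm the binding took effect with `kubectl auth can-i list nodes --as=system:serviceaccount:falco-ns:falco-service-account`, which should print `yes`; the same command with a write verb such as `delete` should print `no`.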