ROADMAP - Build slim and full Falco container images

[mfdii]

Signed-off-by: Michael Ducy michael@ducy.org

What type of PR is this?
/kind feature

Any specific area of the project related to this PR?

/area deployment

What this PR does / why we need it:
The current Falco images are quite large (720 MB) and carry lots of build tools that we want to remove from the current image. The build tools are required to compile kernel modules dynamically when the Falco container starts.

Under the new design we wish to remove the build tools and create two image categories:

• Init container image for Kernel Module/eBPF probe delivery
  • Container for building probe dynamically (current model)
  • Container for pulling module via HTTPS
  • Container for building & packaging custom kernel modules
  • Container(s) shipping prebuilt modules
• Falco container image containing the minimum required software
  • Minimal Image falcosecurity/falco-minimal - only required executables and libraries (~19.5mb)
  • Slim Image falcosecurity/falco-slim - Distribution based image (~224mb)

Other tasks before this PR is complete:

• Update kubernetes manifests to support new model
• Update helm chart (external PR)
• Automated build process for new container images
• Testing of images in deployment scenarios
  • GKE
  • Response Engine
  • IKS
  • Minikube

Which issue(s) this PR fixes:

Fixes #532

Does this PR introduce a user-facing change?:

Initial redesign container images to remove build tools and leverage init containers for kernel module delivery.

[mfdii]

Note that the Falco application images can be tested by using the falcosecurity/falco-minimal or falcosecurity/falco-slim images. Currently I've only built a falco probe container image for the linuxkit kernel (docker desktop, falcosecurity/probe-linuxkit-4.9.184).

You can test by running the following:

docker run --rm --privileged falcosecurity/probe-linuxkit-4.9.184
docker run --rm -i -t --name falco --privileged -v /var/run/docker.sock:/host/var/run/docker.sock     -v /dev:/host/dev -v /proc:/host/proc:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro falcosecurity/falco-slim:0.17.0

[JPLachance]

This is a superb start! I'll be happy to test it in K8s v1.11.10 in AWS 🎉

[poiana]

@JPLachance: changing LGTM is restricted to assignees, and only falcosecurity/falco repo collaborators may be assigned issues.

In response to this:

This is a superb start! I'll be happy to test it in K8s v1.11.10 in AWS 🎉

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mfdii]

@JPLachance I've pushed the httploader initContainer. This replicates the current method of pulling kernel modules from S3. Look at the updated k8s daemonset to see how to configure.

[JPLachance]

Good job! We are almost there! 🎉

[JPLachance]

Do we need to update Falco rules to allow those new images to run with the --privileged flag?

https://github.com/falcosecurity/falco/blob/dev/rules/falco_rules.yaml#L1751

I think yes, but I'm not sure.

[mfdii]

Yes, we will need this.

[JPLachance]

If the kernel module is already loaded for some reason, how does a Falco user fix it? I think we should add a link to some documentation in the log.

[mfdii]

One thing that the current probe loader does is remove the loaded module. We could do this as well, with a retry loop and timeout.

[fntlnz]

Here's an initial review, thanks for working on this @mfdii !

I also think we need a readme on how to use it but didn't know where to commentt this

[leodido]

Some nits

[leodido]

Another nit

[leodido]

🎉

[poiana]

LGTM label has been added.

Git tree hash: 2851f34f65c67c607edf8be621c502ae5d6732ba

[fntlnz]

@mfdii me and @leodido took over to continue this PR.

We moved the httploader tool to falcoctl falcosecurity/falcoctl#21 - now it's falcoctl install probe

The docker image reflects that. It is pushed following the same versioning as falco, so now we have:

• falcosecurity/probeloader:latest
• falcosecurity/probeloader:0.17.1

Also instead of having a different image repository for every slim and minimal we are using tags.

E.g: for falco 0.18.0 we will have

• falcosecurity/falcoctl:0.18.0
• falcosecurity/falcoctl:0.18.0-slim
• falcosecurity/falcoctl:0.18.0-minimal

And for latest

• falcosecurity/falcoctl:latest
• falcosecurity/falcoctl:latest-slim
• falcosecurity/falcoctl:latest-minimal

Those slim and minimal images will not be pushed for old falco versions, like 0.17.1 but starting from 0.18.0, the milestone attached to this PR.

The Release process is NOT automated and we have a work item on that #726

[mfdii]

lgtm

[poiana]

@mfdii: you cannot LGTM your own PR.

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[leodido]

As planned during last meetings we are going to merge this PR.

@mfdii : there are some missing points/goals listed in the PR corpus, what's the planning for those? I propose to open issues to track them, first of all.

[poiana]

LGTM label has been added.

Git tree hash: 89fbc0566bfc3da02c532e95f0a01edb3774ba4a

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fntlnz, kris-nova, leodido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [fntlnz,kris-nova,leodido]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment