[falco-talon] New Helm chart

Makefile

@@ -118,7 +118,7 @@ helm-lint-custom: guard-CHART ## Lint Helm chart
 
 .PHONY: helm-lint-docker
 helm-lint-docker: guard-CHART ## Lint Helm chart
-	@docker run -it --rm --name ct --volume $$(pwd):/data quay.io/helmpack/chart-testing sh -c "cd /data; ct lint --config .github/ct.yaml"
+	@docker run -it --rm -v ${HOME}:/root/ -v ${PWD}:/work -w /work --net host quay.io/helmpack/chart-testing ct lint --charts=charts/falco-talon --config .github/ct.yaml
 
 .PHONY: helm-install
 helm-install: guard-CHART guard-RELEASE ## Install a Helm chart

charts/falco-talon/Chart.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: v1
+appVersion: 0.1.0
+description: React to events from Falco
+name: falco-talon
+version: 1.0.0
+keywords:
+  - falco
+  - monitoring
+  - security
+  - response-engine
+  - portefaix
+home: https://github.com/falco-talon/falco-talon
+icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/falco/horizontal/color/falco-horizontal-color.svg
+sources:
+  - https://github.com/falco-talon/falco-talon
+  - https://github.com/nlamirault/portefaix-hub/tree/master/charts/falco-talon
+maintainers:
+  - name: nlamirault
+    email: nicolas.lamirault@gmail.com
+
+# https://artifacthub.io/docs/topics/annotations/helm/
+annotations:
+  artifacthub.io/license: Apache-2.0
+  artifacthub.io/links: |
+    - name: Falco
+      url: https://falco.org/
+    - name: Falco Talon
+      url: https://docs.falco-talon.org/
+    - name: Portefaix
+      url: https://portefaix.xyz
+  artifacthub.io/maintainers: |
+    - name: nlamirault
+      email: nicolas.lamirault@gmail.com
+  artifacthub.io/signKey: |
+    fingerprint: C39918B3EBDE35C23B8D0B8E5F99269A6FCA437C
+    url: https://keybase.io/nlamirault/pgp_keys.asc
+  artifacthub.io/changes: |
+    - kind: added
+      description: new chart

charts/falco-talon/README.md.gotmpl

@@ -0,0 +1,82 @@
+<!--
+(NOTE: Do not edit README.md directly. It is a generated file!)
+(      To make changes, please modify README.md.gotmpl and run `helm-docs`)
+-->
+
+** WAITING FOR OFFICIEL CHART **
+
+
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.badgesSection" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+
+## Breaking change announcements
+
+### **v1.0.0**
+
+This is the first release
+
+## Usage
+
+### Setup Portefaix chart repository
+
+```shell
+helm repo add portefaix-hub https://charts.portefaix.xyz/
+helm repo update
+```
+
+Once the chart has been added, install one of the available charts:
+
+```shell
+helm upgrade -i <release_name> portefaix-hub/falco-talon
+```
+
+### Installing from an OCI Registry
+
+Charts are also available in OCI format. The list of available charts can be found [here](https://github.com/orgs/portefaix/packages).
+
+Install one of the available charts:
+
+```shell
+$ helm upgrade -i oci://ghcr.io/portefaix/portefaix-hub/falco-talon --version=<version>
+```
+
+
+
+### Install chart
+
+To install the chart with the release name `my-release`:
+
+```bash
+cat >> values.yaml << EOF
+additionalLabels:
+  app: falco-talon
+
+EOF
+helm install falco-talon --atomic --timeout 300s  portefaix-hub/{{ template "chart.name" . }} --values values.yaml
+```
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+<!-- markdownlint-disable no-bare-urls -->
+{{ template "chart.requirementsSection" . }}
+<!-- markdownlint-enable no-bare-urls -->
+
+{{ template "chart.valuesSection" . }}
+
+## Customizing the configuration
+
+There are several options for customizing the configuration generated by this chart.
+
+### Policies
+
+You can choose which policies to enable or disable.
+
+You can choose for each policy the [validation action](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/#validation-actions)

charts/falco-talon/rules/rules.yaml

@@ -0,0 +1,17 @@
+- action: Terminate Pod
+  actionner: kubernetes:terminate
+
+- action: Label Pod as Suspicious
+  actionner: kubernetes:label
+  parameters:
+    labels:
+      falco-talon.org/suspicious: "true"
+
+- rule: Terminal shell in container 
+  match:
+    rules:
+      - Terminal shell in container
+    output_fields:
+      - k8s.ns.name!=kube-system, k8s.ns.name!=falco
+  actions:
+    - action: Label Pod as Suspicious

charts/falco-talon/rules/rules_override.yaml

@@ -0,0 +1,6 @@
+- action: Terminate Pod
+  actionner: kubernetes:terminate
+  parameters:
+    ignore_daemonsets: true
+    ignore_statefulsets: true
+    grace_period_seconds: 2

charts/falco-talon/templates/_helpers.tpl

@@ -0,0 +1,66 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "falco-talon.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "falco-talon.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for ingress.
+*/}}
+{{- define "falco-talon.ingress.apiVersion" -}}
+  {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) -}}
+      {{- print "networking.k8s.io/v1" -}}
+  {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}}
+    {{- print "networking.k8s.io/v1beta1" -}}
+  {{- else -}}
+    {{- print "extensions/v1beta1" -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "falco-talon.labels" -}}
+helm.sh/chart: {{ include "falco-talon.chart" . }}
+app.kubernetes.io/component: falco-talon
+app.kubernetes.io/part-of: {{ include "falco-talon.name" . }}
+app.kubernetes.io/managed-by: {{ .Release.Name }}
+{{ include "falco-talon.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "falco-talon.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "falco-talon.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Return if ingress is stable.
+*/}}
+{{- define "falco-talon.ingress.isStable" -}}
+  {{- eq (include "falco-talon.ingress.apiVersion" .) "networking.k8s.io/v1" -}}
+{{- end -}}
+
+{{/*
+Return if ingress supports pathType.
+*/}}
+{{- define "falco-talon.ingress.supportsPathType" -}}
+  {{- or (eq (include "falco-talon.ingress.isStable" .) "true") (and (eq (include "falco-talon.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}}
+{{- end -}}

charts/falco-talon/templates/clusterrole.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.podSecurityPolicy.create }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "falco-talon.name" .}}
+  labels:
+    {{- include "falco-talon.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - policy
+    resources:
+      - podsecuritypolicies
+    resourceNames:
+      - {{ template "falco-talon.name" . }}
+    verbs:
+      - use
+{{- end }}

charts/falco-talon/templates/configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "falco-talon.name" . }}-rules
+  labels:
+    {{- include "falco-talon.labels" . | nindent 4 }}
+data:
+  rules.yaml: |-
+{{- range $file := .Values.config.rulesFiles -}}
+{{ $fileContent := $.Files.Get . }}
+{{- $fileContent | nindent 4 -}}
+{{- end -}}

charts/falco-talon/templates/deployment.yaml

@@ -0,0 +1,88 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "falco-talon.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "falco-talon.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "falco-talon.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+      {{- include "falco-talon.labels" . | nindent 8 }}
+      {{- if .Values.podAnnotations }}
+        {{ toYaml .Values.podAnnotations | indent 8 }}
+      {{- end }}
+    spec:
+      serviceAccountName: {{ include "falco-talon.name" . }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: "{{ .Values.priorityClassName }}"
+      {{- end }}
+      securityContext:
+        runAsUser: {{ .Values.podSecurityContext.runAsUser }}
+        fsGroup: {{ .Values.podSecurityContext.fsGroup }}
+      restartPolicy: Always
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args: ["server", "-c", "/etc/falco-talon/config.yaml", "-r", "/etc/falco-talon/rules.yaml"]
+          ports:
+            - name: http
+              containerPort: 2803
+              protocol: TCP
+            - name: nats
+              containerPort: 4222
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 5
+          {{- if .Values.extraEnv }}
+          env:
+            {{ toYaml .Values.extraEnv | nindent 12 }}
+          {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: "config"
+              mountPath: "/etc/falco-talon/config.yaml"
+              subPath: config.yaml
+              readOnly: true
+            - name: "rules"
+              mountPath: "/etc/falco-talon/rules.yaml"
+              subPath: rules.yaml
+              readOnly: true
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      volumes:
+        - name: "rules"
+          configMap:
+            name: "{{ include "falco-talon.name" . }}-rules"
+        - name: "config"
+          secret:
+            secretName: "{{ include "falco-talon.name" . }}-config"