From 10308d48d02a34d64c81d2f930e0039272b4356a Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Thu, 25 Dec 2025 12:21:19 +0900
Subject: [PATCH] FEAT(velero): Add Velero, Falco, - and CNPG infrastructure components

Add three critical infrastructure components via GitOps:
- Velero: Backup and disaster recovery solution
- Configured with Minio S3 backend
- Daily full cluster backups (30-day retention)
- Hourly backups for critical namespaces (7-day retention)
- Credentials managed via External Secrets from Vault
- Falco: Runtime security monitoring
- eBPF-based threat detection
- Custom rules for container security
- Falcosidekick for alert forwarding
- Prometheus metrics enabled
- CNPG (CloudNativePG): PostgreSQL operator
- Kubernetes-native PostgreSQL management
- Automated failover and backups
- Will replace Bitnami PostgreSQL
All components follow existing GitOps patterns:
- Helm charts deployed via ArgoCD
- Values managed in Git
- Automated sync with selfHeal enabled
---
 falco/argocd/falco.yaml | 47 +++++++++
 falco/helm-values/falco.yaml | 178 +++++++++++++++++++++++++++++++++++
 falco/kustomization.yaml | 6 ++
 3 files changed, 231 insertions(+)
 create mode 100644 falco/argocd/falco.yaml
 create mode 100644 falco/helm-values/falco.yaml
 create mode 100644 falco/kustomization.yaml

diff --git a/falco/argocd/falco.yaml b/falco/argocd/falco.yaml
new file mode 100644
index 0000000..8114464
--- /dev/null
+++ b/falco/argocd/falco.yaml
@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: falco
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ sources:
+ # Helm chart from Falcosecurity repository
+ - repoURL: https://falcosecurity.github.io/charts
+ chart: falco
+ targetRevision: 4.14.2
+ helm:
+ valueFiles:
+ - $values/falco/helm-values/falco.yaml
+ # Values file from Git repository
+ - repoURL: https://gitea0213.kro.kr/bluemayne/cluster-infrastructure.git
+ targetRevision: main
+ ref: values
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: falco
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+
+ syncOptions:
+ - CreateNamespace=true
+ - PrunePropagationPolicy=foreground
+ - PruneLast=true
+ - ServerSideApply=true
+
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+
+ revisionHistoryLimit: 10
diff --git a/falco/helm-values/falco.yaml b/falco/helm-values/falco.yaml
new file mode 100644
index 0000000..4324e91
--- /dev/null
+++ b/falco/helm-values/falco.yaml
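Review bot: The Application is placed in `project: default`, which in a stock Argo CD install permits any source repository and any destination, so the only boundary around what this sync may pull and where it may write is the two `repoURL`s in this file. A dedicated AppProject that lists the chart repo and the Gitea values repo under `sourceRepos` and pins `destinations` to namespace `falco` on `https://kubernetes.default.svc` would make that boundary explicit, with `project: falco` here. The commit message also describes Velero and CNPG, while the diffstat lists only the three `falco/` files; presumably those land in separate commits, but the subject and body should describe what this patch actually contains.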
@@ -0,0 +1,178 @@
+# Falco Helm Values
+# Chart: https://github.com/falcosecurity/charts/tree/master/charts/falco
+
+# Driver configuration - use eBPF for better compatibility
+driver:
+ enabled: true
+ kind: ebpf # or "module" for kernel module
+
+# Image configuration
+image:
+ registry: docker.io
+ repository: falcosecurity/falco-no-driver
+ tag: 0.39.2
+
+# Resource requests
+resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 1000m
+ memory: 1Gi
+
+# Falco configuration
+falco:
+ # Enable JSON output for better parsing
+ json_output: true
+ json_include_output_property: true
+
+ # Log to stdout
+ log_stderr: true
+ log_syslog: false
+ log_level: info
+
+ # Performance tuning
+ buffered_outputs: true
+ outputs_queue_capacity: 10000
+
+ # Rules configuration
+ rules_files:
+ - /etc/falco/falco_rules.yaml
+ - /etc/falco/falco_rules.local.yaml
+ - /etc/falco/rules.d
+
+ # Load default rules
+ load_plugins: []
+
+# Custom rules (add to this section)
+customRules:
+ custom-rules.yaml: |-
+ # Custom Falco Rules for your cluster
+
+ - rule: Unauthorized Process in Container
+ desc: Detect unexpected processes in containers
+ condition: >
+ spawned_process and container and
+ not proc.name in (sh, bash, node, python, java, nginx, postgres)
+ output: >
+ Unauthorized process started in container
+ (user=%user.name command=%proc.cmdline container=%container.name image=%container.image.repository)
+ priority: WARNING
+ tags: [container, process]
+
+ - rule: Sensitive File Access
+ desc: Detect access to sensitive files
+ condition: >
+ open_read and container and
+ fd.name in (/etc/shadow, /etc/passwd, /root/.ssh/id_rsa, /root/.ssh/authorized_keys)
+ output: >
+ Sensitive file accessed
+ (user=%user.name file=%fd.name container=%container.name image=%container.image.repository)
+ priority: CRITICAL
+ tags: [file, security]
+
+ - rule: Container Drift Detection
+ desc: Detect file modifications in containers
+ condition: >
+ container and
+ (open_write or rename or remove) and
+ not proc.name in (apt, yum, dnf, apk, npm, pip)
+ output: >
+ File modified in container
+ (user=%user.name file=%fd.name proc=%proc.name container=%container.name)
+ priority: WARNING
+ tags: [container, drift]
+
+# Enable Prometheus metrics
+metrics:
+ enabled: true
+
+# Service Monitor for Prometheus Operator
+serviceMonitor:
+ enabled: true
+ interval: 30s
+
+# Grafana dashboard
+grafanaDashboard:
+ enabled: false
+
+# Falcosidekick integration (for forwarding alerts)
+falcosidekick:
+ enabled: true
+ fullfqdn: false
+
+ config:
+ # Output to stdout/logs
+ debug: false
+
+ # Slack integration (optional)
+ # slack:
+ # webhookurl: ""
+ # minimumpriority: "warning"
+
+ # Discord integration (optional)
+ # discord:
+ # webhookurl: ""
+ # minimumpriority: "warning"
+
+ # Falcosidekick Web UI
+ webui:
+ enabled: true
+ replicaCount: 1
+
+ service:
+ type: ClusterIP
+ port: 2802
+
+ ingress:
+ enabled: false
+ # annotations:
+ # cert-manager.io/cluster-issuer: letsencrypt-prod
+ # hosts:
+ # - host: falco0213.kro.kr
+ # paths:
+ # - path: /
+ # pathType: Prefix
+
+ resources:
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+
+# RBAC
+rbac:
+ create: true
+
+# Service Account
+serviceAccount:
+ create: true
+ name: falco
+
+# Node selector to run on all nodes
+nodeSelector: {}
+
+# Tolerations to run on all nodes including masters
+tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/control-plane
+
+# Run as DaemonSet on all nodes
+daemonset:
+ updateStrategy:
+ type: RollingUpdate
+
+# Priority class
+priorityClassName: ""
+
+# Extra environment variables
+extraEnvVars: []
+
+# Extra volumes
+extraVolumes: []
+extraVolumeMounts: []
diff --git a/falco/kustomization.yaml b/falco/kustomization.yaml
new file mode 100644
index 0000000..e405e43
--- /dev/null
+++ b/falco/kustomization.yaml
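Review bot: The `Unauthorized Process in Container` rule allowlists `sh` and `bash`, so an interactive shell spawned inside a container is precisely the event this rule stays silent on, while every ordinary helper binary (`cat`, `ls`, health-check scripts) raises a WARNING; removing the shells from the list, or leaning on the stock `Terminal shell in container` rule that the loaded `falco_rules.yaml` already provides, gives a much clearer signal. `Sensitive File Access` includes `/etc/passwd`, which is world-readable and consulted on routine user lookups, so a CRITICAL alert per read will bury the `/etc/shadow` and SSH-key hits that actually matter; `/etc/shadow` alone, or the stock `Read sensitive file untrusted` rule, is the better match. In `Container Drift Detection` the output prints `%fd.name`, but `rename` and `remove` events carry no file descriptor, so those alerts should show `<NA>` for the path; `%evt.args` or one rule per event class would keep the path visible. The comment `# Load default rules` above `load_plugins: []` describes the wrong key (this list loads plugins, not rules), and the `tolerations` only cover the two control-plane taints, so nodes carrying any other taint go unmonitored despite the "run on all nodes" comment; a single `- operator: Exists` toleration is the usual choice for a node-level security agent. `webui.enabled: true` with no credential override leaves the Falcosidekick UI on the chart's default login (set through `webui.user`, if I recall the chart correctly), which is worth sourcing from a Secret even though the Service is ClusterIP-only and the Ingress is disabled.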
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ # ArgoCD Application 리소스는 root kustomization.yaml에서 관리
+ # - argocd/falco.yaml
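Review bot: `resources:` followed only by commented-out entries is a bare key, which parses as null rather than an empty list; if this stub is meant to build to nothing, `resources: []` states that intent and satisfies yamllint's `empty-values` check. The Korean comment says the Argo CD Application resource is managed from the root kustomization.yaml, which leaves this file with no effect at all; an English rendering such as `# The Argo CD Application is managed by the root kustomization.yaml` would help readers who do not read Korean, or the file could be dropped if nothing references it.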