From 18dac6b77fc2db2a42a148753c179cafd0596eb6 Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Thu, 25 Dec 2025 12:31:06 +0900
Subject: [PATCH] FIX(falco): change Falco driver to modern_ebpf

- Use modern_ebpf driver for kernel 6.14 compatibility
- Fix kernel module issues
---
 falco/argocd/falco.yaml | 94 +++++++++++++++++++++++++++++++-----
 falco/helm-values/falco.yaml | 4 +-
 2 files changed, 85 insertions(+), 13 deletions(-)

diff --git a/falco/argocd/falco.yaml b/falco/argocd/falco.yaml
index 8114464..d20447a 100644
--- a/falco/argocd/falco.yaml
+++ b/falco/argocd/falco.yaml
@@ -8,18 +8,79 @@ metadata: spec: project: default - sources: + source: # Helm chart from Falcosecurity repository - - repoURL: https://falcosecurity.github.io/charts - chart: falco - targetRevision: 4.14.2 - helm: - valueFiles: - - $values/falco/helm-values/falco.yaml - # Values file from Git repository - - repoURL: https://gitea0213.kro.kr/bluemayne/cluster-infrastructure.git - targetRevision: main - ref: values + repoURL: https://falcosecurity.github.io/charts + chart: falco + targetRevision: 4.20.0 + helm: + values: | + # Driver configuration - use modern_ebpf + driver: + enabled: true + kind: modern_ebpf + + # Image configuration - use Falco 0.40.0 for kernel 6.14 support + image: + registry: docker.io + repository: falcosecurity/falco + tag: 0.40.0 + + # Resource requests + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 1000m + memory: 1Gi + + # Falco configuration + falco: + json_output: true + json_include_output_property: true + log_stderr: true + log_syslog: false + log_level: info + rules_files: + - /etc/falco/falco_rules.yaml + - /etc/falco/falco_rules.local.yaml + + # Metrics + metrics: + enabled: true + + # Service Monitor + serviceMonitor: + enabled: true + interval: 30s + + # Falcosidekick + falcosidekick: + enabled: true + config: + debug: false + webui: + enabled: true + replicaCount: 1 + resources: + requests: + cpu: 50m + memory: 128Mi + + # RBAC + rbac: + create: true + + serviceAccount: + create: true + name: falco + + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane destination: server: https://kubernetes.default.svc @@ -36,6 +97,7 @@ spec: - PrunePropagationPolicy=foreground - PruneLast=true - ServerSideApply=true + - RespectIgnoreDifferences=true retry: limit: 5 
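Review bot: Replacing the multi-source `sources:` block with an inline `helm.values: |` means `falco/helm-values/falco.yaml` is no longer read by this Application, yet the last hunk of this same commit still edits that file; unless another Application references it, the two copies will drift, so either delete the file or keep the `$values` reference and move these values into it. The inline block also turns on `falcosidekick.webui.enabled: true` without setting any login for the UI, and the falcosidekick chart's web UI ships with a default login unless it is overridden, so confirm that is handled (and that the UI is not reachable from outside the cluster) before merging; at minimum I would put `# NOTE: web UI login is the chart default until overridden in values` above `webui:`. Consider pinning `image.tag: 0.40.0` by digest as well, since the Falco DaemonSet typically runs with elevated privileges for the eBPF driver.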
@@ -44,4 +106,14 @@ spec: factor: 2 maxDuration: 3m + # Ignore StatefulSet persistentVolumeClaimRetentionPolicy differences + # This field is set by Kubernetes but may differ from Helm chart expectations + ignoreDifferences: + - group: apps + kind: StatefulSet + name: falco-falcosidekick-ui-redis + namespace: falco + jqPathExpressions: + - .spec.persistentVolumeClaimRetentionPolicy + revisionHistoryLimit: 10 diff --git a/falco/helm-values/falco.yaml b/falco/helm-values/falco.yaml index 4324e91..78f378a 100644 --- a/falco/helm-values/falco.yaml +++ b/falco/helm-values/falco.yaml @@ -1,10 +1,10 @@ # Falco Helm Values # Chart: https://github.com/falcosecurity/charts/tree/master/charts/falco -# Driver configuration - use eBPF for better compatibility +# Driver configuration - use modern_ebpf (no compilation needed) driver: enabled: true - kind: ebpf # or "module" for kernel module + kind: modern_ebpf # Uses modern eBPF features, no driver compilation needed # Image configuration image:
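Review bot: The ignore rule is keyed on the hard-coded `name: falco-falcosidekick-ui-redis` and `namespace: falco`, so a renamed release or a different destination namespace would silently stop matching and the StatefulSet would show OutOfSync again; the comment should say where the name comes from, e.g. `# Name is <release>-falcosidekick-ui-redis; update if the release name or namespace changes`. The diff is suppressed by `ignoreDifferences` alone, but sync only stops re-applying the field because of the `RespectIgnoreDifferences=true` option added in the previous hunk, which is worth stating in the same comment so the two are not separated later. Also note the trade-off: once ignored, a manual change to the Redis PVC retention policy (for example switching it to delete claims) will no longer surface as drift, which is acceptable only if that field is not something GitOps is meant to enforce here.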
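Review bot: The new comment on `kind: modern_ebpf` says no driver compilation is needed but does not record the prerequisite that replaces it: the modern eBPF probe relies on BTF/CO-RE support in the node kernel (roughly 5.8 or newer), and with the kind set explicitly I believe Falco fails to load the probe rather than falling back to another driver. Suggest `kind: modern_ebpf  # CO-RE probe: needs kernel >= 5.8 with BTF enabled; no out-of-tree driver build` so whoever hits a startup failure on an older node knows what to check first.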