FIX(falco): change Falco driver to modern_ebpf

- Use modern_ebpf driver for kernel 6.14 compatibility - Fix kernel module issues
2025-12-25 12:31:06 +09:00
parent 10308d48d0
commit 18dac6b77f
2 changed files with 85 additions and 13 deletions
--- a/falco/argocd/falco.yaml
+++ b/falco/argocd/falco.yaml
@@ -8,18 +8,79 @@ metadata:
 spec:
  project: default

-  sources:
+  source:
    # Helm chart from Falcosecurity repository
-    - repoURL: https://falcosecurity.github.io/charts
+    repoURL: https://falcosecurity.github.io/charts
    chart: falco
-      targetRevision: 4.14.2
+    targetRevision: 4.20.0
    helm:
-        valueFiles:
-          - $values/falco/helm-values/falco.yaml
-    # Values file from Git repository
-    - repoURL: https://gitea0213.kro.kr/bluemayne/cluster-infrastructure.git
-      targetRevision: main
-      ref: values
+      values: |
+        # Driver configuration - use modern_ebpf
+        driver:
+          enabled: true
+          kind: modern_ebpf
+
+        # Image configuration - use Falco 0.40.0 for kernel 6.14 support
+        image:
+          registry: docker.io
+          repository: falcosecurity/falco
+          tag: 0.40.0
+
+        # Resource requests
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: 1000m
+            memory: 1Gi
+
+        # Falco configuration
+        falco:
+          json_output: true
+          json_include_output_property: true
+          log_stderr: true
+          log_syslog: false
+          log_level: info
+          rules_files:
+            - /etc/falco/falco_rules.yaml
+            - /etc/falco/falco_rules.local.yaml
+
+        # Metrics
+        metrics:
+          enabled: true
+
+        # Service Monitor
+        serviceMonitor:
+          enabled: true
+          interval: 30s
+
+        # Falcosidekick
+        falcosidekick:
+          enabled: true
+          config:
+            debug: false
+          webui:
+            enabled: true
+            replicaCount: 1
+            resources:
+              requests:
+                cpu: 50m
+                memory: 128Mi
+
+        # RBAC
+        rbac:
+          create: true
+
+        serviceAccount:
+          create: true
+          name: falco
+
+        tolerations:
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/master
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/control-plane

  destination:
    server: https://kubernetes.default.svc
@@ -36,6 +97,7 @@ spec:
      - PrunePropagationPolicy=foreground
      - PruneLast=true
      - ServerSideApply=true
+      - RespectIgnoreDifferences=true

    retry:
      limit: 5
@@ -44,4 +106,14 @@ spec:
        factor: 2
        maxDuration: 3m

+  # Ignore StatefulSet persistentVolumeClaimRetentionPolicy differences
+  # This field is set by Kubernetes but may differ from Helm chart expectations
+  ignoreDifferences:
+    - group: apps
+      kind: StatefulSet
+      name: falco-falcosidekick-ui-redis
+      namespace: falco
+      jqPathExpressions:
+        - .spec.persistentVolumeClaimRetentionPolicy
+
  revisionHistoryLimit: 10
--- a/falco/helm-values/falco.yaml
+++ b/falco/helm-values/falco.yaml
@@ -1,10 +1,10 @@
 # Falco Helm Values
 # Chart: https://github.com/falcosecurity/charts/tree/master/charts/falco

-# Driver configuration - use eBPF for better compatibility
+# Driver configuration - use modern_ebpf (no compilation needed)
 driver:
  enabled: true
-  kind: ebpf  # or "module" for kernel module
+  kind: modern_ebpf  # Uses modern eBPF features, no driver compilation needed

 # Image configuration
 image: