From 1a551b47ca0d18e5a883afe6c46cf94e9ce41002 Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Fri, 2 Jan 2026 23:00:23 +0900
Subject: [PATCH] PERF(falco): optimize falco rules - and add sidekick memory limit

- Add macros to exclude trivy, postgres, minio, vault from rules
- Disable Container Drift Detection (too noisy)
- Remove /etc/passwd from sensitive file access (normal lookups)
- Add 256Mi memory limit to falcosidekick (was using 1.1GB)
---
 falco/helm-values.yaml | 50 ++++++++++++++++++++++++++++++------------
 1 file changed, 36 insertions(+), 14 deletions(-)

diff --git a/falco/helm-values.yaml b/falco/helm-values.yaml
index e9ed2e8..590606a 100644
--- a/falco/helm-values.yaml
+++ b/falco/helm-values.yaml
@@ -45,12 +45,32 @@ falco:
 customRules:
 custom-rules.yaml: |-
 # Custom Falco Rules for your cluster
+ # Optimized to reduce noise from trivy, postgres, minio, vault, etc.
+
+ # Macro for known safe processes
+ - macro: known_safe_processes
+ condition: >
+ proc.name in (sh, bash, node, python, java, nginx, postgres,
+ trivy, minio, vault, containerd-shim, runc,
+ pidof, cat, ls, grep, find, head, tail,
+ kubectl, helm, git, curl, wget)
+
+ # Macro for known safe container images
+ - macro: known_safe_images
+ condition: >
+ (container.image.repository contains "trivy" or
+ container.image.repository contains "aquasec" or
+ container.image.repository contains "postgres" or
+ container.image.repository contains "minio" or
+ container.image.repository contains "vault" or
+ container.image.repository contains "falco")
 
 - rule: Unauthorized Process in Container
 desc: Detect unexpected processes in containers
 condition: >
 spawned_process and container and
- not proc.name in (sh, bash, node, python, java, nginx, postgres)
+ not known_safe_processes and
+ not known_safe_images
 output: >
 Unauthorized process started in container
 (user=%user.name command=%proc.cmdline container=%container.name image=%container.image.repository)
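Review bot: `known_safe_images` uses `contains` on `container.image.repository`, so in the new `Unauthorized Process in Container` condition `not known_safe_images` exempts every process in any image whose repository merely includes "vault", "postgres", "minio", "trivy", "aquasec" or "falco" — a string the party pushing the image chooses, so a pod running something named `evil/vault-helper` is never flagged. Match the exact repositories you deploy instead (`container.image.repository in (...)` with the names as they appear in your cluster), and scope the exemption to what those images legitimately spawn, e.g. `not (known_safe_images and proc.name in (postgres, trivy, minio, vault))`, rather than `and`-ing a global image exemption onto the rule. `known_safe_processes` also now allows `sh`, `bash`, `curl`, `wget`, `kubectl`, `helm`, `git`, `python` and `node` in every container, which are the tools a post-exploitation foothold uses, and `proc.name` is defeated by simply renaming a binary; keeping those names in a cluster-wide allowlist leaves this rule detecting little. The `custom-rules.yaml` block continues past this hunk.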
@@ -58,27 +78,22 @@ customRules:
 tags: [container, process]
 
 - rule: Sensitive File Access
- desc: Detect access to sensitive files
+ desc: Detect access to sensitive files (excluding /etc/passwd for normal lookups)
 condition: >
 open_read and container and
- fd.name in (/etc/shadow, /etc/passwd, /root/.ssh/id_rsa, /root/.ssh/authorized_keys)
+ fd.name in (/etc/shadow, /root/.ssh/id_rsa, /root/.ssh/authorized_keys) and
+ not known_safe_images
 output: >
 Sensitive file accessed
 (user=%user.name file=%fd.name container=%container.name image=%container.image.repository)
 priority: CRITICAL
 tags: [file, security]
 
- - rule: Container Drift Detection
- desc: Detect file modifications in containers
- condition: >
- container and
- open_write and
- not proc.name in (apt, yum, dnf, apk, npm, pip)
- output: >
- File modified in container
- (user=%user.name file=%fd.name proc=%proc.name container=%container.name)
- priority: WARNING
- tags: [container, drift]
+ # Disabled: Too noisy, causes excessive events
+ # - rule: Container Drift Detection
+ # desc: Detect file modifications in containers
+ # condition: ...
+ # Reason: trivy, postgres, minio constantly write files
 
 # Enable Prometheus metrics
 metrics:
@@ -99,6 +114,13 @@ falcosidekick:
 fullfqdn: false
 replicaCount: 1
 
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ limits:
+ memory: 256Mi # Prevent memory leak from accumulating events
+
 config:
 # Output to stdout/logs
 debug: false
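Review bot: Adding `not known_safe_images` to `Sensitive File Access` silences this CRITICAL alert for reads of `/etc/shadow`, `/root/.ssh/id_rsa` and `/root/.ssh/authorized_keys` inside any container whose image name contains postgres, minio, vault, trivy, aquasec or falco — precisely the pods an attacker with a foothold would read them from, and because the macro is a substring match a look-alike image name inherits the exemption. Nothing in the diff shows those workloads reading these three files in normal operation; the one plausible source is a trivy filesystem scan, which deserves an exact exemption such as `not (container.image.repository contains "trivy" and proc.name = trivy)` rather than a blanket one, so drop the macro from this rule and add that only if scans turn out to be the trigger. Commenting out `Container Drift Detection` also removes the only `open_write` signal in the ruleset; an approach Falco's stock rules take is to alert on files written inside the container and then executed, or on writes under binary directories, which keeps the signal while ignoring postgres/minio data directories, and would be a better replacement than a disabled rule. The `custom-rules.yaml` block begins in the previous hunk.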
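Review bot: The 256Mi limit bounds the symptom but not the cause — when falcosidekick crosses it the container is OOM-killed, and with `replicaCount: 1` any events it was still holding or forwarding at that moment are lost, which is most likely during an alert burst, exactly when the pipeline matters. The inline comment asserts a "memory leak" but the diff shows no evidence of one; if the 1.1GB was undelivered output queued behind a slow or failing destination, the fix is that output (or the narrower ruleset the other hunks attempt), not the kill. At minimum alert on sidekick `OOMKilled` restarts so the loss is visible, and make the comment state the observation rather than a diagnosis: `memory: 256Mi # observed ~1.1GB without a limit; OOM-kill drops in-flight events, alert on restarts`. Whether sidekick buffers output in memory depends on the configured outputs under `config`, which lie outside this hunk.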