REFACTOR(repo): restructure infra folder structure

- Remove argocd/, helm-values/, ingress/ subdirectories - Move files to parent directory with standardized names - Add namespace.yaml to all apps with Goldilocks labels - Preserve vault/ subdirectories (falco, velero) - Update main kustomization.yaml to reference argocd.yaml files directly - Comment out argocd.yaml in each app's kustomization.yaml to prevent circular reference Applications restructured: - cert-manager (2 ArgoCD apps) - external-secrets - reloader - vault (2 ArgoCD apps) - velero (2 ArgoCD apps) - falco - cnpg - haproxy - metallb - vpa - argocd
2025-12-29 02:21:00 +09:00
parent cedb4ec0d4
commit 34a1c9f783
14 changed files with 29 additions and 8 deletions
--- a/falco/helm-values.yaml
+++ b/falco/helm-values.yaml
@@ -0,0 +1,178 @@
+# Falco Helm Values
+# Chart: https://github.com/falcosecurity/charts/tree/master/charts/falco
+
+# Driver configuration - use modern_ebpf (no compilation needed)
+driver:
+  enabled: true
+  kind: modern_ebpf  # Uses modern eBPF features, no driver compilation needed
+
+# Image configuration
+image:
+  registry: docker.io
+  repository: falcosecurity/falco-no-driver
+  tag: 0.39.2
+
+# Resource requests
+resources:
+  requests:
+    cpu: 30m  # Reduced for CPU optimization to allow CNPG join pod scheduling
+    memory: 256Mi
+
+# Falco configuration
+falco:
+  # Enable JSON output for better parsing
+  json_output: true
+  json_include_output_property: true
+
+  # Log to stdout
+  log_stderr: true
+  log_syslog: false
+  log_level: info
+
+  # Performance tuning
+  buffered_outputs: true
+  outputs_queue_capacity: 10000
+
+  # Rules configuration
+  rules_files:
+    - /etc/falco/falco_rules.yaml
+    - /etc/falco/falco_rules.local.yaml
+    - /etc/falco/rules.d
+
+  # Load default rules
+  load_plugins: []
+
+# Custom rules (add to this section)
+customRules:
+  custom-rules.yaml: |-
+    # Custom Falco Rules for your cluster
+
+    - rule: Unauthorized Process in Container
+      desc: Detect unexpected processes in containers
+      condition: >
+        spawned_process and container and
+        not proc.name in (sh, bash, node, python, java, nginx, postgres)
+      output: >
+        Unauthorized process started in container
+        (user=%user.name command=%proc.cmdline container=%container.name image=%container.image.repository)
+      priority: WARNING
+      tags: [container, process]
+
+    - rule: Sensitive File Access
+      desc: Detect access to sensitive files
+      condition: >
+        open_read and container and
+        fd.name in (/etc/shadow, /etc/passwd, /root/.ssh/id_rsa, /root/.ssh/authorized_keys)
+      output: >
+        Sensitive file accessed
+        (user=%user.name file=%fd.name container=%container.name image=%container.image.repository)
+      priority: CRITICAL
+      tags: [file, security]
+
+    - rule: Container Drift Detection
+      desc: Detect file modifications in containers
+      condition: >
+        container and
+        (open_write or rename or remove) and
+        not proc.name in (apt, yum, dnf, apk, npm, pip)
+      output: >
+        File modified in container
+        (user=%user.name file=%fd.name proc=%proc.name container=%container.name)
+      priority: WARNING
+      tags: [container, drift]
+
+# Enable Prometheus metrics
+metrics:
+  enabled: true
+
+# Service Monitor for Prometheus Operator
+serviceMonitor:
+  enabled: true
+  interval: 30s
+
+# Grafana dashboard
+grafanaDashboard:
+  enabled: false
+
+# Falcosidekick integration (for forwarding alerts)
+falcosidekick:
+  enabled: true
+  fullfqdn: false
+
+  config:
+    # Output to stdout/logs
+    debug: false
+
+    # Slack integration (optional)
+    # slack:
+    #   webhookurl: ""
+    #   minimumpriority: "warning"
+
+    # Discord integration (optional)
+    # discord:
+    #   webhookurl: ""
+    #   minimumpriority: "warning"
+
+  # Falcosidekick Web UI
+  webui:
+    enabled: true
+    replicaCount: 1
+
+    service:
+      type: ClusterIP
+      port: 2802
+
+    ingress:
+      enabled: false
+      # annotations:
+      #   cert-manager.io/cluster-issuer: letsencrypt-prod
+      # hosts:
+      #   - host: falco0213.kro.kr
+      #     paths:
+      #       - path: /
+      #         pathType: Prefix
+
+    resources:
+      requests:
+        cpu: 30m
+        memory: 128Mi
+      limits:
+        # cpu: removed to prevent throttling
+        memory: 512Mi
+
+    # Use custom secret for authentication
+    existingSecret: falco-ui-secret
+
+# RBAC
+rbac:
+  create: true
+
+# Service Account
+serviceAccount:
+  create: true
+  name: falco
+
+# Node selector to run on all nodes
+nodeSelector: {}
+
+# Tolerations to run on all nodes including masters
+tolerations:
+  - effect: NoSchedule
+    key: node-role.kubernetes.io/master
+  - effect: NoSchedule
+    key: node-role.kubernetes.io/control-plane
+
+# Run as DaemonSet on all nodes
+daemonset:
+  updateStrategy:
+    type: RollingUpdate
+
+# Priority class
+priorityClassName: ""
+
+# Extra environment variables
+extraEnvVars: []
+
+# Extra volumes
+extraVolumes: []
+extraVolumeMounts: []