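# Falco Helm Values
# Chart: https://github.com/falcosecurity/charts/tree/master/charts/falco

# Driver configuration - use modern_ebpf: no kernel module and no driver
# compilation on the node, so no build toolchain or kernel headers are needed
driver:
  enabled: true
  kind: modern_ebpf

# Image configuration - Falco 0.40.0 for kernel 6.14 support.
# NOTE(review): a tag is mutable upstream. For a privileged per-node security
# agent, consider pinning by digest (tag: "0.40.0@sha256:<digest>") and bumping
# deliberately, so a re-pointed tag cannot change what runs on every node.
image:
  registry: docker.io
  repository: falcosecurity/falco
  tag: "0.40.0"

# Resources for the Falco DaemonSet pods
resources:
  requests:
    cpu: 30m
    memory: 256Mi
  limits:
    # null removes the chart default (1 core) so the sensor is never CPU
    # throttled; a throttled sensor falls behind and can drop syscall events,
    # which is itself a detection gap
    cpu: null
    memory: 512Mi  # Prevent OOM

# Falco engine configuration (rendered into falco.yaml by the chart)
falco:
  # JSON output, one event per line, including the rendered output string
  json_output: true
  json_include_output_property: true
  # Falco's own log lines go to stderr (collected with the pod logs); syslog off
  log_stderr: true
  log_syslog: false
  log_level: info
  # Buffer event output instead of flushing on every event
  buffered_outputs: true
  # Rule files, loaded in this order; later files can override macros/rules
  # defined in earlier ones. customRules below is expected to be mounted under
  # /etc/falco/rules.d - verify against the rendered ConfigMap/volume.
  rules_files:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/falco_rules.local.yaml
    - /etc/falco/rules.d
  # No Falco plugins loaded (unrelated to rule loading above)
  load_plugins: []

# Custom rules (add to this section). Each key is written out as one rules file.
customRules:
  custom-rules.yaml: |-
    # Custom Falco Rules for your cluster
    # Tuned to reduce noise from trivy, postgres, minio, vault, etc.

    # Macro for known safe processes.
    # NOTE(review): sh, bash, python, node, curl, wget, kubectl, helm and git
    # are the binaries used for reverse shells, download-and-execute and
    # lateral movement. Allowlisting them cluster-wide means the
    # "Unauthorized Process in Container" rule below will not fire on most
    # real intrusions. Prefer scoping them to the images that legitimately
    # run them (a per-image macro) rather than a global allowlist.
    - macro: known_safe_processes
      condition: >
        proc.name in (sh, bash, node, python, java, nginx, postgres, trivy,
        minio, vault, containerd-shim, runc, pidof, cat, ls, grep, find,
        head, tail, kubectl, helm, git, curl, wget)

    # Macro for known safe container images.
    # NOTE(review): `contains` is a substring match on the repository name, so
    # any image whose repository name merely contains one of these words is
    # excluded from the process rule below, whoever pushed it. Prefer exact
    # names (container.image.repository in (...)) or registry-anchored
    # prefixes with startswith.
    - macro: known_safe_images
      condition: >
        (container.image.repository contains "trivy" or
        container.image.repository contains "aquasec" or
        container.image.repository contains "postgres" or
        container.image.repository contains "minio" or
        container.image.repository contains "vault" or
        container.image.repository contains "falco")

    # Any process spawned in a container that is neither an allowlisted binary
    # nor running in an allowlisted image. Parent process and pod are included
    # in the output so an alert can be triaged without re-querying the node.
    - rule: Unauthorized Process in Container
      desc: Detect unexpected processes in containers
      condition: >
        spawned_process and container
        and not known_safe_processes
        and not known_safe_images
      output: >
        Unauthorized process started in container (user=%user.name
        command=%proc.cmdline parent=%proc.pname
        container=%container.name image=%container.image.repository
        pod=%k8s.ns.name/%k8s.pod.name)
      priority: WARNING
      tags: [container, process]

    # Reads of credential material inside a container. /etc/passwd is
    # deliberately not listed (normal user/group lookups read it).
    # NOTE(review): this rule intentionally does NOT exclude known_safe_images.
    # A postgres/minio/vault container reading /etc/shadow or root's SSH keys
    # is exactly the compromised-workload case a CRITICAL rule must surface,
    # and the noise those images generate is from file writes (see the
    # disabled drift rule below), not from reads of these paths. Re-add
    # `and not known_safe_images` only with evidence of a legitimate reader.
    - rule: Sensitive File Access
      desc: Detect access to sensitive files (excluding /etc/passwd for normal lookups)
      condition: >
        open_read and container
        and fd.name in (/etc/shadow, /root/.ssh/id_rsa, /root/.ssh/id_ed25519,
        /root/.ssh/authorized_keys)
      output: >
        Sensitive file accessed (user=%user.name file=%fd.name
        command=%proc.cmdline parent=%proc.pname
        container=%container.name image=%container.image.repository
        pod=%k8s.ns.name/%k8s.pod.name)
      priority: CRITICAL
      tags: [file, security]

    # Disabled: Too noisy, causes excessive events
    # - rule: Container Drift Detection
    #   desc: Detect file modifications in containers
    #   condition: ...
    # Reason: trivy, postgres, minio constantly write files.
    # NOTE(review): disabling drift detection cluster-wide also removes the
    # signal for a dropped binary or modified config in every other image;
    # scoping the exclusion to the noisy images is the cheaper trade.

# Enable Prometheus metrics
metrics:
  enabled: true

# Service Monitor for Prometheus Operator
serviceMonitor:
  enabled: true
  interval: 30s

# Grafana dashboard
grafanaDashboard:
  enabled: false

# Falcosidekick integration (for forwarding alerts)
falcosidekick:
  enabled: true
  fullfqdn: false
  replicaCount: 1
  resources:
    requests:
      cpu: 10m
      memory: 128Mi
    limits:
      memory: 512Mi  # Increased to prevent OOM
  config:
    # Output to stdout/logs only; no external output is enabled.
    # NOTE(review): with every forwarding output commented out, the only copies
    # of an alert are the Web UI (6h TTL below) and Falco's own stdout. Make
    # sure the cluster log pipeline collects the Falco pod logs, or enable at
    # least one durable output here, so evidence outlives the UI's retention.
    debug: false
    # Slack integration (optional)
    # slack:
    #   webhookurl: ""
    #   minimumpriority: "warning"
    # Discord integration (optional)
    # discord:
    #   webhookurl: ""
    #   minimumpriority: "warning"

  # Falcosidekick Web UI
  webui:
    enabled: true
    replicaCount: 1
    # NOTE(review): basic auth is off on the assumption that Authelia SSO
    # fronts the UI, but ingress.enabled is false in this same file, so nothing
    # currently enforces authentication: anything that can reach the ClusterIP
    # Service on port 2802 (any pod in the cluster, or a kubectl port-forward)
    # gets the full alert stream. Until the SSO-protected ingress is live,
    # either keep basic auth on via existingSecret, or restrict port 2802 with
    # a NetworkPolicy to the ingress-controller/Authelia namespace.
    disableauth: true
    ttl: 21600  # 6 hours - events older than this are auto-deleted from the UI
    service:
      type: ClusterIP
      port: 2802
    ingress:
      enabled: false
      # annotations:
      #   cert-manager.io/cluster-issuer: letsencrypt-prod
      # hosts:
      #   - host: falco0213.kro.kr
      #     paths:
      #       - path: /
      #         pathType: Prefix
    resources:
      requests:
        cpu: 30m
        memory: 128Mi
      limits:
        # cpu: removed to prevent throttling
        memory: 512Mi
    redis:
      storageEnabled: true
      resources:
        requests:
          cpu: 10m
          memory: 256Mi
        limits:
          memory: 1Gi  # Increased from 512Mi to prevent OOM (84 restarts)
      # Keep Redis below the 1Gi container limit and evict least-recently-used
      # keys instead of refusing writes once full
      extraArgs:
        - "--maxmemory 800mb"
        - "--maxmemory-policy allkeys-lru"
    # Authentication disabled - using Authelia SSO (see NOTE above)
    # existingSecret: falco-ui-secret

# RBAC
rbac:
  create: true

# Service Account
serviceAccount:
  create: true
  name: falco

# Node selector to run on all nodes
nodeSelector: {}

# Tolerations so the DaemonSet also schedules on control-plane nodes, covering
# both the legacy "master" and the current "control-plane" taint keys.
# operator is omitted, so it defaults to Equal with an empty value, which
# matches these valueless taints.
tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
  - effect: NoExecute
    key: node-role.kubernetes.io/master
  - effect: NoSchedule
    key: node-role.kubernetes.io/control-plane
  - effect: NoExecute
    key: node-role.kubernetes.io/control-plane

# Run as DaemonSet on all nodes
daemonset:
  updateStrategy:
    type: RollingUpdate

# Priority class.
# NOTE(review): empty means default priority, so under node pressure the
# sensor can be evicted before the workloads it is supposed to watch.
# Consider system-node-critical (or a dedicated high-priority class) for a
# per-node security agent.
priorityClassName: ""

# Extra environment variables
extraEnvVars: []

# Extra volumes
extraVolumes: []
extraVolumeMounts: []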