Mayne0213
4d4ecb13d6
- and enable Redis persistence - Add NoExecute tolerations for master/control-plane nodes to run Falco DaemonSet on all nodes - Enable Redis storage to persist index data across pod restarts
196 lines
4.5 KiB
YAML
196 lines
4.5 KiB
YAML
# Falco Helm Values
|
|
# Chart: https://github.com/falcosecurity/charts/tree/master/charts/falco
|
|
|
|
# Driver configuration - use modern_ebpf (no compilation needed)
|
|
driver:
|
|
enabled: true
|
|
kind: modern_ebpf # Uses modern eBPF features, no driver compilation needed
|
|
|
|
# Image configuration - use Falco 0.40.0 for kernel 6.14 support
|
|
image:
|
|
registry: docker.io
|
|
repository: falcosecurity/falco
|
|
tag: 0.40.0
|
|
|
|
# Resource requests
|
|
resources:
|
|
requests:
|
|
cpu: 30m # Reduced for CPU optimization to allow CNPG join pod scheduling
|
|
memory: 256Mi
|
|
|
|
# Falco configuration
|
|
falco:
|
|
# Enable JSON output for better parsing
|
|
json_output: true
|
|
json_include_output_property: true
|
|
|
|
# Log to stdout
|
|
log_stderr: true
|
|
log_syslog: false
|
|
log_level: info
|
|
|
|
# Performance tuning
|
|
buffered_outputs: true
|
|
|
|
# Rules configuration
|
|
rules_files:
|
|
- /etc/falco/falco_rules.yaml
|
|
- /etc/falco/falco_rules.local.yaml
|
|
- /etc/falco/rules.d
|
|
|
|
# Load default rules
|
|
load_plugins: []
|
|
|
|
# Custom rules (add to this section)
|
|
customRules:
|
|
custom-rules.yaml: |-
|
|
# Custom Falco Rules for your cluster
|
|
|
|
- rule: Unauthorized Process in Container
|
|
desc: Detect unexpected processes in containers
|
|
condition: >
|
|
spawned_process and container and
|
|
not proc.name in (sh, bash, node, python, java, nginx, postgres)
|
|
output: >
|
|
Unauthorized process started in container
|
|
(user=%user.name command=%proc.cmdline container=%container.name image=%container.image.repository)
|
|
priority: WARNING
|
|
tags: [container, process]
|
|
|
|
- rule: Sensitive File Access
|
|
desc: Detect access to sensitive files
|
|
condition: >
|
|
open_read and container and
|
|
fd.name in (/etc/shadow, /etc/passwd, /root/.ssh/id_rsa, /root/.ssh/authorized_keys)
|
|
output: >
|
|
Sensitive file accessed
|
|
(user=%user.name file=%fd.name container=%container.name image=%container.image.repository)
|
|
priority: CRITICAL
|
|
tags: [file, security]
|
|
|
|
- rule: Container Drift Detection
|
|
desc: Detect file modifications in containers
|
|
condition: >
|
|
container and
|
|
open_write and
|
|
not proc.name in (apt, yum, dnf, apk, npm, pip)
|
|
output: >
|
|
File modified in container
|
|
(user=%user.name file=%fd.name proc=%proc.name container=%container.name)
|
|
priority: WARNING
|
|
tags: [container, drift]
|
|
|
|
# Enable Prometheus metrics
|
|
metrics:
|
|
enabled: true
|
|
|
|
# Service Monitor for Prometheus Operator
|
|
serviceMonitor:
|
|
enabled: true
|
|
interval: 30s
|
|
|
|
# Grafana dashboard
|
|
grafanaDashboard:
|
|
enabled: false
|
|
|
|
# Falcosidekick integration (for forwarding alerts)
|
|
falcosidekick:
|
|
enabled: true
|
|
fullfqdn: false
|
|
replicaCount: 1
|
|
|
|
config:
|
|
# Output to stdout/logs
|
|
debug: false
|
|
|
|
# Slack integration (optional)
|
|
# slack:
|
|
# webhookurl: ""
|
|
# minimumpriority: "warning"
|
|
|
|
# Discord integration (optional)
|
|
# discord:
|
|
# webhookurl: ""
|
|
# minimumpriority: "warning"
|
|
|
|
# Falcosidekick Web UI
|
|
webui:
|
|
enabled: true
|
|
replicaCount: 1
|
|
disableauth: true # Disable basic auth - using Authelia SSO
|
|
|
|
service:
|
|
type: ClusterIP
|
|
port: 2802
|
|
|
|
ingress:
|
|
enabled: false
|
|
# annotations:
|
|
# cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
# hosts:
|
|
# - host: falco0213.kro.kr
|
|
# paths:
|
|
# - path: /
|
|
# pathType: Prefix
|
|
|
|
resources:
|
|
requests:
|
|
cpu: 30m
|
|
memory: 128Mi
|
|
limits:
|
|
# cpu: removed to prevent throttling
|
|
memory: 512Mi
|
|
|
|
redis:
|
|
storageEnabled: true
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 64Mi
|
|
limits:
|
|
memory: 256Mi
|
|
extraArgs:
|
|
- "--maxmemory 200mb"
|
|
- "--maxmemory-policy allkeys-lru"
|
|
|
|
# Authentication disabled - using Authelia SSO
|
|
# existingSecret: falco-ui-secret
|
|
|
|
# RBAC
|
|
rbac:
|
|
create: true
|
|
|
|
# Service Account
|
|
serviceAccount:
|
|
create: true
|
|
name: falco
|
|
|
|
# Node selector to run on all nodes
|
|
nodeSelector: {}
|
|
|
|
# Tolerations to run on all nodes including masters
|
|
tolerations:
|
|
- effect: NoSchedule
|
|
key: node-role.kubernetes.io/master
|
|
- effect: NoExecute
|
|
key: node-role.kubernetes.io/master
|
|
- effect: NoSchedule
|
|
key: node-role.kubernetes.io/control-plane
|
|
- effect: NoExecute
|
|
key: node-role.kubernetes.io/control-plane
|
|
|
|
# Run as DaemonSet on all nodes
|
|
daemonset:
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
|
|
# Priority class
|
|
priorityClassName: ""
|
|
|
|
# Extra environment variables
|
|
extraEnvVars: []
|
|
|
|
# Extra volumes
|
|
extraVolumes: []
|
|
extraVolumeMounts: []
|