security/falco/argocd/falco.yaml

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: falco
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default

  source:
    # Helm chart from Falcosecurity repository
    repoURL: https://falcosecurity.github.io/charts
    chart: falco
    targetRevision: 4.20.0
    helm:
      values: |
        # Driver configuration - use modern_ebpf
        driver:
          enabled: true
          kind: modern_ebpf

        # Image configuration - use Falco 0.40.0 for kernel 6.14 support
        image:
          registry: docker.io
          repository: falcosecurity/falco
          tag: 0.40.0

        # Resource requests
        resources:
          requests:
            cpu: 100m
            memory: 256Mi
          limits:
            cpu: 1000m
            memory: 1Gi

        # Falco configuration
        falco:
          json_output: true
          json_include_output_property: true
          log_stderr: true
          log_syslog: false
          log_level: info
          rules_files:
            - /etc/falco/falco_rules.yaml
            - /etc/falco/falco_rules.local.yaml

        # Metrics
        metrics:
          enabled: true

        # Service Monitor
        serviceMonitor:
          enabled: true
          interval: 30s

        # Falcosidekick
        falcosidekick:
          enabled: true
          config:
            debug: false
          webui:
            enabled: true
            replicaCount: 1
            resources:
              requests:
                cpu: 50m
                memory: 128Mi

        # RBAC
        rbac:
          create: true

        serviceAccount:
          create: true
          name: falco

        tolerations:
          - effect: NoSchedule
            key: node-role.kubernetes.io/master
          - effect: NoSchedule
            key: node-role.kubernetes.io/control-plane

  destination:
    server: https://kubernetes.default.svc
    namespace: falco

  syncPolicy:
    automated:
      prune: true
      selfHeal: false  # Disabled to prevent constant sync due to StatefulSet PVC retention policy
      allowEmpty: false

    syncOptions:
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground
      - PruneLast=true
      - ServerSideApply=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true

    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m

  # Ignore StatefulSet differences
  # persistentVolumeClaimRetentionPolicy is set by Kubernetes automatically
  ignoreDifferences:
    - group: apps
      kind: StatefulSet
      name: falco-falcosidekick-ui-redis
      jsonPointers:
        - /spec/persistentVolumeClaimRetentionPolicy
      jqPathExpressions:
        - .spec.persistentVolumeClaimRetentionPolicy
    - group: apps
      kind: StatefulSet
      managedFieldsManagers:
        - kube-controller-manager

  revisionHistoryLimit: 10