security/falco/helm-values.yaml
Mayne0213 736205e464 PERF(falco): reduce sidekick replicas to 1
- Reduce falcosidekick replicas from 2 to 1
- DaemonSet tolerations kept for all-node coverage
2026-01-10 13:15:56 +09:00


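---
# Falco Helm Values
# Chart: https://github.com/falcosecurity/charts/tree/master/charts/falco
#
# Layout follows the chart's values.yaml. The `falco:` map is rendered into
# falco.yaml, so keys under it must use falco.yaml's own names and nesting.
# `customRules` entries are rendered into /etc/falco/rules.d, which is listed
# last in `falco.rules_files` below.

# Driver configuration - use modern_ebpf (no compilation needed)
driver:
  enabled: true
  kind: modern_ebpf  # Uses modern eBPF features, no driver compilation needed

# Image configuration - use Falco 0.40.0 for kernel 6.14 support
image:
  registry: docker.io
  repository: falcosecurity/falco
  tag: "0.40.0"  # quoted so no YAML tooling ever retypes the version string

# Resource requests
resources:
  requests:
    cpu: 49m
    memory: 263Mi
  limits:
    cpu: null  # Disable chart default (1 core); Helm drops a null key from the merged values
    memory: 263Mi

# Falco configuration (rendered into falco.yaml)
falco:
  # Enable JSON output for better parsing
  json_output: true
  json_include_output_property: true
  # Log to stderr (collected by the container runtime); syslog off
  log_stderr: true
  log_syslog: false
  log_level: info
  # Performance tuning
  buffered_outputs: true
  # Rate limiting - reduce duplicate alerts.
  # falco.yaml keeps its token bucket under `outputs:` as `rate` / `max_burst`;
  # the flat `outputs_rate` / `outputs_max_burst` keys used here before are not
  # falco.yaml keys, so the intended throttle was not being applied.
  outputs:
    rate: 1  # 1 token (alert) per second gained
    max_burst: 10  # Allow burst of 10 alerts
  # Rules configuration - later files may override/append rules from earlier ones
  rules_files:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/falco_rules.local.yaml
    - /etc/falco/rules.d
  # No Falco plugins loaded; the rules above are syscall-based only
  load_plugins: []

# Custom rules (add to this section). Each key becomes a file in
# /etc/falco/rules.d and is loaded via `falco.rules_files` above.
customRules:
  custom-rules.yaml: |-
    # Custom Falco Rules for your cluster
    # Optimized to reduce noise from trivy, postgres, minio, vault, etc.

    # Macro for known safe processes
    # NOTE(review): this allowlist contains shells, interpreters and download
    # tools (sh, bash, python, node, curl, wget, kubectl), so the rule below
    # cannot fire on a shell or downloader spawned in any container. Narrow
    # the list per workload if that coverage is wanted.
    - macro: known_safe_processes
      condition: >
        proc.name in (sh, bash, node, python, java, nginx, postgres,
        trivy, minio, vault, containerd-shim, runc,
        pidof, cat, ls, grep, find, head, tail,
        kubectl, helm, git, curl, wget)

    # Macro for known safe container images
    # NOTE(review): `contains` is a substring match, so any repository name
    # containing one of these words is exempted from both rules below,
    # including the CRITICAL /etc/shadow read. Prefer exact names
    # (`container.image.repository in (...)`) where the images are known.
    - macro: known_safe_images
      condition: >
        (container.image.repository contains "trivy" or
        container.image.repository contains "aquasec" or
        container.image.repository contains "postgres" or
        container.image.repository contains "minio" or
        container.image.repository contains "vault" or
        container.image.repository contains "falco")

    - rule: Unauthorized Process in Container
      desc: Detect unexpected processes in containers
      condition: >
        spawned_process and container and
        not known_safe_processes and
        not known_safe_images
      output: >
        Unauthorized process started in container
        (user=%user.name command=%proc.cmdline container=%container.name image=%container.image.repository)
      priority: WARNING
      tags: [container, process]

    - rule: Sensitive File Access
      desc: Detect access to sensitive files (excluding /etc/passwd for normal lookups)
      condition: >
        open_read and container and
        fd.name in (/etc/shadow, /root/.ssh/id_rsa, /root/.ssh/authorized_keys) and
        not known_safe_images
      output: >
        Sensitive file accessed
        (user=%user.name file=%fd.name container=%container.name image=%container.image.repository)
      priority: CRITICAL
      tags: [file, security]

    # Disabled: Too noisy, causes excessive events
    # - rule: Container Drift Detection
    #   desc: Detect file modifications in containers
    #   condition: ...
    # Reason: trivy, postgres, minio constantly write files

# Enable Prometheus metrics
metrics:
  enabled: true

# Service Monitor for Prometheus Operator
serviceMonitor:
  create: true
  interval: 30s
  labels:
    release: prometheus  # must match the operator's serviceMonitorSelector - TODO confirm

# Grafana dashboard
# NOTE(review): confirm this key against the chart's values.yaml; Helm silently
# ignores values keys the chart does not read.
grafanaDashboard:
  enabled: false

# Falcosidekick integration (for forwarding alerts)
falcosidekick:
  enabled: true
  fullfqdn: false
  # Single replica (reduced from 2). Alerts emitted while the pod restarts may
  # be lost - confirm Falco's HTTP output retry behaviour if that matters.
  replicaCount: 1
  resources:
    requests:
      cpu: 10m
      memory: 128Mi
    limits:
      memory: 128Mi
  config:
    # Output to stdout/logs
    debug: false
    # Loki integration - send events directly to Loki
    loki:
      hostport: "http://loki.loki.svc.cluster.local:3100"
      minimumpriority: ""  # Send all priorities
      format: "json"  # JSON format for easier parsing in Grafana
    # Slack integration (optional). A webhook URL is a credential: supply it
    # from a Kubernetes Secret rather than committing it into this file.
    # slack:
    #   webhookurl: ""
    #   minimumpriority: "warning"
    # Discord integration (optional) - same handling for the webhook URL
    # discord:
    #   webhookurl: ""
    #   minimumpriority: "warning"
  # Falcosidekick Web UI - disabled, using Grafana dashboard instead
  webui:
    enabled: false
  # Affinity - Soft Anti-Affinity to spread pods across nodes
  # (no effect while replicaCount is 1; kept so scaling out spreads replicas)
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchLabels:
                app.kubernetes.io/name: falcosidekick
            topologyKey: kubernetes.io/hostname

# RBAC
rbac:
  create: true

# Service Account
serviceAccount:
  create: true
  name: falco

# Node selector to run on all nodes
nodeSelector: {}

# Tolerations to run on all nodes including control-plane.
# Only the control-plane NoSchedule taint is tolerated; nodes carrying other
# taints need their own entry here - TODO confirm for this cluster.
tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/control-plane

# Run as DaemonSet on all nodes
daemonset:
  updateStrategy:
    type: RollingUpdate

# Priority class
priorityClassName: ""

# Extra environment variables
extraEnvVars: []

# Extra volumes
extraVolumes: []
extraVolumeMounts: []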