Mayne0213
76c5fd8343
- Falco chart uses 'serviceMonitor.create' not 'enabled' - Add release: prometheus label for Prometheus discovery
224 lines
5.5 KiB
YAML
224 lines
5.5 KiB
YAML
# Falco Helm Values
|
|
# Chart: https://github.com/falcosecurity/charts/tree/master/charts/falco
|
|
|
|
# Driver configuration - use modern_ebpf (no compilation needed)
|
|
driver:
|
|
enabled: true
|
|
kind: modern_ebpf # Uses modern eBPF features, no driver compilation needed
|
|
|
|
# Image configuration - use Falco 0.40.0 for kernel 6.14 support
|
|
image:
|
|
registry: docker.io
|
|
repository: falcosecurity/falco
|
|
tag: 0.40.0
|
|
|
|
# Resource requests
|
|
resources:
|
|
requests:
|
|
cpu: 30m
|
|
memory: 256Mi
|
|
limits:
|
|
cpu: null # Remove CPU limit to prevent throttling (chart default is 1 core)
|
|
memory: 512Mi # Prevent OOM
|
|
|
|
# Falco configuration
|
|
falco:
|
|
# Enable JSON output for better parsing
|
|
json_output: true
|
|
json_include_output_property: true
|
|
|
|
# Log to stdout
|
|
log_stderr: true
|
|
log_syslog: false
|
|
log_level: info
|
|
|
|
# Performance tuning
|
|
buffered_outputs: true
|
|
|
|
# Rules configuration
|
|
rules_files:
|
|
- /etc/falco/falco_rules.yaml
|
|
- /etc/falco/falco_rules.local.yaml
|
|
- /etc/falco/rules.d
|
|
|
|
# Load default rules
|
|
load_plugins: []
|
|
|
|
# Custom rules (add to this section)
|
|
customRules:
|
|
custom-rules.yaml: |-
|
|
# Custom Falco Rules for your cluster
|
|
# Optimized to reduce noise from trivy, postgres, minio, vault, etc.
|
|
|
|
# Macro for known safe processes
|
|
- macro: known_safe_processes
|
|
condition: >
|
|
proc.name in (sh, bash, node, python, java, nginx, postgres,
|
|
trivy, minio, vault, containerd-shim, runc,
|
|
pidof, cat, ls, grep, find, head, tail,
|
|
kubectl, helm, git, curl, wget)
|
|
|
|
# Macro for known safe container images
|
|
- macro: known_safe_images
|
|
condition: >
|
|
(container.image.repository contains "trivy" or
|
|
container.image.repository contains "aquasec" or
|
|
container.image.repository contains "postgres" or
|
|
container.image.repository contains "minio" or
|
|
container.image.repository contains "vault" or
|
|
container.image.repository contains "falco")
|
|
|
|
- rule: Unauthorized Process in Container
|
|
desc: Detect unexpected processes in containers
|
|
condition: >
|
|
spawned_process and container and
|
|
not known_safe_processes and
|
|
not known_safe_images
|
|
output: >
|
|
Unauthorized process started in container
|
|
(user=%user.name command=%proc.cmdline container=%container.name image=%container.image.repository)
|
|
priority: WARNING
|
|
tags: [container, process]
|
|
|
|
- rule: Sensitive File Access
|
|
desc: Detect access to sensitive files (excluding /etc/passwd for normal lookups)
|
|
condition: >
|
|
open_read and container and
|
|
fd.name in (/etc/shadow, /root/.ssh/id_rsa, /root/.ssh/authorized_keys) and
|
|
not known_safe_images
|
|
output: >
|
|
Sensitive file accessed
|
|
(user=%user.name file=%fd.name container=%container.name image=%container.image.repository)
|
|
priority: CRITICAL
|
|
tags: [file, security]
|
|
|
|
# Disabled: Too noisy, causes excessive events
|
|
# - rule: Container Drift Detection
|
|
# desc: Detect file modifications in containers
|
|
# condition: ...
|
|
# Reason: trivy, postgres, minio constantly write files
|
|
|
|
# Enable Prometheus metrics
|
|
metrics:
|
|
enabled: true
|
|
|
|
# Service Monitor for Prometheus Operator
|
|
serviceMonitor:
|
|
create: true
|
|
interval: 30s
|
|
labels:
|
|
release: prometheus
|
|
|
|
# Grafana dashboard
|
|
grafanaDashboard:
|
|
enabled: false
|
|
|
|
# Falcosidekick integration (for forwarding alerts)
|
|
falcosidekick:
|
|
enabled: true
|
|
fullfqdn: false
|
|
replicaCount: 1
|
|
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 128Mi
|
|
limits:
|
|
memory: 512Mi # Increased to prevent OOM
|
|
|
|
config:
|
|
# Output to stdout/logs
|
|
debug: false
|
|
|
|
# Slack integration (optional)
|
|
# slack:
|
|
# webhookurl: ""
|
|
# minimumpriority: "warning"
|
|
|
|
# Discord integration (optional)
|
|
# discord:
|
|
# webhookurl: ""
|
|
# minimumpriority: "warning"
|
|
|
|
# Falcosidekick Web UI
|
|
webui:
|
|
enabled: true
|
|
replicaCount: 1
|
|
disableauth: true # Disable basic auth - using Authelia SSO
|
|
ttl: 21600 # 6 hours - events older than this are auto-deleted
|
|
|
|
service:
|
|
type: ClusterIP
|
|
port: 2802
|
|
|
|
ingress:
|
|
enabled: false
|
|
# annotations:
|
|
# cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
# hosts:
|
|
# - host: falco0213.kro.kr
|
|
# paths:
|
|
# - path: /
|
|
# pathType: Prefix
|
|
|
|
resources:
|
|
requests:
|
|
cpu: 30m
|
|
memory: 128Mi
|
|
limits:
|
|
# cpu: removed to prevent throttling
|
|
memory: 512Mi
|
|
|
|
redis:
|
|
storageEnabled: true
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 256Mi
|
|
limits:
|
|
memory: 1Gi
|
|
customConfig:
|
|
- maxmemory 800mb
|
|
- maxmemory-policy allkeys-lru
|
|
|
|
# Authentication disabled - using Authelia SSO
|
|
# existingSecret: falco-ui-secret
|
|
|
|
# RBAC
|
|
rbac:
|
|
create: true
|
|
|
|
# Service Account
|
|
serviceAccount:
|
|
create: true
|
|
name: falco
|
|
|
|
# Node selector to run on all nodes
|
|
nodeSelector: {}
|
|
|
|
# Tolerations to run on all nodes including masters
|
|
tolerations:
|
|
- effect: NoSchedule
|
|
key: node-role.kubernetes.io/master
|
|
- effect: NoExecute
|
|
key: node-role.kubernetes.io/master
|
|
- effect: NoSchedule
|
|
key: node-role.kubernetes.io/control-plane
|
|
- effect: NoExecute
|
|
key: node-role.kubernetes.io/control-plane
|
|
|
|
# Run as DaemonSet on all nodes
|
|
daemonset:
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
|
|
# Priority class
|
|
priorityClassName: ""
|
|
|
|
# Extra environment variables
|
|
extraEnvVars: []
|
|
|
|
# Extra volumes
|
|
extraVolumes: []
|
|
extraVolumeMounts: []
|