WIP: Integrating the new k8s-metacollector + k8smeta plugin with falco 0.36.2

.github/workflows/test.yml

@@ -14,6 +14,8 @@ jobs:
 
       - name: Set up Helm
         uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: '3.10.3'
 
       - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
@@ -55,3 +57,28 @@ jobs:
       - name: Run chart-testing (install)
         if: steps.list-changed.outputs.changed == 'true'
         run: ct install --config ct.yaml
+
+  go-unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: '3.10.3'
+
+      - name: Update repo deps
+        run:  helm dependency update ./charts/falco
+
+      - name: Setup Go
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        with:
+          go-version: '1.21'
+          check-latest: true
+
+      - name: Falco unit tests
+        run: go test -cover ./charts/falco/...

charts/falco/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: falco
-version: 3.8.7
+version: 3.8.8
 appVersion: "0.36.2"
 description: Falco
 keywords:
@@ -22,3 +22,7 @@ dependencies:
     version: "0.7.11"
     condition: falcosidekick.enabled
     repository: https://falcosecurity.github.io/charts
+  - name: k8s-metacollector
+    version: 0.1.1
+    repository: https://falcosecurity.github.io/charts
+    condition: collectors.kubernetes.enabled

charts/falco/templates/_helpers.tpl

@@ -318,4 +318,56 @@ be temporary and will stay here until we move this logic to the falcoctl tool.
   {{- if .Values.falcoctl.artifact.follow.env }}
   {{- include "falco.renderTemplate" ( dict "value" .Values.falcoctl.artifact.follow.env "context" $) | nindent 4 }}
   {{- end }}
+{{- end -}}
+
+
+{{/*
+ Build configuration for k8smeta plugin and update the relevant variables.
+ * The configuration that needs to be built up is the initconfig section:
+    init_config:
+     collectorPort: 0
+     collectorHostname: ""
+     nodename: ""
+    The falco chart exposes this configuriotino through two variable:
+       * collectors.kubenetetes.collectorHostname;
+       * collectors.kubernetes.collectorPort;
+    If those two variable are not set, then we take those values from the k8smetacollector subchart.
+    The hostname is built using the name of the service that exposes the collector endpoints and the
+    port is directly taken form the service's port that exposes the gRPC endpoint.
+    We reuse the helpers from the k8smetacollector subchart, by passing down the variables. There is a
+    hardcoded values that is the chart name for the k8s-metacollector chart.
+
+ * The falcoctl configuration is updated to allow  plugin artifacts to be installed. The refs in the install
+   section are updated by adding the reference for the k8s meta plugin that needs to be installed.
+ NOTE: It seems that the named templates run during the validation process. And then again during the
+ render fase. In our case we are setting global variable that persist during the various phases.
+ We need to make the helper idempotent.
+*/}}
+{{- define "k8smeta.configuration" -}}
+{{- if .Values.collectors.kubernetes.enabled -}}
+{{- $hostname := "" -}}
+{{- if .Values.collectors.kubernetes.collectorHostname -}}
+{{- $hostname = .Values.collectors.kubernetes.collectorHostname -}}
+{{- else -}}
+{{- $collectorContext := (dict "Release" .Release "Values" (index .Values "k8s-metacollector") "Chart" (dict "Name" "k8s-metacollector")) -}}
+{{- $hostname = printf "%s.%s.svc" (include "k8s-metacollector.fullname" $collectorContext) (include "k8s-metacollector.namespace" $collectorContext) -}}
+{{- end -}}
+{{- $hasConfig := false -}}
+{{- range .Values.falco.plugins -}}
+{{- if eq (get . "name") "k8smeta" -}}
+{{ $hasConfig = true -}}
+{{- end -}}
+{{- end -}}
+{{- if not $hasConfig -}}
+{{- $listenPort := default (index .Values "k8s-metacollector" "service" "ports" "broker-grpc" "port") .Values.collectors.kubernetes.collectorPort -}}
+{{- $listenPort = int $listenPort -}}
+{{- $pluginConfig := dict "name" "k8smeta" "library_path" "libk8smeta.so" "init_config" (dict "collectorHostname" $hostname "collectorPort" $listenPort "nodename" "${FALCO_K8S_NODE_NAME}") -}}
+{{- $newConfig := append .Values.falco.plugins $pluginConfig -}}
+{{- $_ := set .Values.falco "plugins" ($newConfig | uniq) -}}
+{{- $loadedPlugins := append .Values.falco.load_plugins "k8smeta" -}}
+{{- $_ = set .Values.falco "load_plugins" ($loadedPlugins | uniq) -}}
+{{- end -}}
+{{- $_ := set .Values.falcoctl.config.artifact.install "refs" ((append .Values.falcoctl.config.artifact.install.refs .Values.collectors.kubernetes.pluginRef) | uniq)}}
+{{- $_ = set .Values.falcoctl.config.artifact "allowedTypes" ((append .Values.falcoctl.config.artifact.allowedTypes "plugin") | uniq)}}
+{{- end -}}
 {{- end -}}

charts/falco/templates/configmap.yaml

@@ -8,4 +8,5 @@ metadata:
 data:
   falco.yaml: |-
     {{- include "falco.falcosidekickConfig" . }}
+    {{- include "k8smeta.configuration" . -}}
     {{- toYaml .Values.falco | nindent 4 }}

charts/falco/templates/falcoctl-configmap.yaml

@@ -8,5 +8,6 @@ metadata:
     {{- include "falco.labels" . | nindent 4 }}
 data:
   falcoctl.yaml: |-
+    {{- include "k8smeta.configuration" . -}}
     {{- toYaml .Values.falcoctl.config | nindent 4 }}
 {{- end }}

charts/falco/templates/pod-template.tpl

@@ -16,7 +16,6 @@ metadata:
       {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
-  serviceAccountName: {{ include "falco.serviceAccountName" . }}
   {{- with .Values.podSecurityContext }}
   securityContext:
     {{- toYaml . | nindent 4}}
@@ -80,16 +79,6 @@ spec:
         - --cri
         - /run/crio/crio.sock
         {{- end }}
-        {{- if .kubernetes.enabled }}
-        - -K
-        - {{ .kubernetes.apiAuth }}
-        - -k
-        - {{ .kubernetes.apiUrl }}
-        {{- if .kubernetes.enableNodeFilter }}
-        - --k8s-node
-        - "$(FALCO_K8S_NODE_NAME)"
-        {{- end }}
-        {{- end }}
         - -pk
         {{- end }}
         {{- end }}