update(falco): chart for falco 0.37.0

.github/workflows/test.yml

@@ -14,6 +14,8 @@ jobs:
 
       - name: Set up Helm
         uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: '3.10.3'
 
       - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
@@ -78,5 +80,8 @@ jobs:
           go-version: '1.21'
           check-latest: true
 
-      - name: k8s-metacollector unit tests
+      - name: K8s-metacollector unit tests
         run: go test ./charts/k8s-metacollector/tests/unit/...
+
+      - name: Falco unit tests
+        run: go test ./charts/falco/tests/unit/...

charts/falco/BREAKING-CHANGES.md

@@ -1,11 +1,45 @@
 # Helm chart Breaking Changes
-
+ - [4.0.0](#400)
+   - [Drivers](#drivers)
+   - [K8s Collector](#k8s-collector)
+   - [Plugins](#plugins)
  - [3.0.0](#300)
     - [Falcoctl](#falcoctl-support)
     - [Rulesfiles](#rulesfiles)
     - [Falco Images](#drop-support-for-falcosecurityfalco-image)
     - [Driver Loader Init Container](#driver-loader-simplified-logic)
 
+## 4.0.0
+### Drivers
+The `driver` section has been reworked based on the following PR: https://github.com/falcosecurity/falco/pull/2413. 
+It is an attempt to uniform how a driver is configured in Falco. 
+It also groups the configuration based on the driver type.
+Some of the drivers has been renamed:
+* kernel modules has been renamed from `module` to `kmod`;
+* the ebpf probe has not been changed. It's still `ebpf`;
+* the modern ebpf probe has been renamed from `modern-bpf` to `modern_ebpf`.
+
+The `gvisor` configuration has been moved under the `driver` section since it is considered a driver on its own.
+
+### K8s Collector
+The old Kubernetes client has been removed in Falco 0.37.0. For more info checkout this issue: https://github.com/falcosecurity/falco/issues/2973#issuecomment-1877803422.
+The [k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) and [k8s-meta](https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta) substitute
+the old implementation. 
+
+The following resources needed by Falco to connect to the API server are no longer needed and has been removed from the chart:
+* service account;
+* cluster role;
+* cluster role binding.
+
+When the `collectors.kubernetes` is enabled the chart deploys the [k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) and configures Falco to load the
+[k8s-meta](https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta) plugin.
+
+By default, the `collectors.kubernetes.enabled` is off; for more info, see the following issue: https://github.com/falcosecurity/falco/issues/2995.
+
+### Plugins
+The Falco docker image does not ship anymore the plugins: https://github.com/falcosecurity/falco/pull/2997. 
+For this reason, the `resolveDeps` is now enabled in relevant values files (ie. `values-k8saudit.yaml`). 
+When installing `rulesfile` artifacts `falcoctl` will try to resolve its dependencies and install the required plugins.
 
 ## 3.0.0
 The new chart deploys new *k8s* resources and new configuration variables have been added to the `values.yaml` file. People upgrading the chart from `v2.x.y` have to port their configuration variables to the new `values.yaml` file used by the `v3.0.0` chart.

charts/falco/CHANGELOG.md

@@ -3,6 +3,17 @@
 This file documents all notable changes to Falco Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## v4.0.0
+The new chart introduces some breaking changes. For folks upgrading Falco please see the BREAKING-CHANGES.md file.
+
+* Uniform driver names and configuration to the Falco one: https://github.com/falcosecurity/falco/pull/2413;
+* Fix usernames and groupnames resolution by mounting the `/etc` filesystem;
+* Drop old kubernetes collector related resources;
+* Introduce the new k8s-metacollector and k8smeta plugin (experimental);
+* Enable the dependency resolver for artifacts in falcoctl since the Falco image does not ship anymore the plugins;
+* Bump Falco to 0.37.0;
+* Bump falcoctl to 0.7.0.
+
 ## v3.8.7
 
 *  Upgrade falcosidekick chart to `v0.7.11`.

charts/falco/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: falco
-version: 3.8.7
-appVersion: "0.36.2"
+version: 4.0.0
+appVersion: "0.37.0"
 description: Falco
 keywords:
   - monitoring
@@ -22,3 +22,7 @@ dependencies:
     version: "0.7.11"
     condition: falcosidekick.enabled
     repository: https://falcosecurity.github.io/charts
+  - name: k8s-metacollector
+    version: 0.1.*
+    repository: https://falcosecurity.github.io/charts
+    condition: collectors.kubernetes.enabled

charts/falco/README.gotmpl

@@ -87,12 +87,13 @@ Note that **the driver is not required when using plugins**.
 gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system. For more information please consult the [official docs](https://gvisor.dev/docs/). In version `0.32.1`, Falco first introduced support for gVisor by leveraging the stream of system call information coming from gVisor.
 Falco requires the version of [runsc](https://gvisor.dev/docs/user_guide/install/) to be equal to or above `20220704.0`. The following snippet shows the gVisor configuration variables found in `values.yaml`:
 ```yaml
-gvisor:
-  enabled: true
-  runsc:
-    path: /home/containerd/usr/local/sbin
-    root: /run/containerd/runsc
-    config: /run/containerd/runsc/config.toml
+driver:
+  gvisor:
+    enabled: true
+    runsc:
+      path: /home/containerd/usr/local/sbin
+      root: /run/containerd/runsc
+      config: /run/containerd/runsc/config.toml
 ```
 Falco uses the [runsc](https://gvisor.dev/docs/user_guide/install/) binary to interact with sandboxed containers. The following variables need to be set:
 * `runsc.path`: absolute path of the `runsc` binary in the k8s nodes;
@@ -142,20 +143,21 @@ When using the [drivers](#about-the-driver), Falco is deployed as `daemonset`. B
 
 To run Falco with the [kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) you can use the default values of the helm chart:
 
-```yaml
-driver:
-  enabled: true
-  kind: module
+```bash
+helm install falco falcosecurity/falco \
+    --create-namespace \
+    --namespace falco
 ```
 
 **eBPF probe**
 
 To run Falco with the [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe) you just need to set `driver.kind=ebpf` as shown in the following snippet:
 
-```yaml
-driver:
-  enabled: true
-  kind: ebpf
+```bash
+helm install falco falcosecurity/falco \
+    --create-namespace \
+    --namespace falco \
+    --set driver.kind=ebpf
 ```
 
 There are other configurations related to the eBPF probe, for more info please check the `values.yaml` file. After you have made your changes to the configuration file you just need to run:
@@ -168,10 +170,11 @@ helm install falco falcosecurity/falco --namespace "your-custom-name-space" --cr
 
 To run Falco with the [modern eBPF probe](https://falco.org/docs/event-sources/drivers/#modern-ebpf-probe-experimental) you just need to set `driver.kind=modern-bpf` as shown in the following snippet:
 
-```yaml
-driver:
-  enabled: true
-  kind: modern-bpf
+```bash
+helm install falco falcosecurity/falco \
+    --create-namespace \
+    --namespace falco \
+    --set driver.kind=modern_ebpf
 ```
 
 #### Deployment
@@ -211,6 +214,54 @@ A scenario when we need the `-p (--previous)` flag is when we have a restart of
 ### Enabling real time logs
 By default in Falco the output is buffered. When live streaming logs we will notice delays between the logs output (rules triggering) and the event happening.
 In order to enable the logs to be emitted without delays you need to set `.Values.tty=true` in `values.yaml` file.
+
+## K8s-metacollector
+Starting from Falco `0.37` the old [k8s-client](https://github.com/falcosecurity/falco/issues/2973) has been removed.
+A new component named [k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) replaces it.
+The *k8s-metacollector* is a self-contained module that can be deployed within a Kubernetes cluster to perform the task of gathering metadata
+from various Kubernetes resources and subsequently transmitting this collected metadata to designated subscribers.
+
+Kubernetes' resources for which metadata will be collected and sent to Falco:
+* pods;
+* namespaces;
+* deployments;
+* replicationcontrollers;
+* replicasets;
+* services;
+
+### Plugin
+Since the *k8s-metacollector* is standalone, deployed in the cluster as a deployment, Falco instances need to connect to the component
+in order to retrieve the `metadata`. Here it comes the [k8smeta](https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta) plugin.
+The plugin gathers details about Kubernetes resources from the *k8s-metacollector*. It then stores this information
+in tables and provides access to Falco upon request. The plugin specifically acquires data for the node where the
+associated Falco instance is deployed, resulting in node-level granularity.
+
+### Exported Fields: Old and New
+The old [k8s-client](https://github.com/falcosecurity/falco/issues/2973) used to populate the
+[k8s](https://falco.org/docs/reference/rules/supported-fields/#field-class-k8s) fields. The **k8s** field class is still
+available in Falco, for compatibility reasons, but most of the fields will return `N/A`. The following fields are still
+usable and will return meaningful data when the `container runtime collectors` are enabled:
+* k8s.pod.name;
+* k8s.pod.id;
+* k8s.pod.label;
+* k8s.pod.labels;
+* k8s.pod.ip;
+* k8s.pod.cni.json;
+* k8s.pod.namespace.name;
+
+The [k8smeta](https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta) plugin exports a whole new
+[field class]https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta#supported-fields. Note that the new
+`k8smeta.*` fields are usable only when the **k8smeta** plugin is loaded in Falco.
+
+### Enabling the k8s-metacollector
+The following command will deploy Falco + k8s-metacollector + k8smeta:
+```bash
+helm install falco falcosecurity/falco \
+    --namespace falco \
+    --create-namespace \
+    --set collectors.kubernetes.enabled=true
+```
+
 ## Loading custom rules
 
 Falco ships with a nice default ruleset. It is a good starting point but sooner or later, we are going to need to add custom rules which fit our needs.

charts/falco/templates/NOTES.txt

@@ -22,8 +22,23 @@ You can easily forward Falco events to Slack, Kafka, AWS Lambda and more with fa
 Full list of outputs: https://github.com/falcosecurity/charts/tree/master/falcosidekick.
 You can enable its deployment with `--set falcosidekick.enabled=true` or in your values.yaml. 
 See: https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml for configuration values.
+
 {{- end}}
 
+
+{{- if  (has .Values.driver.kind (list "module" "modern-bpf")) -}}
+{{- println }}
+WARNING(drivers):
+{{- printf "\nThe driver kind: \"%s\" is an alias and might be removed in the future.\n" .Values.driver.kind -}}
+{{- $driver := "" -}}
+{{- if eq .Values.driver.kind "module" -}}
+{{- $driver = "kmod" -}}
+{{- else if eq .Values.driver.kind "modern-bpf" -}}
+{{- $driver = "modern_ebpf" -}}
+{{- end -}}
+{{- printf "Please use \"%s\" instead." $driver}}
+{{- end -}}
+
 {{- if and (not (empty .Values.falco.load_plugins)) (or .Values.falcoctl.artifact.follow.enabled .Values.falcoctl.artifact.install.enabled) }}
 
 WARNING:

charts/falco/templates/_helpers.tpl

@@ -185,7 +185,7 @@ we just disable the sycall source.
 */}}
 {{- define "falco.configSyscallSource" -}}
 {{- $userspaceDisabled := true -}}
-{{- $gvisorDisabled := (not .Values.gvisor.enabled) -}}
+{{- $gvisorDisabled := (ne .Values.driver.kind  "gvisor") -}}
 {{- $driverDisabled :=  (not .Values.driver.enabled) -}}
 {{- if or (has "-u" .Values.extra.args) (has "--userspace" .Values.extra.args) -}}
 {{- $userspaceDisabled = false -}}
@@ -214,8 +214,8 @@ be temporary and will stay here until we move this logic to the falcoctl tool.
       set -o nounset
       set -o pipefail
 
-      root={{ .Values.gvisor.runsc.root }}
-      config={{ .Values.gvisor.runsc.config }}
+      root={{ .Values.driver.gvisor.runsc.root }}
+      config={{ .Values.driver.gvisor.runsc.config }}
 
       echo "* Configuring Falco+gVisor integration...".
       # Check if gVisor is configured on the node.
@@ -240,12 +240,12 @@ be temporary and will stay here until we move this logic to the falcoctl tool.
       echo "* Falco+gVisor correctly configured."
       exit 0
   volumeMounts:
-    - mountPath: /host{{ .Values.gvisor.runsc.path }}
+    - mountPath: /host{{ .Values.driver.gvisor.runsc.path }}
       name: runsc-path
       readOnly: true
-    - mountPath: /host{{ .Values.gvisor.runsc.root }}
+    - mountPath: /host{{ .Values.driver.gvisor.runsc.root }}
       name: runsc-root
-    - mountPath: /host{{ .Values.gvisor.runsc.config }}
+    - mountPath: /host{{ .Values.driver.gvisor.runsc.config }}
       name: runsc-config
     - mountPath: /gvisor-config
       name: falco-gvisor-config
@@ -318,4 +318,100 @@ be temporary and will stay here until we move this logic to the falcoctl tool.
   {{- if .Values.falcoctl.artifact.follow.env }}
   {{- include "falco.renderTemplate" ( dict "value" .Values.falcoctl.artifact.follow.env "context" $) | nindent 4 }}
   {{- end }}
+{{- end -}}
+
+
+{{/*
+ Build configuration for k8smeta plugin and update the relevant variables.
+ * The configuration that needs to be built up is the initconfig section:
+    init_config:
+     collectorPort: 0
+     collectorHostname: ""
+     nodeName: ""
+    The falco chart exposes this configuriotino through two variable:
+       * collectors.kubenetetes.collectorHostname;
+       * collectors.kubernetes.collectorPort;
+    If those two variable are not set, then we take those values from the k8smetacollector subchart.
+    The hostname is built using the name of the service that exposes the collector endpoints and the
+    port is directly taken form the service's port that exposes the gRPC endpoint.
+    We reuse the helpers from the k8smetacollector subchart, by passing down the variables. There is a
+    hardcoded values that is the chart name for the k8s-metacollector chart.
+
+ * The falcoctl configuration is updated to allow  plugin artifacts to be installed. The refs in the install
+   section are updated by adding the reference for the k8s meta plugin that needs to be installed.
+ NOTE: It seems that the named templates run during the validation process. And then again during the
+ render fase. In our case we are setting global variable that persist during the various phases.
+ We need to make the helper idempotent.
+*/}}
+{{- define "k8smeta.configuration" -}}
+{{- if and .Values.collectors.kubernetes.enabled .Values.driver.enabled -}}
+{{- $hostname := "" -}}
+{{- if .Values.collectors.kubernetes.collectorHostname -}}
+{{- $hostname = .Values.collectors.kubernetes.collectorHostname -}}
+{{- else -}}
+{{- $collectorContext := (dict "Release" .Release "Values" (index .Values "k8s-metacollector") "Chart" (dict "Name" "k8s-metacollector")) -}}
+{{- $hostname = printf "%s.%s.svc" (include "k8s-metacollector.fullname" $collectorContext) (include "k8s-metacollector.namespace" $collectorContext) -}}
+{{- end -}}
+{{- $hasConfig := false -}}
+{{- range .Values.falco.plugins -}}
+{{- if eq (get . "name") "k8smeta" -}}
+{{ $hasConfig = true -}}
+{{- end -}}
+{{- end -}}
+{{- if not $hasConfig -}}
+{{- $listenPort := default (index .Values "k8s-metacollector" "service" "ports" "broker-grpc" "port") .Values.collectors.kubernetes.collectorPort -}}
+{{- $listenPort = int $listenPort -}}
+{{- $pluginConfig := dict "name" "k8smeta" "library_path" "libk8smeta.so" "init_config" (dict "collectorHostname" $hostname "collectorPort" $listenPort "nodeName" "${FALCO_K8S_NODE_NAME}") -}}
+{{- $newConfig := append .Values.falco.plugins $pluginConfig -}}
+{{- $_ := set .Values.falco "plugins" ($newConfig | uniq) -}}
+{{- $loadedPlugins := append .Values.falco.load_plugins "k8smeta" -}}
+{{- $_ = set .Values.falco "load_plugins" ($loadedPlugins | uniq) -}}
+{{- end -}}
+{{- $_ := set .Values.falcoctl.config.artifact.install "refs" ((append .Values.falcoctl.config.artifact.install.refs .Values.collectors.kubernetes.pluginRef) | uniq)}}
+{{- $_ = set .Values.falcoctl.config.artifact "allowedTypes" ((append .Values.falcoctl.config.artifact.allowedTypes "plugin") | uniq)}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Based on the user input it populates the driver configuration in the falco config map.
+*/}}
+{{- define "falco.engineConfiguration" -}}
+{{- if .Values.driver.enabled -}}
+{{- $supportedDrivers := list "kmod" "ebpf" "modern_ebpf" "gvisor" -}}
+{{- $aliasDrivers := list "module" "modern-bpf" -}}
+{{- if and (not (has .Values.driver.kind $supportedDrivers)) (not (has .Values.driver.kind $aliasDrivers)) -}}
+{{- fail (printf "unsupported driver kind: \"%s\". Supported drivers %s, alias %s" .Values.driver.kind $supportedDrivers $aliasDrivers) -}}
+{{- end -}}
+{{- if or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module") -}}
+{{- $kmodConfig := dict "kind" "kmod" "kmod" (dict "buf_size_preset" .Values.driver.kmod.bufSizePreset "drop_failed_exit" .Values.driver.kmod.dropFailedExit) -}}
+{{- $_ := set .Values.falco "engine" $kmodConfig -}}
+{{- else if eq .Values.driver.kind "ebpf" -}}
+{{- $ebpfConfig := dict "kind" "ebpf" "ebpf" (dict "buf_size_preset" .Values.driver.ebpf.bufSizePreset "drop_failed_exit" .Values.driver.ebpf.dropFailedExit "probe" .Values.driver.ebpf.path) -}}
+{{- $_ := set .Values.falco "engine" $ebpfConfig -}}
+{{- else if or (eq .Values.driver.kind "modern_ebpf") (eq .Values.driver.kind "modern-bpf") -}}
+{{- $ebpfConfig := dict "kind" "modern_ebpf" "modern_ebpf" (dict "buf_size_preset" .Values.driver.modernEbpf.bufSizePreset "drop_failed_exit" .Values.driver.modernEbpf.dropFailedExit "cpus_for_each_buffer" .Values.driver.modernEbpf.cpusForEachBuffer) -}}
+{{- $_ := set .Values.falco "engine" $ebpfConfig -}}
+{{- else if eq .Values.driver.kind "gvisor" -}}
+{{- $root := printf "/host%s/k8s.io" .Values.driver.gvisor.runsc.root -}}
+{{- $gvisorConfig := dict "kind" "gvisor" "gvisor" (dict "config" "/gvisor-config/pod-init.json" "root" $root) -}}
+{{- $_ := set .Values.falco "engine" $gvisorConfig -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+It returns "true" if the driver loader has to be enabled, otherwise false.
+*/}}
+{{- define "driverLoader.enabled" -}}
+{{- if or
+        (eq .Values.driver.kind "modern_ebpf")
+        (eq .Values.driver.kind "modern-bpf")
+        (eq .Values.driver.kind "gvisor")
+        (not .Values.driver.enabled)
+        (not .Values.driver.loader.enabled)
+-}}
+false
+{{- else -}}
+true
+{{- end -}}
 {{- end -}}

charts/falco/templates/configmap.yaml

@@ -8,4 +8,6 @@ metadata:
 data:
   falco.yaml: |-
     {{- include "falco.falcosidekickConfig" . }}
+    {{- include "k8smeta.configuration" . -}}
+    {{- include "falco.engineConfiguration" . -}}
     {{- toYaml .Values.falco | nindent 4 }}

charts/falco/templates/falcoctl-configmap.yaml

@@ -8,5 +8,6 @@ metadata:
     {{- include "falco.labels" . | nindent 4 }}
 data:
   falcoctl.yaml: |-
+    {{- include "k8smeta.configuration" . -}}
     {{- toYaml .Values.falcoctl.config | nindent 4 }}
 {{- end }}

charts/falco/templates/pod-template.tpl

@@ -16,7 +16,6 @@ metadata:
       {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
-  serviceAccountName: {{ include "falco.serviceAccountName" . }}
   {{- with .Values.podSecurityContext }}
   securityContext:
     {{- toYaml . | nindent 4}}
@@ -46,7 +45,7 @@ spec:
   imagePullSecrets: 
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- if .Values.gvisor.enabled }}
+  {{- if eq .Values.driver.kind "gvisor" }}
   hostNetwork: true
   hostPID: true
   {{- end }}
@@ -60,15 +59,6 @@ spec:
         {{- include "falco.securityContext" . | nindent 8 }}
       args:
         - /usr/bin/falco
-        {{- if and .Values.driver.enabled (eq .Values.driver.kind "modern-bpf") }}
-        - --modern-bpf
-        {{- end }}
-        {{- if .Values.gvisor.enabled }}
-        - --gvisor-config
-        - /gvisor-config/pod-init.json
-        - --gvisor-root
-        - /host{{ .Values.gvisor.runsc.root }}/k8s.io
-        {{- end }}
         {{- include "falco.configSyscallSource" . | indent 8 }}
         {{- with .Values.collectors }}
         {{- if .enabled }}
@@ -80,16 +70,6 @@ spec:
         - --cri
         - /run/crio/crio.sock
         {{- end }}
-        {{- if .kubernetes.enabled }}
-        - -K
-        - {{ .kubernetes.apiAuth }}
-        - -k
-        - {{ .kubernetes.apiUrl }}
-        {{- if .kubernetes.enableNodeFilter }}
-        - --k8s-node
-        - "$(FALCO_K8S_NODE_NAME)"
-        {{- end }}
-        {{- end }}
         - -pk
         {{- end }}
         {{- end }}
@@ -101,10 +81,6 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
-      {{- if and .Values.driver.enabled (eq .Values.driver.kind "ebpf") }}
-        - name: FALCO_BPF_PROBE
-          value: {{ .Values.driver.ebpf.path }}
-      {{- end }}
       {{- if .Values.extra.env }}
       {{- include "falco.renderTemplate" ( dict "value" .Values.extra.env "context" $) | nindent 8 }}
       {{- end }}
@@ -158,11 +134,13 @@ spec:
         - mountPath: /host/usr
           name: usr-fs
           readOnly: true
+        {{- end }}
+        {{- if .Values.driver.enabled }}
         - mountPath: /host/etc
           name: etc-fs
           readOnly: true
-        {{- end }}
-        {{- if and .Values.driver.enabled (eq .Values.driver.kind "module") }}
+        {{- end -}}
+        {{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) }}
         - mountPath: /host/dev
           name: dev-fs
           readOnly: true
@@ -210,13 +188,13 @@ spec:
         {{- with .Values.mounts.volumeMounts }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
-        {{- if .Values.gvisor.enabled }}
+        {{- if eq .Values.driver.kind "gvisor" }}
         - mountPath: /usr/local/bin/runsc
           name: runsc-path
           readOnly: true
-        - mountPath: /host{{ .Values.gvisor.runsc.root }}
+        - mountPath: /host{{ .Values.driver.gvisor.runsc.root }}
           name: runsc-root
-        - mountPath: /host{{ .Values.gvisor.runsc.config }}
+        - mountPath: /host{{ .Values.driver.gvisor.runsc.config }}
           name: runsc-config
         - mountPath: /gvisor-config
           name: falco-gvisor-config
@@ -228,14 +206,12 @@ spec:
   {{- with .Values.extra.initContainers }}
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- if and .Values.gvisor.enabled }}
+  {{- if eq .Values.driver.kind "gvisor" }}
   {{- include "falco.gvisor.initContainer" . | nindent 4 }}
   {{- end }}
-  {{- if and .Values.driver.enabled (ne .Values.driver.kind "modern-bpf") }}
-  {{- if.Values.driver.loader.enabled }}
+  {{- if eq (include "driverLoader.enabled" .) "true" }}
     {{- include "falco.driverLoader.initContainer" . | nindent 4 }}
   {{- end }}
-  {{- end }}
   {{- if .Values.falcoctl.artifact.install.enabled }}
     {{- include "falcoctl.initContainer" . | nindent 4 }}
   {{- end }}
@@ -262,7 +238,7 @@ spec:
       hostPath:
         path: /etc
     {{- end }}
-    {{- if and .Values.driver.enabled (eq .Values.driver.kind "module") }}
+    {{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) }}
     - name: dev-fs
       hostPath:
         path: /dev
@@ -299,17 +275,17 @@ spec:
       hostPath:
         path: /proc
     {{- end }}
-    {{- if .Values.gvisor.enabled }}
+    {{- if eq .Values.driver.kind "gvisor" }}
     - name: runsc-path
       hostPath:
-        path: {{ .Values.gvisor.runsc.path }}/runsc
+        path: {{ .Values.driver.gvisor.runsc.path }}/runsc
         type: File
     - name: runsc-root
       hostPath:
-        path: {{ .Values.gvisor.runsc.root }}
+        path: {{ .Values.driver.gvisor.runsc.root }}
     - name: runsc-config
       hostPath:
-        path: {{ .Values.gvisor.runsc.config }}
+        path: {{ .Values.driver.gvisor.runsc.config }}
         type: File
     - name: falco-gvisor-config
       emptyDir: {}
@@ -359,18 +335,21 @@ spec:
 - name: {{ .Chart.Name }}-driver-loader
   image: {{ include "falco.driverLoader.image" . }}
   imagePullPolicy: {{ .Values.driver.loader.initContainer.image.pullPolicy }}
-  {{- with .Values.driver.loader.initContainer.args }}
   args:
+  {{- with .Values.driver.loader.initContainer.args }}
     {{- toYaml . | nindent 4 }}
   {{- end }}
+  {{- if eq .Values.driver.kind "ebpf" }}
+    - ebpf
+   {{- end }}
   {{- with .Values.driver.loader.initContainer.resources }}
   resources:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   securityContext:
   {{- if .Values.driver.loader.initContainer.securityContext }}
     {{- toYaml .Values.driver.loader.initContainer.securityContext | nindent 4 }}
-  {{- else if eq .Values.driver.kind "module" }}
+  {{- else if (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) }}
     privileged: true
   {{- end }}
   volumeMounts:
@@ -391,10 +370,6 @@ spec:
       name: etc-fs
       readOnly: true
   env:
-  {{- if eq .Values.driver.kind "ebpf" }}
-    - name: FALCO_BPF_PROBE
-      value: {{ .Values.driver.ebpf.path }}
-  {{- end }}
   {{- if .Values.driver.loader.initContainer.env }}
   {{- include "falco.renderTemplate" ( dict "value" .Values.driver.loader.initContainer.env "context" $) | nindent 4 }}
   {{- end }}
@@ -403,7 +378,7 @@ spec:
 {{- define "falco.securityContext" -}}
 {{- $securityContext := dict -}}
 {{- if .Values.driver.enabled -}}
-  {{- if eq .Values.driver.kind "module" -}}
+  {{- if (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) -}}
     {{- $securityContext := set $securityContext "privileged" true -}}
   {{- end -}}
   {{- if eq .Values.driver.kind "ebpf" -}}
@@ -413,8 +388,8 @@ spec:
       {{- $securityContext := set $securityContext "privileged" true -}}
     {{- end -}}
   {{- end -}}
-  {{- if eq .Values.driver.kind "modern-bpf" -}}
-    {{- if .Values.driver.modern_bpf.leastPrivileged -}}
+  {{- if (or (eq .Values.driver.kind "modern_ebpf") (eq .Values.driver.kind "modern-bpf")) -}}
+    {{- if .Values.driver.modernEbpf.leastPrivileged -}}
       {{- $securityContext := set $securityContext "capabilities" (dict "add" (list "BPF" "SYS_RESOURCE" "PERFMON" "SYS_PTRACE")) -}}
     {{- else -}}
       {{- $securityContext := set $securityContext "privileged" true -}}

charts/falco/tests/unit/consts.go

@@ -0,0 +1,22 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package unit
+
+const (
+	releaseName                  = "rendered-resources"
+	patternK8sMetacollectorFiles = `# Source: falco/charts/k8s-metacollector/templates/([^\n]+)`
+	k8sMetaPluginName            = "k8smeta"
+)

charts/falco/tests/unit/doc.go

@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package unit contains the unit tests for the Falco chart.
+package unit

charts/falco/tests/unit/driverConfig_test.go

@@ -0,0 +1,302 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package unit
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/gruntwork-io/terratest/modules/helm"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestDriverConfigInFalcoConfig(t *testing.T) {
+	t.Parallel()
+
+	helmChartPath, err := filepath.Abs(chartPath)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name     string
+		values   map[string]string
+		expected func(t *testing.T, config any)
+	}{
+		{
+			"defaultValues",
+			nil,
+			func(t *testing.T, config any) {
+				require.Len(t, config, 2, "should have only two items")
+				kind, bufSizePreset, dropFailedExit, err := getKmodConfig(config)
+				require.NoError(t, err)
+				require.Equal(t, "kmod", kind)
+				require.Equal(t, float64(4), bufSizePreset)
+				require.False(t, dropFailedExit)
+			},
+		},
+		{
+			"kind=kmod",
+			map[string]string{
+				"driver.kind": "kmod",
+			},
+			func(t *testing.T, config any) {
+				require.Len(t, config, 2, "should have only two items")
+				kind, bufSizePreset, dropFailedExit, err := getKmodConfig(config)
+				require.NoError(t, err)
+				require.Equal(t, "kmod", kind)
+				require.Equal(t, float64(4), bufSizePreset)
+				require.False(t, dropFailedExit)
+			},
+		},
+		{
+			"kind=module(alias)",
+			map[string]string{
+				"driver.kind": "module",
+			},
+			func(t *testing.T, config any) {
+				require.Len(t, config, 2, "should have only two items")
+				kind, bufSizePreset, dropFailedExit, err := getKmodConfig(config)
+				require.NoError(t, err)
+				require.Equal(t, "kmod", kind)
+				require.Equal(t, float64(4), bufSizePreset)
+				require.False(t, dropFailedExit)
+			},
+		},
+		{
+			"kmod=onfig",
+			map[string]string{
+				"driver.kmod.bufSizePreset":  "6",
+				"driver.kmod.dropFailedExit": "true",
+			},
+			func(t *testing.T, config any) {
+				require.Len(t, config, 2, "should have only two items")
+				kind, bufSizePreset, dropFailedExit, err := getKmodConfig(config)
+				require.NoError(t, err)
+				require.Equal(t, "kmod", kind)
+				require.Equal(t, float64(6), bufSizePreset)
+				require.True(t, dropFailedExit)
+			},
+		},
+		{
+			"kind=ebpf",
+			map[string]string{
+				"driver.kind":                "ebpf",
+				"driver.ebpf.bufSizePreset":  "6",
+				"driver.ebpf.dropFailedExit": "true",
+				"driver.ebpf.path":           "testing/Path/ebpf",
+			},
+			func(t *testing.T, config any) {
+				require.Len(t, config, 2, "should have only two items")
+				kind, path, bufSizePreset, dropFailedExit, err := getEbpfConfig(config)
+				require.NoError(t, err)
+				require.Equal(t, "ebpf", kind)
+				require.Equal(t, "testing/Path/ebpf", path)
+				require.Equal(t, float64(6), bufSizePreset)
+				require.True(t, dropFailedExit)
+			},
+		},
+		{
+			"ebpf=config",
+			map[string]string{
+				"driver.kind": "ebpf",
+			},
+			func(t *testing.T, config any) {
+				require.Len(t, config, 2, "should have only two items")
+				kind, path, bufSizePreset, dropFailedExit, err := getEbpfConfig(config)
+				require.NoError(t, err)
+				require.Equal(t, "ebpf", kind)
+				require.Equal(t, "${HOME}/.falco/falco-bpf.o", path)
+				require.Equal(t, float64(4), bufSizePreset)
+				require.False(t, dropFailedExit)
+			},
+		},
+		{
+			"kind=modern_ebpf",
+			map[string]string{
+				"driver.kind": "modern_ebpf",
+			},
+			func(t *testing.T, config any) {
+				require.Len(t, config, 2, "should have only two items")
+				kind, bufSizePreset, cpusForEachBuffer, dropFailedExit, err := getModernEbpfConfig(config)
+				require.NoError(t, err)
+				require.Equal(t, "modern_ebpf", kind)
+				require.Equal(t, float64(4), bufSizePreset)
+				require.Equal(t, float64(2), cpusForEachBuffer)
+				require.False(t, dropFailedExit)
+			},
+		},
+		{
+			"kind=modern-bpf(alias)",
+			map[string]string{
+				"driver.kind": "modern-bpf",
+			},
+			func(t *testing.T, config any) {
+				require.Len(t, config, 2, "should have only two items")
+				kind, bufSizePreset, cpusForEachBuffer, dropFailedExit, err := getModernEbpfConfig(config)
+				require.NoError(t, err)
+				require.Equal(t, "modern_ebpf", kind)
+				require.Equal(t, float64(4), bufSizePreset)
+				require.Equal(t, float64(2), cpusForEachBuffer)
+				require.False(t, dropFailedExit)
+			},
+		},
+		{
+			"modernEbpf=config",
+			map[string]string{
+				"driver.kind":                         "modern-bpf",
+				"driver.modernEbpf.bufSizePreset":     "6",
+				"driver.modernEbpf.dropFailedExit":    "true",
+				"driver.modernEbpf.cpusForEachBuffer": "8",
+			},
+			func(t *testing.T, config any) {
+				require.Len(t, config, 2, "should have only two items")
+				kind, bufSizePreset, cpusForEachBuffer, dropFailedExit, err := getModernEbpfConfig(config)
+				require.NoError(t, err)
+				require.Equal(t, "modern_ebpf", kind)
+				require.Equal(t, float64(6), bufSizePreset)
+				require.Equal(t, float64(8), cpusForEachBuffer)
+				require.True(t, dropFailedExit)
+			},
+		},
+		{
+			"kind=gvisor",
+			map[string]string{
+				"driver.kind": "gvisor",
+			},
+			func(t *testing.T, config any) {
+				require.Len(t, config, 2, "should have only two items")
+				kind, config, root, err := getGvisorConfig(config)
+				require.NoError(t, err)
+				require.Equal(t, "gvisor", kind)
+				require.Equal(t, "/gvisor-config/pod-init.json", config)
+				require.Equal(t, "/host/run/containerd/runsc/k8s.io", root)
+			},
+		},
+		{
+			"gvisor=config",
+			map[string]string{
+				"driver.kind":              "gvisor",
+				"driver.gvisor.runsc.root": "/my/root/test",
+			},
+			func(t *testing.T, config any) {
+				require.Len(t, config, 2, "should have only two items")
+				kind, config, root, err := getGvisorConfig(config)
+				require.NoError(t, err)
+				require.Equal(t, "gvisor", kind)
+				require.Equal(t, "/gvisor-config/pod-init.json", config)
+				require.Equal(t, "/host/my/root/test/k8s.io", root)
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		testCase := testCase
+
+		t.Run(testCase.name, func(t *testing.T) {
+			t.Parallel()
+
+			options := &helm.Options{SetValues: testCase.values}
+			output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/configmap.yaml"})
+
+			var cm corev1.ConfigMap
+			helm.UnmarshalK8SYaml(t, output, &cm)
+			var config map[string]interface{}
+
+			helm.UnmarshalK8SYaml(t, cm.Data["falco.yaml"], &config)
+			engine := config["engine"]
+			testCase.expected(t, engine)
+		})
+	}
+}
+
+func TestDriverConfigWithUnsupportedDriver(t *testing.T) {
+	t.Parallel()
+
+	helmChartPath, err := filepath.Abs(chartPath)
+	require.NoError(t, err)
+
+	values := map[string]string{
+		"driver.kind": "notExisting",
+	}
+	options := &helm.Options{SetValues: values}
+	_, err = helm.RenderTemplateE(t, options, helmChartPath, releaseName, []string{"templates/configmap.yaml"})
+	require.Error(t, err)
+	require.True(t, strings.Contains(err.Error(), "unsupported driver kind: \"notExisting\". Supported drivers [kmod ebpf modern_ebpf gvisor], alias [module modern-bpf]"))
+}
+
+func getKmodConfig(config interface{}) (kind string, bufSizePreset float64, dropFailedExit bool, err error) {
+	configMap, ok := config.(map[string]interface{})
+	if !ok {
+		err = fmt.Errorf("can't assert type of config")
+		return
+	}
+
+	kind = configMap["kind"].(string)
+	kmod := configMap["kmod"].(map[string]interface{})
+	bufSizePreset = kmod["buf_size_preset"].(float64)
+	dropFailedExit = kmod["drop_failed_exit"].(bool)
+
+	return
+}
+
+func getEbpfConfig(config interface{}) (kind, path string, bufSizePreset float64, dropFailedExit bool, err error) {
+	configMap, ok := config.(map[string]interface{})
+	if !ok {
+		err = fmt.Errorf("can't assert type of config")
+		return
+	}
+
+	kind = configMap["kind"].(string)
+	ebpf := configMap["ebpf"].(map[string]interface{})
+	bufSizePreset = ebpf["buf_size_preset"].(float64)
+	dropFailedExit = ebpf["drop_failed_exit"].(bool)
+	path = ebpf["probe"].(string)
+
+	return
+}
+
+func getModernEbpfConfig(config interface{}) (kind string, bufSizePreset, cpusForEachBuffer float64, dropFailedExit bool, err error) {
+	configMap, ok := config.(map[string]interface{})
+	if !ok {
+		err = fmt.Errorf("can't assert type of config")
+		return
+	}
+
+	kind = configMap["kind"].(string)
+	modernEbpf := configMap["modern_ebpf"].(map[string]interface{})
+	bufSizePreset = modernEbpf["buf_size_preset"].(float64)
+	dropFailedExit = modernEbpf["drop_failed_exit"].(bool)
+	cpusForEachBuffer = modernEbpf["cpus_for_each_buffer"].(float64)
+
+	return
+}
+
+func getGvisorConfig(cfg interface{}) (kind, config, root string, err error) {
+	configMap, ok := cfg.(map[string]interface{})
+	if !ok {
+		err = fmt.Errorf("can't assert type of config")
+		return
+	}
+
+	kind = configMap["kind"].(string)
+	gvisor := configMap["gvisor"].(map[string]interface{})
+	config = gvisor["config"].(string)
+	root = gvisor["root"].(string)
+
+	return
+}

charts/falco/tests/unit/driverLoader_test.go

@@ -0,0 +1,131 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package unit
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/gruntwork-io/terratest/modules/helm"
+	"github.com/stretchr/testify/require"
+	appsv1 "k8s.io/api/apps/v1"
+)
+
+// TestDriverLoaderEnabled tests the helper that enables the driver loader based on the configuration.
+func TestDriverLoaderEnabled(t *testing.T) {
+	t.Parallel()
+
+	helmChartPath, err := filepath.Abs(chartPath)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name     string
+		values   map[string]string
+		expected bool
+	}{
+		{
+			"defaultValues",
+			nil,
+			true,
+		},
+		{
+			"driver.kind=modern-bpf",
+			map[string]string{
+				"driver.kind": "modern-bpf",
+			},
+			false,
+		},
+		{
+			"driver.kind=modern_ebpf",
+			map[string]string{
+				"driver.kind": "modern_ebpf",
+			},
+			false,
+		},
+		{
+			"driver.kind=gvisor",
+			map[string]string{
+				"driver.kind": "gvisor",
+			},
+			false,
+		},
+		{
+			"driver.disabled",
+			map[string]string{
+				"driver.enabled": "false",
+			},
+			false,
+		},
+		{
+			"driver.loader.disabled",
+			map[string]string{
+				"driver.loader.enabled": "false",
+			},
+			false,
+		},
+		{
+			"driver.kind=kmod",
+			map[string]string{
+				"driver.kind": "kmod",
+			},
+			true,
+		},
+		{
+			"driver.kind=module",
+			map[string]string{
+				"driver.kind": "module",
+			},
+			true,
+		},
+		{
+			"driver.kind=ebpf",
+			map[string]string{
+				"driver.kind": "ebpf",
+			},
+			true,
+		},
+		{
+			"driver.kind=kmod&driver.loader.disabled",
+			map[string]string{
+				"driver.kind":           "kmod",
+				"driver.loader.enabled": "false",
+			},
+			false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		testCase := testCase
+
+		t.Run(testCase.name, func(t *testing.T) {
+			t.Parallel()
+
+			options := &helm.Options{SetValues: testCase.values}
+			output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/daemonset.yaml"})
+
+			var ds appsv1.DaemonSet
+			helm.UnmarshalK8SYaml(t, output, &ds)
+			found := false
+			for i := range ds.Spec.Template.Spec.InitContainers {
+				if ds.Spec.Template.Spec.InitContainers[i].Name == "falco-driver-loader" {
+					found = true
+				}
+			}
+
+			require.Equal(t, testCase.expected, found)
+		})
+	}
+}

charts/falco/values-gvisor-gke.yaml

@@ -22,17 +22,15 @@ tolerations:
     operator: Equal
     value: gvisor
 
-# Disable the driver since it is not needed.
+# Enable gVisor and set the appropriate paths.
 driver:
-  enabled: false
-
-# Enable gVisor and set the appropriate paths. 
-gvisor:
   enabled: true
-  runsc:
-    path: /home/containerd/usr/local/sbin
-    root: /run/containerd/runsc
-    config: /run/containerd/runsc/config.toml
+  kind: gvisor
+  gvisor:
+    runsc:
+      path: /home/containerd/usr/local/sbin
+      root: /run/containerd/runsc
+      config: /run/containerd/runsc/config.toml
 
 # Enable the containerd collector to enrich the syscall events with metadata.
 collectors:
@@ -53,15 +51,13 @@ falcoctl:
   config:
     artifact:
       install:
-        # -- Do not resolve the depenencies for artifacts. By default is true, but for our use case we disable it.
-        resolveDeps: false
         # -- List of artifacts to be installed by the falcoctl init container.
         # We do not recommend installing (or following) plugins for security reasons since they are executable objects.
-        refs: [falco-rules:1]
+        refs: [falco-rules:3]
       follow:
         # -- List of artifacts to be followed by the falcoctl sidecar container.
         # We do not recommend installing (or following) plugins for security reasons since they are executable objects.
-        refs: [falco-rules:1]
+        refs: [falco-rules:3]
 
 # Set this to true to force Falco so output the logs as soon as they are emmitted.
 tty: false

charts/falco/values-k8saudit.yaml

@@ -18,23 +18,19 @@ controller:
 falcoctl:
   artifact:
     install:
-      # -- Enable the init container. We do not recommend installing (or following) plugins for security reasons since they are executable objects.
+      # -- Enable the init container.
       enabled: true
     follow:
-      # -- Enable the sidecar container. We do not support it yet for plugins. It is used only for rules feed such as k8saudit-rules rules.
+      # -- Enable the sidecar container.
       enabled: true
   config:
     artifact:
       install:
-        # -- Do not resolve the depenencies for artifacts. By default is true, but for our use case we disable it.
-        resolveDeps: false
         # -- List of artifacts to be installed by the falcoctl init container.
-        # Only rulesfiles, we do no recommend plugins for security reasonts since they are executable objects.
-        refs: [k8saudit-rules:0.6]
+        refs: [k8saudit-rules:0.7]
       follow:
         # -- List of artifacts to be followed by the falcoctl sidecar container.
-        # Only rulesfiles, we do no recommend plugins for security reasonts since they are executable objects.
-        refs: [k8saudit-rules:0.6]
+        refs: [k8saudit-rules:0.7]
 
 services:
   - name: k8saudit-webhook

charts/falco/values-syscall-k8saudit.yaml

@@ -21,24 +21,19 @@ controller:
 falcoctl:
   artifact:
     install:
-      # -- Enable the init container. We do not recommend installing plugins for security reasons since they are executable objects.
-      # We install only "rulesfiles".
+      # -- Enable the init container.
       enabled: true
     follow:
-      # -- Enable the sidecar container. We do not support it yet for plugins. It is used only for rules feed such as k8saudit-rules rules.
+      # -- Enable the sidecar container.
       enabled: true
   config:
     artifact:
       install:
-        # -- Do not resolve the depenencies for artifacts. By default is true, but for our use case we disable it.
-        resolveDeps: false
         # -- List of artifacts to be installed by the falcoctl init container.
-        # We do not recommend installing (or following) plugins for security reasons since they are executable objects.
-        refs: [falco-rules:2, k8saudit-rules:0.6]
+        refs: [falco-rules:3, k8saudit-rules:0.7]
       follow:
         # -- List of artifacts to be followed by the falcoctl sidecar container.
-        # We do not recommend installing (or following) plugins for security reasons since they are executable objects.
-        refs: [falco-rules:2, k8saudit-rules:0.6]
+        refs: [falco-rules:3, k8saudit-rules:0.7]
 
 services:
   - name: k8saudit-webhook

tests/falco-test-ci.yaml

@@ -1,19 +1,56 @@
 # CI values for Falco.
 # To deploy Falco on CI we need to set an argument to bypass the installation
 # of the kernel module, so we bypass that.
-extra:
-  args:
-  - --userspace
-
-falco:
-  grpc:
-    enabled: true
-  grpc_output:
-    enabled: true
-
+# -- Disable the drivers since we want to deploy only the k8saudit plugin.
 driver:
   enabled: false
 
-# enforce /proc mounting since Falco still tries to scan it
-mounts:
-  enforceProcMount: true
+# -- Disable the collectors, no syscall events to enrich with metadata.
+collectors:
+  enabled: false
+
+falcoctl:
+  artifact:
+    install:
+      # -- Enable the init container.
+      enabled: true
+    follow:
+      # -- Enable the sidecar container.
+      enabled: true
+  config:
+    artifact:
+      install:
+        # -- Resolve the dependencies for artifacts.
+        resolveDeps: true
+        # -- List of artifacts to be installed by the falcoctl init container.
+        refs: [k8saudit-rules:0.6]
+      follow:
+        # -- List of artifacts to be followed by the falcoctl sidecar container.
+        refs: [k8saudit-rules:0.6]
+
+services:
+  - name: k8saudit-webhook
+    type: NodePort
+    ports:
+      - port: 9765 # See plugin open_params
+        nodePort: 30007
+        protocol: TCP
+
+falco:
+  rules_file:
+    - /etc/falco/k8s_audit_rules.yaml
+    - /etc/falco/rules.d
+  plugins:
+    - name: k8saudit
+      library_path: libk8saudit.so
+      init_config:
+        ""
+        # maxEventBytes: 1048576
+      # sslCertificate: /etc/falco/falco.pem
+      open_params: "http://:9765/k8s-audit"
+    - name: json
+      library_path: libjson.so
+      init_config: ""
+  # Plugins that Falco will load. Note: the same plugins are installed by the falcoctl-artifact-install init container.
+  load_plugins: [k8saudit, json]
+