Skip to content

Instantly share code, notes, and snippets.

@rasheedamir
Last active March 12, 2023 17:41
Show Gist options
  • Save rasheedamir/8da702d13283bb100dd6f9ac695d7c2c to your computer and use it in GitHub Desktop.
Save rasheedamir/8da702d13283bb100dd6f9ac695d7c2c to your computer and use it in GitHub Desktop.

I started like this!

apiVersion: v2
name: falco
description: A Helm chart of falco for Kubernetes
dependencies:
  - name: falco
    version: 3.1.0
    repository: https://falcosecurity.github.io/charts
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application

# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.0.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "3.1.0"
serviceAccount:
  # -- Specifies whether a service account should be created.
  create: true
  # -- Annotations to add to the service account.
  annotations: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

falco:

  docker:
    enabled: false

  falco:
    json_output: true
    json_include_output_property: true
    log_syslog: false
    log_level: info
    http_output:
      enabled: false
      url: http://falcosidekick.stakater-falco:2801/ #TODO: fix this!

  scc:
    create: false

  falcosidekick:

    enabled: true

    webui:
      enabled: true

    config:
      alertmanager:
        hostport: http://alertmanager-main.openshift-monitoring.svc:9094 # TODO! Its hard coded
        minimumpriority: debug
        mutualtls: ""
        checkcert: false  # Will have to check if the cert issue is still there; for now use this!
@rasheedamir
Copy link
Author

rasheedamir commented Feb 26, 2023

This is rendered output

kind: Pod
apiVersion: v1
metadata:
  generateName: sysdig-falco-
  annotations:
    checksum/certs: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    checksum/config: b2e45c270c56b3cae4d651bf66fcbfa9622a92ec68d54cd76cef4a7990a47d55
    checksum/rules: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    k8s.ovn.org/pod-networks: >-
      {"default":{"ip_addresses":["10.128.1.78/23"],"mac_address":"0a:58:0a:80:01:4e","gateway_ips":["10.128.0.1"],"ip_address":"10.128.1.78/23","gateway_ip":"10.128.0.1"}}
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "ovn-kubernetes",
          "interface": "eth0",
          "ips": [
              "10.128.1.78"
          ],
          "mac": "0a:58:0a:80:01:4e",
          "default": true,
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks-status: |-
      [{
          "name": "ovn-kubernetes",
          "interface": "eth0",
          "ips": [
              "10.128.1.78"
          ],
          "mac": "0a:58:0a:80:01:4e",
          "default": true,
          "dns": {}
      }]
    openshift.io/scc: sysdig-falco
  resourceVersion: '39872203'
  name: sysdig-falco-dt5zc
  uid: 1a5df3a8-9057-4f0f-9dda-8c1a3afcd3cd
  creationTimestamp: '2023-02-25T21:07:03Z'
  namespace: stakater-falco
  ownerReferences:
    - apiVersion: apps/v1
      kind: DaemonSet
      name: sysdig-falco
      uid: f1f6e9eb-54fc-4e49-b2ec-899e13d94d9c
      controller: true
      blockOwnerDeletion: true
  labels:
    app.kubernetes.io/instance: sysdig-falco
    app.kubernetes.io/managed-by: tilt
    app.kubernetes.io/name: falco
    controller-revision-hash: 66bfb47945
    pod-template-generation: '1'
    tilt.dev/pod-template-hash: 57aee80f36d8cebe24f7
spec:
  restartPolicy: Always
  initContainers:
    - name: falco-driver-loader
      image: 'docker.io/falcosecurity/falco-driver-loader:0.34.1'
      resources: {}
      volumeMounts:
        - name: root-falco-fs
          mountPath: /root/.falco
        - name: proc-fs
          readOnly: true
          mountPath: /host/proc
        - name: boot-fs
          readOnly: true
          mountPath: /host/boot
        - name: lib-modules
          mountPath: /host/lib/modules
        - name: usr-fs
          readOnly: true
          mountPath: /host/usr
        - name: etc-fs
          readOnly: true
          mountPath: /host/etc
        - name: kube-api-access-k5zlv
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
      securityContext:
        privileged: true
    - name: falcoctl-artifact-install
      image: 'docker.io/falcosecurity/falcoctl:0.4.0'
      args:
        - artifact
        - install
        - '--verbose'
      resources: {}
      volumeMounts:
        - name: plugins-install-dir
          mountPath: /plugins
        - name: rulesfiles-install-dir
          mountPath: /rulesfiles
        - name: falcoctl-config-volume
          mountPath: /etc/falcoctl
        - name: kube-api-access-k5zlv
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
  serviceAccountName: sysdig-falco
  imagePullSecrets:
    - name: sysdig-falco-dockercfg-s62g2
  priority: 0
  schedulerName: default-scheduler
  enableServiceLinks: true
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchFields:
              - key: metadata.name
                operator: In
                values:
                  - 00-0c-29-cc-92-de
  terminationGracePeriodSeconds: 30
  preemptionPolicy: PreemptLowerPriority
  nodeName: 00-0c-29-cc-92-de
  securityContext: {}
  containers:
    - resources:
        limits:
          cpu: '1'
          memory: 1Gi
        requests:
          cpu: 100m
          memory: 512Mi
      readinessProbe:
        httpGet:
          path: /healthz
          port: 8765
          scheme: HTTP
        initialDelaySeconds: 30
        timeoutSeconds: 5
        periodSeconds: 15
        successThreshold: 1
        failureThreshold: 3
      terminationMessagePath: /dev/termination-log
      name: falco
      livenessProbe:
        httpGet:
          path: /healthz
          port: 8765
          scheme: HTTP
        initialDelaySeconds: 60
        timeoutSeconds: 5
        periodSeconds: 15
        successThreshold: 1
        failureThreshold: 3
      env:
        - name: FALCO_K8S_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
      securityContext:
        privileged: true
      imagePullPolicy: IfNotPresent
      volumeMounts:
        - name: rulesfiles-install-dir
          mountPath: /etc/falco
        - name: root-falco-fs
          mountPath: /root/.falco
        - name: proc-fs
          mountPath: /host/proc
        - name: dev-fs
          readOnly: true
          mountPath: /host/dev
        - name: sys-fs
          mountPath: /sys/module/falco
        - name: docker-socket
          mountPath: /host/var/run/docker.sock
        - name: containerd-socket
          mountPath: /host/run/containerd/containerd.sock
        - name: crio-socket
          mountPath: /host/run/crio/crio.sock
        - name: falco-yaml
          mountPath: /etc/falco/falco.yaml
          subPath: falco.yaml
        - name: kube-api-access-k5zlv
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePolicy: File
      image: 'docker.io/falcosecurity/falco-no-driver:0.34.1'
      args:
        - /usr/bin/falco
        - '--cri'
        - /run/containerd/containerd.sock
        - '--cri'
        - /run/crio/crio.sock
        - '-K'
        - /var/run/secrets/kubernetes.io/serviceaccount/token
        - '-k'
        - 'https://$(KUBERNETES_SERVICE_HOST)'
        - '--k8s-node'
        - $(FALCO_K8S_NODE_NAME)
        - '-pk'
    - name: falcoctl-artifact-follow
      image: 'docker.io/falcosecurity/falcoctl:0.4.0'
      args:
        - artifact
        - follow
        - '--verbose'
      resources: {}
      volumeMounts:
        - name: plugins-install-dir
          mountPath: /plugins
        - name: rulesfiles-install-dir
          mountPath: /rulesfiles
        - name: falcoctl-config-volume
          mountPath: /etc/falcoctl
        - name: kube-api-access-k5zlv
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
  serviceAccount: sysdig-falco
  volumes:
    - name: plugins-install-dir
      emptyDir: {}
    - name: rulesfiles-install-dir
      emptyDir: {}
    - name: root-falco-fs
      emptyDir: {}
    - name: boot-fs
      hostPath:
        path: /boot
        type: ''
    - name: lib-modules
      hostPath:
        path: /lib/modules
        type: ''
    - name: usr-fs
      hostPath:
        path: /usr
        type: ''
    - name: etc-fs
      hostPath:
        path: /etc
        type: ''
    - name: dev-fs
      hostPath:
        path: /dev
        type: ''
    - name: sys-fs
      hostPath:
        path: /sys/module/falco
        type: ''
    - name: docker-socket
      hostPath:
        path: /var/run/docker.sock
        type: ''
    - name: containerd-socket
      hostPath:
        path: /run/containerd/containerd.sock
        type: ''
    - name: crio-socket
      hostPath:
        path: /run/crio/crio.sock
        type: ''
    - name: proc-fs
      hostPath:
        path: /proc
        type: ''
    - name: falcoctl-config-volume
      configMap:
        name: sysdig-falco-falcoctl
        items:
          - key: falcoctl.yaml
            path: falcoctl.yaml
        defaultMode: 420
    - name: falco-yaml
      configMap:
        name: sysdig-falco
        items:
          - key: falco.yaml
            path: falco.yaml
        defaultMode: 420
    - name: kube-api-access-k5zlv
      projected:
        sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              name: kube-root-ca.crt
              items:
                - key: ca.crt
                  path: ca.crt
          - downwardAPI:
              items:
                - path: namespace
                  fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.namespace
          - configMap:
              name: openshift-service-ca.crt
              items:
                - key: service-ca.crt
                  path: service-ca.crt
        defaultMode: 420
  dnsPolicy: ClusterFirst
  tolerations:
    - key: node-role.kubernetes.io/master
      effect: NoSchedule
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule
    - key: node.kubernetes.io/not-ready
      operator: Exists
      effect: NoExecute
    - key: node.kubernetes.io/unreachable
      operator: Exists
      effect: NoExecute
    - key: node.kubernetes.io/disk-pressure
      operator: Exists
      effect: NoSchedule
    - key: node.kubernetes.io/memory-pressure
      operator: Exists
      effect: NoSchedule
    - key: node.kubernetes.io/pid-pressure
      operator: Exists
      effect: NoSchedule
    - key: node.kubernetes.io/unschedulable
      operator: Exists
      effect: NoSchedule
status:
  containerStatuses:
    - name: falco
      state:
        waiting:
          reason: PodInitializing
      lastState: {}
      ready: false
      restartCount: 0
      image: 'docker.io/falcosecurity/falco-no-driver:0.34.1'
      imageID: ''
      started: false
    - name: falcoctl-artifact-follow
      state:
        waiting:
          reason: PodInitializing
      lastState: {}
      ready: false
      restartCount: 0
      image: 'docker.io/falcosecurity/falcoctl:0.4.0'
      imageID: ''
      started: false
  qosClass: Burstable
  podIPs:
    - ip: 10.128.1.78
  podIP: 10.128.1.78
  hostIP: 10.10.0.92
  startTime: '2023-02-25T21:07:03Z'
  initContainerStatuses:
    - name: falco-driver-loader
      state:
        waiting:
          reason: CrashLoopBackOff
          message: >-
            back-off 5m0s restarting failed container=falco-driver-loader
            pod=sysdig-falco-dt5zc_stakater-falco(1a5df3a8-9057-4f0f-9dda-8c1a3afcd3cd)
      lastState:
        terminated:
          exitCode: 1
          reason: Error
          startedAt: '2023-02-26T10:12:45Z'
          finishedAt: '2023-02-26T10:13:19Z'
          containerID: >-
            cri-o://d5e0a5bdfaa811557c8a7cbd45e22beb6de4b236d04053143f6ce1dabc5eb52d
      ready: false
      restartCount: 146
      image: 'docker.io/falcosecurity/falco-driver-loader:0.34.1'
      imageID: >-
        docker.io/falcosecurity/falco-driver-loader@sha256:1bcd4984b3748af1a48c585fb3ee94953a4f2a7ece0750895ad6c28355532d45
      containerID: 'cri-o://d5e0a5bdfaa811557c8a7cbd45e22beb6de4b236d04053143f6ce1dabc5eb52d'
    - name: falcoctl-artifact-install
      state:
        waiting:
          reason: PodInitializing
      lastState: {}
      ready: false
      restartCount: 0
      image: 'docker.io/falcosecurity/falcoctl:0.4.0'
      imageID: ''
  conditions:
    - type: Initialized
      status: 'False'
      lastProbeTime: null
      lastTransitionTime: '2023-02-25T21:07:03Z'
      reason: ContainersNotInitialized
      message: >-
        containers with incomplete status: [falco-driver-loader
        falcoctl-artifact-install]
    - type: Ready
      status: 'False'
      lastProbeTime: null
      lastTransitionTime: '2023-02-25T21:07:03Z'
      reason: ContainersNotReady
      message: 'containers with unready status: [falco falcoctl-artifact-follow]'
    - type: ContainersReady
      status: 'False'
      lastProbeTime: null
      lastTransitionTime: '2023-02-25T21:07:03Z'
      reason: ContainersNotReady
      message: 'containers with unready status: [falco falcoctl-artifact-follow]'
    - type: PodScheduled
      status: 'True'
      lastProbeTime: null
      lastTransitionTime: '2023-02-25T21:07:03Z'
  phase: Pending

@rasheedamir
Copy link
Author

2 init containers

  • image: 'docker.io/falcosecurity/falco-driver-loader:0.34.1'
  • image: 'docker.io/falcosecurity/falcoctl:0.4.0'

@rasheedamir
Copy link
Author

So, far it's not working

@rasheedamir
Copy link
Author

Going to try ebpf; and see how we can use it:

# Driver settings (scenario requirement)
driver:
  # -- Set it to false if you want to deploy Falco without the drivers.
  # Always set it to false when using Falco with plugins.
  enabled: true
  # -- Tell Falco which driver to use. Available options: module (kernel driver), ebpf (eBPF probe), modern-bpf (modern eBPF probe).
  kind: module
  # -- Configuration section for ebpf driver.
  ebpf:
    # -- Path where the eBPF probe is located. It comes handy when the probe have been installed in the nodes using tools other than the init
    # container deployed with the chart.
    path:
    # -- Needed to enable eBPF JIT at runtime for performance reasons.
    # Can be skipped if eBPF JIT is enabled from outside the container
    hostNetwork: false
    # -- Constrain Falco with capabilities instead of running a privileged container.
    # This option is only supported with the eBPF driver and a kernel >= 5.8.
    # Ensure the eBPF driver is enabled (i.e., setting the `driver.kind` option to `ebpf`).
    leastPrivileged: false
  # -- Configuration for the Falco init container.
  loader:
    # -- Enable/disable the init container.
    enabled: true
    initContainer:
      image:
        # -- The image pull policy.
        pullPolicy: IfNotPresent
        # -- The image registry to pull from.
        registry: docker.io
        # -- The image repository to pull from.
        repository: falcosecurity/falco-driver-loader
        #  -- Overrides the image tag whose default is the chart appVersion.
        tag: ""
      # -- Extra environment variables that will be pass onto Falco driver loader init container.
      env: []
      # -- Arguments to pass to the Falco driver loader init container.
      args: []
      # -- Resources requests and limits for the Falco driver loader init container.
      resources: {}
      # -- Security context for the Falco driver loader init container. Overrides the default security context. If driver.kind == "module" you must at least set `privileged: true`.
      securityContext: {}

@rasheedamir
Copy link
Author

falco:

  driver:
    kind: ebpf
    loader:
      enabled: false
Sun Feb 26 15:46:34 2023: Falco version: 0.34.1 (x86_64)
Sun Feb 26 15:46:34 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Sun Feb 26 15:46:34 2023: Loading rules from file /etc/falco/falco_rules.yaml
Sun Feb 26 15:46:34 2023: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Sun Feb 26 15:46:34 2023: Starting health webserver with threadiness 16, listening on port 8765
Sun Feb 26 15:46:34 2023: Enabled event sources: syscall
Sun Feb 26 15:46:34 2023: Opening capture with BPF probe. BPF probe path: /root/.falco/falco-bpf.o
Sun Feb 26 15:46:34 2023: An error occurred in an event source, forcing termination...
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
Error: can't open BPF probe '/root/.falco/falco-bpf.o'

@rasheedamir
Copy link
Author

rasheedamir commented Feb 26, 2023

falco:

  driver:
    kind: ebpf

Looks much better now

* Setting up /usr/src links from host
* Running falco-driver-loader for: falco version=0.34.1, driver version=4.0.0+driver, arch=x86_64, kernel release=4.18.0-372.36.1.el8_6.x86_64, kernel version=1
* Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
* Mounting debugfs
mount: /sys/kernel/debug: permission denied.
* Filename 'falco_rhcos_4.18.0-372.36.1.el8_6.x86_64_1.o' is composed of:
 - driver name: falco
 - target identifier: rhcos
 - kernel release: 4.18.0-372.36.1.el8_6.x86_64
 - kernel version: 1
* Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/4.0.0%2Bdriver/x86_64/falco_rhcos_4.18.0-372.36.1.el8_6.x86_64_1.o
curl: (22) The requested URL returned error: 404 
* Trying to compile the eBPF probe (falco_rhcos_4.18.0-372.36.1.el8_6.x86_64_1.o)
Unable to find a prebuilt falco eBPF probe
* eBPF probe located in /root/.falco/4.0.0+driver/x86_64/falco_rhcos_4.18.0-372.36.1.el8_6.x86_64_1.o
* Success: eBPF probe symlinked to /root/.falco/falco-bpf.o

Now the init container is healthy!

@rasheedamir
Copy link
Author

falcoctl-artifact-install logs

INFO: Reading all configured index files from "/root/.config/falcoctl/indexes.yaml"
WARN: No configured index. Consider to configure one using the 'index add' command.
INFO: Installing the following artifacts: [ghcr.io/falcosecurity/rules/falco-rules:0]
INFO: Preparing to pull "ghcr.io/falcosecurity/rules/falco-rules:0"
INFO: Retrieving credentials from local store
INFO: proceeding with empty credentials for registry "ghcr.io"
INFO: Pulling ad24f8acf278
INFO: Pulling 0d3705a4650f
INFO: Pulling 0957c1ef3fe4

                                                                                
INFO: Extracting and installing "rulesfile" "falco_rules.yaml.tar.gz"

                                                                                
INFO: Artifact successfully installed in "/rulesfiles"

@rasheedamir
Copy link
Author

falcoctl-artifact-follow logs

INFO: Retrieving versions from Falco (timeout 2m0s) ...
INFO: Successfully retrieved versions from Falco ...
INFO: Reading all configured index files from "/root/.config/falcoctl/indexes.yaml"
WARN: No configured index. Consider to configure one using the 'index add' command.
INFO: Creating follower for "falco-rules:0", with check every 6h0m0s
INFO: Retrieving credentials from local store
INFO: proceeding with empty credentials for registry "ghcr.io"
�[39m�[39m INFO �[0m�[0m �[39m�[39mStarting follower for "ghcr.io/falcosecurity/rules/falco-rules:0"�[0m�[0m
�[39m�[39m INFO �[0m�[0m �[90m�[90m (ghcr.io/falcosecurity/rules/falco-rules:0) �[0m�[0m�[39m�[39mfetching descriptor from remote repository...�[0m�[0m
�[39m�[39m INFO �[0m�[0m �[90m�[90m (ghcr.io/falcosecurity/rules/falco-rules:0) �[0m�[0m�[39m�[39mdescriptor correctly fetched�[0m�[0m
�[39m�[39m INFO �[0m�[0m �[90m�[90m (ghcr.io/falcosecurity/rules/falco-rules:0) �[0m�[0m�[39m�[39mfound new version under tag "0"�[0m�[0m
�[39m�[39m INFO �[0m�[0m �[90m�[90m (ghcr.io/falcosecurity/rules/falco-rules:0) �[0m�[0m�[39m�[39mpulling artifact from remote repository...�[0m�[0m
�[39m�[39m INFO �[0m�[0m �[90m�[90m (ghcr.io/falcosecurity/rules/falco-rules:0) �[0m�[0m�[39m�[39mcheck if pulling an allowed type of artifact�[0m�[0m
�[39m�[39m INFO �[0m�[0m �[90m�[90m (ghcr.io/falcosecurity/rules/falco-rules:0) �[0m�[0m�[39m�[39mpulling artifact "ghcr.io/falcosecurity/rules/falco-rules:0"�[0m�[0m
�[39m�[39m INFO �[0m�[0m �[90m�[90m (ghcr.io/falcosecurity/rules/falco-rules:0) �[0m�[0m�[39m�[39mextracting artifact�[0m�[0m
�[39m�[39m INFO �[0m�[0m �[90m�[90m (ghcr.io/falcosecurity/rules/falco-rules:0) �[0m�[0m�[39m�[39mcleaning up leftovers files�[0m�[0m
�[39m�[39m INFO �[0m�[0m �[90m�[90m (ghcr.io/falcosecurity/rules/falco-rules:0) �[0m�[0m�[39m�[39martifact correctly pulled�[0m�[0m
�[39m�[39m INFO �[0m�[0m �[90m�[90m (ghcr.io/falcosecurity/rules/falco-rules:0) �[0m�[0m�[39m�[39minstalling file "falco_rules.yaml"...�[0m�[0m
�[39m�[39m INFO �[0m�[0m �[90m�[90m (ghcr.io/falcosecurity/rules/falco-rules:0) �[0m�[0m�[39m�[39mchecking if file "falco_rules.yaml" already exists in "/rulesfiles"�[0m�[0m
�[39m�[39m INFO �[0m�[0m �[90m�[90m (ghcr.io/falcosecurity/rules/falco-rules:0) �[0m�[0m�[39m�[39mfile "falco_rules.yaml" already exists in "/rulesfiles", checking if it is equal to the existing one�[0m�[0m
�[39m�[39m INFO �[0m�[0m �[90m�[90m (ghcr.io/falcosecurity/rules/falco-rules:0) �[0m�[0m�[39m�[39mthe two file are equal, nothing to be done�[0m�[0m
�[39m�[39m INFO �[0m�[0m �[90m�[90m (ghcr.io/falcosecurity/rules/falco-rules:0) �[0m�[0m�[39m�[39martifact with tag "0" correctly installed�[0m�[0m

@rasheedamir
Copy link
Author

Final settings

serviceAccount:
  # -- Specifies whether a service account should be created.
  create: true
  # -- Annotations to add to the service account.
  annotations: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

falco:

  driver:
    kind: ebpf

  docker:
    enabled: false

  falco:
    json_output: true
    json_include_output_property: true
    log_syslog: false
    log_level: info
    http_output:
      enabled: false
      url: http://falcosidekick.stakater-falco:2801/ #TODO: fix this!

  scc:
    create: false

  falcosidekick:

    enabled: true

    webui:
      enabled: true

    config:
      alertmanager:
        hostport: http://alertmanager-main.openshift-monitoring.svc:9094 # TODO! Its hard coded
        minimumpriority: debug
        mutualtls: ""
        checkcert: false  # Will have to check if the cert issue is still there; for now use this!

@rasheedamir
Copy link
Author

Had to create a SCC like this; to get sidekick and sidekick-ui pods running

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: |
      This provides the minimum requirements Falco to run in Openshift.
  name: {{ include "falco.serviceAccountName" . }}
  namespace: {{ include "falco.namespace" . }}
  labels:
    {{- include "falco.labels" . | nindent 4 }}
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: true
allowHostPID: true
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: []
allowedUnsafeSysctls: []
defaultAddCapabilities: []
fsGroup:
  type: RunAsAny
groups: []
priority: 0
readOnlyRootFilesystem: false
requiredDropCapabilities: []
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
seccompProfiles:
- '*'
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:{{ include "falco.namespace" . }}:{{ include "falco.serviceAccountName" . }}
- system:serviceaccount:{{ include "falco.namespace" . }}:sysdig-falco-falcosidekick
- system:serviceaccount:{{ include "falco.namespace" . }}:sysdig-falco-falcosidekick-ui
volumes:
- hostPath
- emptyDir
- secret
- configMap

@rasheedamir
Copy link
Author

There is a way to override podSecurityContext so, I ended up with this values file

serviceAccount:
  # -- Specifies whether a service account should be created.
  create: true
  # -- Annotations to add to the service account.
  annotations: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

falco:

  driver:
    kind: ebpf

  docker:
    enabled: false

  falco:
    json_output: true
    json_include_output_property: true
    log_syslog: false
    log_level: info
    http_output:
      enabled: false
      url: http://falcosidekick.stakater-falco:2801/ #TODO: fix this!

  scc:
    create: false

  falcosidekick:

    enabled: true

    podSecurityContext: ""

    webui:
      enabled: true

      podSecurityContext: ""

      ingress:
        enabled: false

    config:
      alertmanager:
        hostport: http://alertmanager-main.openshift-monitoring.svc:9094 # TODO! Its hard coded
        minimumpriority: debug
        mutualtls: ""
        checkcert: false  # Will have to check if the cert issue is still there; for now use this!

@rasheedamir
Copy link
Author

And final scc looks like this

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: |
      This provides the minimum requirements Falco to run in Openshift.
  name: {{ include "falco.serviceAccountName" . }}
  namespace: {{ include "falco.namespace" . }}
  labels:
    {{- include "falco.labels" . | nindent 4 }}
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: true
allowHostPID: true
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: []
allowedUnsafeSysctls: []
defaultAddCapabilities: []
fsGroup:
  type: RunAsAny
groups: []
priority: 0
readOnlyRootFilesystem: false
requiredDropCapabilities: []
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
seccompProfiles:
- '*'
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:{{ include "falco.namespace" . }}:{{ include "falco.serviceAccountName" . }}
volumes:
- hostPath
- emptyDir
- secret
- configMap

@rasheedamir
Copy link
Author

Events in falcosidekick ui

screencapture-falcosidekick-ui-stakater-falco-apps-vmw-sno2-office-stakater-events-2023-02-26-20_38_00

@rasheedamir
Copy link
Author

serviceAccount:
  # -- Specifies whether a service account should be created.
  create: true
  # -- Annotations to add to the service account.
  annotations: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

falco:

  driver:
    kind: ebpf

  docker:
    enabled: false

  falco:
    json_output: true
    json_include_output_property: true
    log_syslog: false
    log_level: info
    http_output:
      enabled: true
      # This is hardcoded
      url: http://sysdig-falco-falcosidekick.stakater-falco.svc.cluster.local:2801/

  scc:
    create: false

  falcosidekick:

    enabled: true

    podSecurityContext: ""

    webui:
      enabled: true

      podSecurityContext: ""

    config:
      alertmanager:
        hostport: http://alertmanager-main.openshift-monitoring.svc:9094 # TODO! Its hard coded
        minimumpriority: debug
        mutualtls: ""
        checkcert: false  # Will have to check if the cert issue is still there; for now use this!

@rasheedamir
Copy link
Author

rasheedamir commented Mar 12, 2023

Environment OpenShift 4.12.0 and falco-driver-loader is failing with this error and falco fails to start :(

* Setting up /usr/src links from host
* Running falco-driver-loader for: falco version=0.34.1, driver version=4.0.0+driver, arch=x86_64, kernel release=4.18.0-372.40.1.el8_6.x86_64, kernel version=1
* Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
* Mounting debugfs
mount: /sys/kernel/debug: permission denied.
* Filename 'falco_rhcos_4.18.0-372.40.1.el8_6.x86_64_1.o' is composed of:
 - driver name: falco
 - target identifier: rhcos
 - kernel release: 4.18.0-372.40.1.el8_6.x86_64
 - kernel version: 1
* Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/4.0.0%2Bdriver/x86_64/falco_rhcos_4.18.0-372.40.1.el8_6.x86_64_1.o
curl: (22) The requested URL returned error: 404 
Unable to find a prebuilt falco eBPF probe
* Trying to compile the eBPF probe (falco_rhcos_4.18.0-372.40.1.el8_6.x86_64_1.o)
expr: syntax error: unexpected argument '1'
make[1]: *** /lib/modules/4.18.0-372.40.1.el8_6.x86_64/build: No such file or directory.  Stop.
make: *** [Makefile:38: all] Error 2
mv: cannot stat '/usr/src/falco-4.0.0+driver/bpf/probe.o': No such file or directory
Unable to load the falco eBPF probe

These are the init containers

  initContainers:
    - name: falco-driver-loader
      image: 'docker.io/falcosecurity/falco-driver-loader:0.34.1'
      env:
        - name: FALCO_BPF_PROBE
      resources: {}
      volumeMounts:
        - name: root-falco-fs
          mountPath: /root/.falco
        - name: proc-fs
          readOnly: true
          mountPath: /host/proc
        - name: boot-fs
          readOnly: true
          mountPath: /host/boot
        - name: lib-modules
          mountPath: /host/lib/modules
        - name: usr-fs
          readOnly: true
          mountPath: /host/usr
        - name: etc-fs
          readOnly: true
          mountPath: /host/etc
        - name: kube-api-access-f7p5x
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
    - name: falcoctl-artifact-install
      image: 'docker.io/falcosecurity/falcoctl:0.4.0'
      args:
        - artifact
        - install
        - '--verbose'
      resources: {}
      volumeMounts:
        - name: plugins-install-dir
          mountPath: /plugins
        - name: rulesfiles-install-dir
          mountPath: /rulesfiles
        - name: falcoctl-config-volume
          mountPath: /etc/falcoctl
        - name: kube-api-access-f7p5x
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent

@rasheedamir
Copy link
Author

The above failing pod has this YAML

kind: Pod
apiVersion: v1
metadata:
  generateName: falco-
  annotations:
    checksum/certs: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    checksum/config: 09cbdf4875bbd87fe93e70a034a53662acc7a4dbe7a9bf3eb8c352be2aee015c
    checksum/rules: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    k8s.ovn.org/pod-networks: >-
      {"default":{"ip_addresses":["10.128.1.66/23"],"mac_address":"0a:58:0a:80:01:42","gateway_ips":["10.128.0.1"],"ip_address":"10.128.1.66/23","gateway_ip":"10.128.0.1"}}
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "ovn-kubernetes",
          "interface": "eth0",
          "ips": [
              "10.128.1.66"
          ],
          "mac": "0a:58:0a:80:01:42",
          "default": true,
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks-status: |-
      [{
          "name": "ovn-kubernetes",
          "interface": "eth0",
          "ips": [
              "10.128.1.66"
          ],
          "mac": "0a:58:0a:80:01:42",
          "default": true,
          "dns": {}
      }]
    openshift.io/scc: falco
  resourceVersion: '10060058'
  name: falco-gj6sm
  uid: b7a071e5-c92a-47cf-9778-b240ef300f23
  creationTimestamp: '2023-03-12T17:37:00Z'
  managedFields:
    - manager: 00-0c-29-0e-55-ce
      operation: Update
      apiVersion: v1
      time: '2023-03-12T17:37:00Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:k8s.ovn.org/pod-networks': {}
    - manager: kube-controller-manager
      operation: Update
      apiVersion: v1
      time: '2023-03-12T17:37:00Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            .: {}
            'f:checksum/certs': {}
            'f:checksum/config': {}
            'f:checksum/rules': {}
          'f:generateName': {}
          'f:labels':
            .: {}
            'f:app.kubernetes.io/instance': {}
            'f:app.kubernetes.io/name': {}
            'f:controller-revision-hash': {}
            'f:pod-template-generation': {}
          'f:ownerReferences':
            .: {}
            'k:{"uid":"d8b701af-ef38-4a86-a4be-4f2994e2bd2f"}': {}
        'f:spec':
          'f:volumes':
            'k:{"name":"plugins-install-dir"}':
              .: {}
              'f:emptyDir': {}
              'f:name': {}
            'k:{"name":"usr-fs"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            'k:{"name":"etc-fs"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            .: {}
            'k:{"name":"containerd-socket"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            'k:{"name":"lib-modules"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            'k:{"name":"rulesfiles-install-dir"}':
              .: {}
              'f:emptyDir': {}
              'f:name': {}
            'k:{"name":"debugfs"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            'k:{"name":"docker-socket"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            'k:{"name":"proc-fs"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            'k:{"name":"falcoctl-config-volume"}':
              .: {}
              'f:configMap':
                .: {}
                'f:defaultMode': {}
                'f:items': {}
                'f:name': {}
              'f:name': {}
            'k:{"name":"root-falco-fs"}':
              .: {}
              'f:emptyDir': {}
              'f:name': {}
            'k:{"name":"boot-fs"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            'k:{"name":"falco-yaml"}':
              .: {}
              'f:configMap':
                .: {}
                'f:defaultMode': {}
                'f:items': {}
                'f:name': {}
              'f:name': {}
            'k:{"name":"crio-socket"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
          'f:containers':
            'k:{"name":"falco"}':
              'f:image': {}
              'f:volumeMounts':
                'k:{"mountPath":"/host/var/run/docker.sock"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/root/.falco"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/sys/kernel/debug"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/host/proc"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/etc/falco/falco.yaml"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                  'f:subPath': {}
                .: {}
                'k:{"mountPath":"/etc/falco"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/host/run/containerd/containerd.sock"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/host/run/crio/crio.sock"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
              'f:terminationMessagePolicy': {}
              .: {}
              'f:resources':
                .: {}
                'f:limits':
                  .: {}
                  'f:cpu': {}
                  'f:memory': {}
                'f:requests':
                  .: {}
                  'f:cpu': {}
                  'f:memory': {}
              'f:args': {}
              'f:livenessProbe':
                .: {}
                'f:failureThreshold': {}
                'f:httpGet':
                  .: {}
                  'f:path': {}
                  'f:port': {}
                  'f:scheme': {}
                'f:initialDelaySeconds': {}
                'f:periodSeconds': {}
                'f:successThreshold': {}
                'f:timeoutSeconds': {}
              'f:env':
                .: {}
                'k:{"name":"FALCO_BPF_PROBE"}':
                  .: {}
                  'f:name': {}
                'k:{"name":"FALCO_K8S_NODE_NAME"}':
                  .: {}
                  'f:name': {}
                  'f:valueFrom':
                    .: {}
                    'f:fieldRef': {}
              'f:readinessProbe':
                .: {}
                'f:failureThreshold': {}
                'f:httpGet':
                  .: {}
                  'f:path': {}
                  'f:port': {}
                  'f:scheme': {}
                'f:initialDelaySeconds': {}
                'f:periodSeconds': {}
                'f:successThreshold': {}
                'f:timeoutSeconds': {}
              'f:securityContext':
                .: {}
                'f:privileged': {}
              'f:terminationMessagePath': {}
              'f:imagePullPolicy': {}
              'f:name': {}
            'k:{"name":"falcoctl-artifact-follow"}':
              'f:image': {}
              'f:volumeMounts':
                .: {}
                'k:{"mountPath":"/etc/falcoctl"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/plugins"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/rulesfiles"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
              'f:terminationMessagePolicy': {}
              .: {}
              'f:resources': {}
              'f:args': {}
              'f:terminationMessagePath': {}
              'f:imagePullPolicy': {}
              'f:name': {}
          'f:dnsPolicy': {}
          'f:tolerations': {}
          'f:serviceAccount': {}
          'f:restartPolicy': {}
          'f:schedulerName': {}
          'f:terminationGracePeriodSeconds': {}
          'f:initContainers':
            .: {}
            'k:{"name":"falco-driver-loader"}':
              'f:image': {}
              'f:volumeMounts':
                .: {}
                'k:{"mountPath":"/host/boot"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                  'f:readOnly': {}
                'k:{"mountPath":"/host/etc"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                  'f:readOnly': {}
                'k:{"mountPath":"/host/lib/modules"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/host/proc"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                  'f:readOnly': {}
                'k:{"mountPath":"/host/usr"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                  'f:readOnly': {}
                'k:{"mountPath":"/root/.falco"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
              'f:terminationMessagePolicy': {}
              .: {}
              'f:resources': {}
              'f:env':
                .: {}
                'k:{"name":"FALCO_BPF_PROBE"}':
                  .: {}
                  'f:name': {}
              'f:terminationMessagePath': {}
              'f:imagePullPolicy': {}
              'f:name': {}
            'k:{"name":"falcoctl-artifact-install"}':
              'f:image': {}
              'f:volumeMounts':
                .: {}
                'k:{"mountPath":"/etc/falcoctl"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/plugins"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/rulesfiles"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
              'f:terminationMessagePolicy': {}
              .: {}
              'f:resources': {}
              'f:args': {}
              'f:terminationMessagePath': {}
              'f:imagePullPolicy': {}
              'f:name': {}
          'f:serviceAccountName': {}
          'f:enableServiceLinks': {}
          'f:securityContext': {}
          'f:affinity':
            .: {}
            'f:nodeAffinity':
              .: {}
              'f:requiredDuringSchedulingIgnoredDuringExecution': {}
    - manager: multus
      operation: Update
      apiVersion: v1
      time: '2023-03-12T17:37:02Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:k8s.v1.cni.cncf.io/network-status': {}
            'f:k8s.v1.cni.cncf.io/networks-status': {}
      subresource: status
    - manager: kubelet
      operation: Update
      apiVersion: v1
      time: '2023-03-12T17:40:29Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:status':
          'f:conditions':
            'k:{"type":"ContainersReady"}':
              .: {}
              'f:lastProbeTime': {}
              'f:lastTransitionTime': {}
              'f:message': {}
              'f:reason': {}
              'f:status': {}
              'f:type': {}
            'k:{"type":"Initialized"}':
              .: {}
              'f:lastProbeTime': {}
              'f:lastTransitionTime': {}
              'f:message': {}
              'f:reason': {}
              'f:status': {}
              'f:type': {}
            'k:{"type":"Ready"}':
              .: {}
              'f:lastProbeTime': {}
              'f:lastTransitionTime': {}
              'f:message': {}
              'f:reason': {}
              'f:status': {}
              'f:type': {}
          'f:containerStatuses': {}
          'f:hostIP': {}
          'f:initContainerStatuses': {}
          'f:podIP': {}
          'f:podIPs':
            .: {}
            'k:{"ip":"10.128.1.66"}':
              .: {}
              'f:ip': {}
          'f:startTime': {}
      subresource: status
  namespace: stakater-falco
  ownerReferences:
    - apiVersion: apps/v1
      kind: DaemonSet
      name: falco
      uid: d8b701af-ef38-4a86-a4be-4f2994e2bd2f
      controller: true
      blockOwnerDeletion: true
  labels:
    app.kubernetes.io/instance: falco
    app.kubernetes.io/name: falco
    controller-revision-hash: 86b4465658
    pod-template-generation: '1'
spec:
  restartPolicy: Always
  initContainers:
    - name: falco-driver-loader
      image: 'docker.io/falcosecurity/falco-driver-loader:0.34.1'
      env:
        - name: FALCO_BPF_PROBE
      resources: {}
      volumeMounts:
        - name: root-falco-fs
          mountPath: /root/.falco
        - name: proc-fs
          readOnly: true
          mountPath: /host/proc
        - name: boot-fs
          readOnly: true
          mountPath: /host/boot
        - name: lib-modules
          mountPath: /host/lib/modules
        - name: usr-fs
          readOnly: true
          mountPath: /host/usr
        - name: etc-fs
          readOnly: true
          mountPath: /host/etc
        - name: kube-api-access-f7p5x
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
    - name: falcoctl-artifact-install
      image: 'docker.io/falcosecurity/falcoctl:0.4.0'
      args:
        - artifact
        - install
        - '--verbose'
      resources: {}
      volumeMounts:
        - name: plugins-install-dir
          mountPath: /plugins
        - name: rulesfiles-install-dir
          mountPath: /rulesfiles
        - name: falcoctl-config-volume
          mountPath: /etc/falcoctl
        - name: kube-api-access-f7p5x
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
  serviceAccountName: falco
  priority: 0
  schedulerName: default-scheduler
  enableServiceLinks: true
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchFields:
              - key: metadata.name
                operator: In
                values:
                  - 00-0c-29-0e-55-ce
  terminationGracePeriodSeconds: 30
  preemptionPolicy: PreemptLowerPriority
  nodeName: 00-0c-29-0e-55-ce
  securityContext: {}
  containers:
    - resources:
        limits:
          cpu: '1'
          memory: 1Gi
        requests:
          cpu: 100m
          memory: 512Mi
      readinessProbe:
        httpGet:
          path: /healthz
          port: 8765
          scheme: HTTP
        initialDelaySeconds: 30
        timeoutSeconds: 5
        periodSeconds: 15
        successThreshold: 1
        failureThreshold: 3
      terminationMessagePath: /dev/termination-log
      name: falco
      livenessProbe:
        httpGet:
          path: /healthz
          port: 8765
          scheme: HTTP
        initialDelaySeconds: 60
        timeoutSeconds: 5
        periodSeconds: 15
        successThreshold: 1
        failureThreshold: 3
      env:
        - name: FALCO_K8S_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: FALCO_BPF_PROBE
      securityContext:
        privileged: true
      imagePullPolicy: IfNotPresent
      volumeMounts:
        - name: rulesfiles-install-dir
          mountPath: /etc/falco
        - name: root-falco-fs
          mountPath: /root/.falco
        - name: proc-fs
          mountPath: /host/proc
        - name: debugfs
          mountPath: /sys/kernel/debug
        - name: docker-socket
          mountPath: /host/var/run/docker.sock
        - name: containerd-socket
          mountPath: /host/run/containerd/containerd.sock
        - name: crio-socket
          mountPath: /host/run/crio/crio.sock
        - name: falco-yaml
          mountPath: /etc/falco/falco.yaml
          subPath: falco.yaml
        - name: kube-api-access-f7p5x
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePolicy: File
      image: 'docker.io/falcosecurity/falco-no-driver:0.34.1'
      args:
        - /usr/bin/falco
        - '--cri'
        - /run/containerd/containerd.sock
        - '--cri'
        - /run/crio/crio.sock
        - '-K'
        - /var/run/secrets/kubernetes.io/serviceaccount/token
        - '-k'
        - 'https://$(KUBERNETES_SERVICE_HOST)'
        - '--k8s-node'
        - $(FALCO_K8S_NODE_NAME)
        - '-pk'
    - name: falcoctl-artifact-follow
      image: 'docker.io/falcosecurity/falcoctl:0.4.0'
      args:
        - artifact
        - follow
        - '--verbose'
      resources: {}
      volumeMounts:
        - name: plugins-install-dir
          mountPath: /plugins
        - name: rulesfiles-install-dir
          mountPath: /rulesfiles
        - name: falcoctl-config-volume
          mountPath: /etc/falcoctl
        - name: kube-api-access-f7p5x
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
  serviceAccount: falco
  volumes:
    - name: plugins-install-dir
      emptyDir: {}
    - name: rulesfiles-install-dir
      emptyDir: {}
    - name: root-falco-fs
      emptyDir: {}
    - name: boot-fs
      hostPath:
        path: /boot
        type: ''
    - name: lib-modules
      hostPath:
        path: /lib/modules
        type: ''
    - name: usr-fs
      hostPath:
        path: /usr
        type: ''
    - name: etc-fs
      hostPath:
        path: /etc
        type: ''
    - name: debugfs
      hostPath:
        path: /sys/kernel/debug
        type: ''
    - name: docker-socket
      hostPath:
        path: /var/run/docker.sock
        type: ''
    - name: containerd-socket
      hostPath:
        path: /run/containerd/containerd.sock
        type: ''
    - name: crio-socket
      hostPath:
        path: /run/crio/crio.sock
        type: ''
    - name: proc-fs
      hostPath:
        path: /proc
        type: ''
    - name: falcoctl-config-volume
      configMap:
        name: falco-falcoctl
        items:
          - key: falcoctl.yaml
            path: falcoctl.yaml
        defaultMode: 420
    - name: falco-yaml
      configMap:
        name: falco
        items:
          - key: falco.yaml
            path: falco.yaml
        defaultMode: 420
    - name: kube-api-access-f7p5x
      projected:
        sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              name: kube-root-ca.crt
              items:
                - key: ca.crt
                  path: ca.crt
          - downwardAPI:
              items:
                - path: namespace
                  fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.namespace
          - configMap:
              name: openshift-service-ca.crt
              items:
                - key: service-ca.crt
                  path: service-ca.crt
        defaultMode: 420
  dnsPolicy: ClusterFirst
  tolerations:
    - key: node-role.kubernetes.io/master
      effect: NoSchedule
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule
    - key: node.kubernetes.io/not-ready
      operator: Exists
      effect: NoExecute
    - key: node.kubernetes.io/unreachable
      operator: Exists
      effect: NoExecute
    - key: node.kubernetes.io/disk-pressure
      operator: Exists
      effect: NoSchedule
    - key: node.kubernetes.io/memory-pressure
      operator: Exists
      effect: NoSchedule
    - key: node.kubernetes.io/pid-pressure
      operator: Exists
      effect: NoSchedule
    - key: node.kubernetes.io/unschedulable
      operator: Exists
      effect: NoSchedule
status:
  containerStatuses:
    - name: falco
      state:
        waiting:
          reason: PodInitializing
      lastState: {}
      ready: false
      restartCount: 0
      image: 'docker.io/falcosecurity/falco-no-driver:0.34.1'
      imageID: ''
      started: false
    - name: falcoctl-artifact-follow
      state:
        waiting:
          reason: PodInitializing
      lastState: {}
      ready: false
      restartCount: 0
      image: 'docker.io/falcosecurity/falcoctl:0.4.0'
      imageID: ''
      started: false
  qosClass: Burstable
  podIPs:
    - ip: 10.128.1.66
  podIP: 10.128.1.66
  hostIP: 10.10.1.119
  startTime: '2023-03-12T17:37:00Z'
  initContainerStatuses:
    - name: falco-driver-loader
      state:
        waiting:
          reason: CrashLoopBackOff
          message: >-
            back-off 2m40s restarting failed container=falco-driver-loader
            pod=falco-gj6sm_stakater-falco(b7a071e5-c92a-47cf-9778-b240ef300f23)
      lastState:
        terminated:
          exitCode: 1
          reason: Error
          startedAt: '2023-03-12T17:40:12Z'
          finishedAt: '2023-03-12T17:40:13Z'
          containerID: >-
            cri-o://19cebd2aff47e86d223691d979aaaadf1f37bb52ba271a28896814d175b0076d
      ready: false
      restartCount: 5
      image: 'docker.io/falcosecurity/falco-driver-loader:0.34.1'
      imageID: >-
        docker.io/falcosecurity/falco-driver-loader@sha256:1bcd4984b3748af1a48c585fb3ee94953a4f2a7ece0750895ad6c28355532d45
      containerID: 'cri-o://19cebd2aff47e86d223691d979aaaadf1f37bb52ba271a28896814d175b0076d'
    - name: falcoctl-artifact-install
      state:
        waiting:
          reason: PodInitializing
      lastState: {}
      ready: false
      restartCount: 0
      image: 'docker.io/falcosecurity/falcoctl:0.4.0'
      imageID: ''
  conditions:
    - type: Initialized
      status: 'False'
      lastProbeTime: null
      lastTransitionTime: '2023-03-12T17:37:00Z'
      reason: ContainersNotInitialized
      message: >-
        containers with incomplete status: [falco-driver-loader
        falcoctl-artifact-install]
    - type: Ready
      status: 'False'
      lastProbeTime: null
      lastTransitionTime: '2023-03-12T17:37:00Z'
      reason: ContainersNotReady
      message: 'containers with unready status: [falco falcoctl-artifact-follow]'
    - type: ContainersReady
      status: 'False'
      lastProbeTime: null
      lastTransitionTime: '2023-03-12T17:37:00Z'
      reason: ContainersNotReady
      message: 'containers with unready status: [falco falcoctl-artifact-follow]'
    - type: PodScheduled
      status: 'True'
      lastProbeTime: null
      lastTransitionTime: '2023-03-12T17:37:00Z'
  phase: Pending

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment