falcosecurity · poiana · Jan 30, 2024 · Dec 22, 2023 · Dec 22, 2023 · Jan 2, 2024
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -14,6 +14,8 @@ jobs:
 
       - name: Set up Helm
         uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: '3.10.3'
 
       - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
@@ -78,5 +80,8 @@ jobs:
           go-version: '1.21'
           check-latest: true
 
-      - name: k8s-metacollector unit tests
+      - name: K8s-metacollector unit tests
         run: go test ./charts/k8s-metacollector/tests/unit/...
+
+      - name: Falco unit tests
+        run: go test ./charts/falco/tests/unit/...
diff --git a/charts/falco/BREAKING-CHANGES.md b/charts/falco/BREAKING-CHANGES.md
@@ -1,11 +1,45 @@
 # Helm chart Breaking Changes
-
+ - [4.0.0](#400)
+   - [Drivers](#drivers)
+   - [K8s Collector](#k8s-collector)
+   - [Plugins](#plugins)
  - [3.0.0](#300)
     - [Falcoctl](#falcoctl-support)
     - [Rulesfiles](#rulesfiles)
     - [Falco Images](#drop-support-for-falcosecurityfalco-image)
     - [Driver Loader Init Container](#driver-loader-simplified-logic)
 
+## 4.0.0
+### Drivers
+The `driver` section has been reworked based on the following PR: https://github.com/falcosecurity/falco/pull/2413. 
+It is an attempt to uniform how a driver is configured in Falco. 
+It also groups the configuration based on the driver type.
+Some of the drivers has been renamed:
+* kernel modules has been renamed from `module` to `kmod`;
+* the ebpf probe has not been changed. It's still `ebpf`;
+* the modern ebpf probe has been renamed from `modern-bpf` to `modern_ebpf`.
+
+The `gvisor` configuration has been moved under the `driver` section since it is considered a driver on its own.
+
+### K8s Collector
+The old Kubernetes client has been removed in Falco 0.37.0. For more info checkout this issue: https://github.com/falcosecurity/falco/issues/2973#issuecomment-1877803422.
+The [k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) and [k8s-meta](https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta) substitute
+the old implementation. 
+
+The following resources needed by Falco to connect to the API server are no longer needed and has been removed from the chart:
+* service account;
+* cluster role;
+* cluster role binding.
+
+When the `collectors.kubernetes` is enabled the chart deploys the [k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) and configures Falco to load the
+[k8s-meta](https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta) plugin.
+
+By default, the `collectors.kubernetes.enabled` is off; for more info, see the following issue: https://github.com/falcosecurity/falco/issues/2995.
+
+### Plugins
+The Falco docker image does not ship anymore the plugins: https://github.com/falcosecurity/falco/pull/2997. 
+For this reason, the `resolveDeps` is now enabled in relevant values files (ie. `values-k8saudit.yaml`). 
+When installing `rulesfile` artifacts `falcoctl` will try to resolve its dependencies and install the required plugins.
 
 ## 3.0.0
 The new chart deploys new *k8s* resources and new configuration variables have been added to the `values.yaml` file. People upgrading the chart from `v2.x.y` have to port their configuration variables to the new `values.yaml` file used by the `v3.0.0` chart.

diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md
@@ -3,6 +3,17 @@
 This file documents all notable changes to Falco Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## v4.0.0
+The new chart introduces some breaking changes. For folks upgrading Falco please see the BREAKING-CHANGES.md file.
+
+* Uniform driver names and configuration to the Falco one: https://github.com/falcosecurity/falco/pull/2413;
+* Fix usernames and groupnames resolution by mounting the `/etc` filesystem;
+* Drop old kubernetes collector related resources;
+* Introduce the new k8s-metacollector and k8smeta plugin (experimental);
+* Enable the dependency resolver for artifacts in falcoctl since the Falco image does not ship anymore the plugins;
+* Bump Falco to 0.37.0;
+* Bump falcoctl to 0.7.0.
+
 ## v3.8.7
 
 *  Upgrade falcosidekick chart to `v0.7.11`.

diff --git a/charts/falco/Chart.yaml b/charts/falco/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: falco
-version: 3.8.7
-appVersion: "0.36.2"
+version: 4.0.0
+appVersion: "0.37.0"
 description: Falco
 keywords:
   - monitoring
@@ -22,3 +22,7 @@ dependencies:
     version: "0.7.11"
     condition: falcosidekick.enabled
     repository: https://falcosecurity.github.io/charts
+  - name: k8s-metacollector
+    version: 0.1.*
+    repository: https://falcosecurity.github.io/charts
+    condition: collectors.kubernetes.enabled
diff --git a/charts/falco/README.gotmpl b/charts/falco/README.gotmpl
@@ -87,12 +87,13 @@ Note that **the driver is not required when using plugins**.
 gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system. For more information please consult the [official docs](https://gvisor.dev/docs/). In version `0.32.1`, Falco first introduced support for gVisor by leveraging the stream of system call information coming from gVisor.
 Falco requires the version of [runsc](https://gvisor.dev/docs/user_guide/install/) to be equal to or above `20220704.0`. The following snippet shows the gVisor configuration variables found in `values.yaml`:
 ```yaml
-gvisor:
-  enabled: true
-  runsc:
-    path: /home/containerd/usr/local/sbin
-    root: /run/containerd/runsc
-    config: /run/containerd/runsc/config.toml
+driver:
+  gvisor:
+    enabled: true
+    runsc:
+      path: /home/containerd/usr/local/sbin
+      root: /run/containerd/runsc
+      config: /run/containerd/runsc/config.toml
 ```
 Falco uses the [runsc](https://gvisor.dev/docs/user_guide/install/) binary to interact with sandboxed containers. The following variables need to be set:
 * `runsc.path`: absolute path of the `runsc` binary in the k8s nodes;
@@ -142,20 +143,21 @@ When using the [drivers](#about-the-driver), Falco is deployed as `daemonset`. B
 
 To run Falco with the [kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) you can use the default values of the helm chart:
 
-```yaml
-driver:
-  enabled: true
-  kind: module
+```bash
+helm install falco falcosecurity/falco \
+    --create-namespace \
+    --namespace falco
 ```
 
 **eBPF probe**
 
 To run Falco with the [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe) you just need to set `driver.kind=ebpf` as shown in the following snippet:
 
-```yaml
-driver:
-  enabled: true
-  kind: ebpf
+```bash
+helm install falco falcosecurity/falco \
+    --create-namespace \
+    --namespace falco \
+    --set driver.kind=ebpf
 ```
 
 There are other configurations related to the eBPF probe, for more info please check the `values.yaml` file. After you have made your changes to the configuration file you just need to run:
@@ -168,10 +170,11 @@ helm install falco falcosecurity/falco --namespace "your-custom-name-space" --cr
 
 To run Falco with the [modern eBPF probe](https://falco.org/docs/event-sources/drivers/#modern-ebpf-probe-experimental) you just need to set `driver.kind=modern-bpf` as shown in the following snippet:
 
-```yaml
-driver:
-  enabled: true
-  kind: modern-bpf
+```bash
+helm install falco falcosecurity/falco \
+    --create-namespace \
+    --namespace falco \
+    --set driver.kind=modern_ebpf
 ```
 
 #### Deployment
@@ -211,6 +214,54 @@ A scenario when we need the `-p (--previous)` flag is when we have a restart of
 ### Enabling real time logs
 By default in Falco the output is buffered. When live streaming logs we will notice delays between the logs output (rules triggering) and the event happening.
 In order to enable the logs to be emitted without delays you need to set `.Values.tty=true` in `values.yaml` file.
+
+## K8s-metacollector
+Starting from Falco `0.37` the old [k8s-client](https://github.com/falcosecurity/falco/issues/2973) has been removed.
+A new component named [k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) replaces it.
+The *k8s-metacollector* is a self-contained module that can be deployed within a Kubernetes cluster to perform the task of gathering metadata
+from various Kubernetes resources and subsequently transmitting this collected metadata to designated subscribers.
+
+Kubernetes' resources for which metadata will be collected and sent to Falco:
+* pods;
+* namespaces;
+* deployments;
+* replicationcontrollers;
+* replicasets;
+* services;
+
+### Plugin
+Since the *k8s-metacollector* is standalone, deployed in the cluster as a deployment, Falco instances need to connect to the component
+in order to retrieve the `metadata`. Here it comes the [k8smeta](https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta) plugin.
+The plugin gathers details about Kubernetes resources from the *k8s-metacollector*. It then stores this information
+in tables and provides access to Falco upon request. The plugin specifically acquires data for the node where the
+associated Falco instance is deployed, resulting in node-level granularity.
+
+### Exported Fields: Old and New
+The old [k8s-client](https://github.com/falcosecurity/falco/issues/2973) used to populate the
+[k8s](https://falco.org/docs/reference/rules/supported-fields/#field-class-k8s) fields. The **k8s** field class is still
+available in Falco, for compatibility reasons, but most of the fields will return `N/A`. The following fields are still
+usable and will return meaningful data when the `container runtime collectors` are enabled:
+* k8s.pod.name;
+* k8s.pod.id;
+* k8s.pod.label;
+* k8s.pod.labels;
+* k8s.pod.ip;
+* k8s.pod.cni.json;
+* k8s.pod.namespace.name;
+
+The [k8smeta](https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta) plugin exports a whole new
+[field class]https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta#supported-fields. Note that the new
+`k8smeta.*` fields are usable only when the **k8smeta** plugin is loaded in Falco.
+
+### Enabling the k8s-metacollector
+The following command will deploy Falco + k8s-metacollector + k8smeta:
+```bash
+helm install falco falcosecurity/falco \
+    --namespace falco \
+    --create-namespace \
+    --set collectors.kubernetes.enabled=true
+```
+
 ## Loading custom rules
 
 Falco ships with a nice default ruleset. It is a good starting point but sooner or later, we are going to need to add custom rules which fit our needs.