├── OWNERS ├── kubernetes ├── event-generator │ ├── kustomization.yaml │ └── templates │ │ ├── deployment.yaml │ │ └── rbac.yaml ├── falco-exporter │ ├── kustomization.yaml │ └── templates │ │ ├── serviceaccount.yaml │ │ ├── tests │ │ └── test-connection.yaml │ │ ├── service.yaml │ │ └── daemonset.yaml ├── falco │ ├── templates │ │ ├── serviceaccount.yaml │ │ ├── role.yaml │ │ ├── roleBinding.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── falcoctl-configmap.yaml │ │ ├── clusterrole.yaml │ │ ├── configmap.yaml │ │ └── daemonset.yaml │ └── kustomization.yaml ├── falcosidekick │ ├── kustomization.yaml │ └── templates │ │ ├── secrets-ui.yaml │ │ ├── tests │ │ └── test-connection.yaml │ │ ├── service.yaml │ │ ├── rbac-ui.yaml │ │ ├── rbac.yaml │ │ ├── deployment.yaml │ │ ├── secrets.yaml │ │ └── falcosidekick-loki-dashboard-grafana.yaml └── README.md ├── archive ├── falco-k8s-audit-sink │ ├── service.yaml │ └── audit-sink.yaml.in ├── kubeadm │ ├── audit.yaml │ └── README.md └── kind │ ├── audit.yaml │ └── README.md ├── README.md ├── .github └── PULL_REQUEST_TEMPLATE.md └── LICENSE /OWNERS: -------------------------------------------------------------------------------- 1 | approvers: 2 | - leogr 3 | - maxgio92 4 | - jasondellaluce 5 | - zuc 6 | -------------------------------------------------------------------------------- /kubernetes/event-generator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - templates/deployment.yaml 5 | - templates/rbac.yaml 6 | -------------------------------------------------------------------------------- /kubernetes/falco-exporter/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - templates/daemonset.yaml 5 | - templates/service.yaml 6 | - 
templates/serviceaccount.yaml 7 | - templates/tests/test-connection.yaml 8 | -------------------------------------------------------------------------------- /archive/falco-k8s-audit-sink/service.yaml: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: falco 5 | labels: 6 | app: falco 7 | role: security 8 | spec: 9 | selector: 10 | app: falco 11 | ports: 12 | - protocol: TCP 13 | port: 8765 14 | -------------------------------------------------------------------------------- /archive/kubeadm/audit.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kubeadm.k8s.io/v1beta2 2 | kind: ClusterConfiguration 3 | metadata: 4 | name: config 5 | apiServer: 6 | extraArgs: 7 | "audit-dynamic-configuration": "true" 8 | "feature-gates=DynamicAuditing": "true" 9 | "runtime-config=auditregistration.k8s.io/v1alpha1": "true" 10 | -------------------------------------------------------------------------------- /kubernetes/falco/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: falco 5 | namespace: default 6 | labels: 7 | helm.sh/chart: falco-7.0.2 8 | app.kubernetes.io/name: falco 9 | app.kubernetes.io/instance: falco 10 | app.kubernetes.io/version: "0.42.1" 11 | app.kubernetes.io/managed-by: Helm 12 | --- 13 | -------------------------------------------------------------------------------- /kubernetes/falco/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - templates/clusterrole.yaml 5 | - templates/clusterrolebinding.yaml 6 | - templates/configmap.yaml 7 | - templates/daemonset.yaml 8 | - templates/falcoctl-configmap.yaml 9 | - templates/role.yaml 10 | - 
templates/roleBinding.yaml 11 | - templates/serviceaccount.yaml 12 | -------------------------------------------------------------------------------- /kubernetes/falcosidekick/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - templates/deployment.yaml 5 | - templates/falcosidekick-loki-dashboard-grafana.yaml 6 | - templates/rbac-ui.yaml 7 | - templates/rbac.yaml 8 | - templates/secrets-ui.yaml 9 | - templates/secrets.yaml 10 | - templates/service.yaml 11 | - templates/tests/test-connection.yaml 12 | -------------------------------------------------------------------------------- /kubernetes/falco-exporter/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: falco-exporter 5 | labels: 6 | app.kubernetes.io/name: falco-exporter 7 | app.kubernetes.io/instance: falco-exporter 8 | app.kubernetes.io/version: "0.8.7" 9 | app.kubernetes.io/managed-by: Helm 10 | helm.sh/chart: falco-exporter-0.12.2 11 | namespace: default 12 | --- 13 | -------------------------------------------------------------------------------- /archive/falco-k8s-audit-sink/audit-sink.yaml.in: -------------------------------------------------------------------------------- 1 | apiVersion: auditregistration.k8s.io/v1alpha1 2 | kind: AuditSink 3 | metadata: 4 | name: falco-audit-sink 5 | spec: 6 | policy: 7 | level: RequestResponse 8 | stages: 9 | - ResponseComplete 10 | - ResponseStarted 11 | webhook: 12 | throttle: 13 | qps: 10 14 | burst: 15 15 | clientConfig: 16 | url: "http://$FALCO_SERVICE_IP:8765/k8s-audit" 17 | -------------------------------------------------------------------------------- /archive/kind/audit.yaml: -------------------------------------------------------------------------------- 1 | kind: Cluster 2 | apiVersion: 
kind.x-k8s.io/v1alpha4 3 | nodes: 4 | - role: control-plane 5 | kubeadmConfigPatches: 6 | - | 7 | kind: ClusterConfiguration 8 | metadata: 9 | name: config 10 | apiServer: 11 | extraArgs: 12 | "audit-dynamic-configuration": "true" 13 | "feature-gates=DynamicAuditing": "true" 14 | "runtime-config=auditregistration.k8s.io/v1alpha1": "true" 15 | - role: worker 16 | -------------------------------------------------------------------------------- /kubernetes/falco/templates/role.yaml: -------------------------------------------------------------------------------- 1 | kind: Role 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: falco 5 | labels: 6 | helm.sh/chart: falco-7.0.2 7 | app.kubernetes.io/name: falco 8 | app.kubernetes.io/instance: falco 9 | app.kubernetes.io/version: "0.42.1" 10 | app.kubernetes.io/managed-by: Helm 11 | rules: 12 | - apiGroups: 13 | - "" 14 | resources: 15 | - configmaps 16 | verbs: 17 | - get 18 | - list 19 | - update 20 | --- 21 | -------------------------------------------------------------------------------- /kubernetes/falcosidekick/templates/secrets-ui.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: falcosidekick-ui-redis 5 | namespace: default 6 | labels: 7 | helm.sh/chart: falcosidekick-0.8.2 8 | app.kubernetes.io/name: falcosidekick 9 | app.kubernetes.io/instance: falcosidekick 10 | app.kubernetes.io/version: "2.29.0" 11 | app.kubernetes.io/part-of: falcosidekick 12 | app.kubernetes.io/managed-by: Helm 13 | app.kubernetes.io/component: ui 14 | annotations: 15 | type: Opaque 16 | data: 17 | --- 18 | -------------------------------------------------------------------------------- /kubernetes/falco/templates/roleBinding.yaml: -------------------------------------------------------------------------------- 1 | kind: RoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: falco 5 | labels: 6 | 
helm.sh/chart: falco-7.0.2 7 | app.kubernetes.io/name: falco 8 | app.kubernetes.io/instance: falco 9 | app.kubernetes.io/version: "0.42.1" 10 | app.kubernetes.io/managed-by: Helm 11 | subjects: 12 | - kind: ServiceAccount 13 | name: falco 14 | namespace: default 15 | roleRef: 16 | kind: Role 17 | name: falco 18 | apiGroup: rbac.authorization.k8s.io 19 | --- 20 | -------------------------------------------------------------------------------- /archive/kubeadm/README.md: -------------------------------------------------------------------------------- 1 | # Example Kubeadm configuration for Kubernetes dynamic auditing 2 | 3 | This Kubeadm configuration sets the required API Server flags in order to: 4 | - enable the dynamic audit configuration 5 | - enable the `DynamicAuditing` feature gate 6 | - enable the `auditregistration.k8s.io/v1alpha1` API 7 | 8 | These `kube-apiserver` flags are required, whether or not you set up Kubernetes with `kubeadm`, in order to [audit Kubernetes Events](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/) and send them to the Falco dynamic Audit Backend. Note that the `DynamicAuditing` feature gate and the `auditregistration.k8s.io/v1alpha1` API were alpha features that later Kubernetes releases removed, so this archived example applies only to older clusters; on current clusters, auditing is configured with a static audit policy and a webhook backend instead.
9 | -------------------------------------------------------------------------------- /kubernetes/falco/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: falco 5 | labels: 6 | helm.sh/chart: falco-3.8.7 7 | app.kubernetes.io/name: falco 8 | app.kubernetes.io/instance: falco 9 | app.kubernetes.io/version: "0.36.2" 10 | app.kubernetes.io/managed-by: Helm 11 | subjects: 12 | - kind: ServiceAccount 13 | name: falco 14 | namespace: default 15 | roleRef: 16 | kind: ClusterRole 17 | name: falco 18 | apiGroup: rbac.authorization.k8s.io 19 | --- 20 | -------------------------------------------------------------------------------- /archive/kind/README.md: -------------------------------------------------------------------------------- 1 | # Example Kind configuration for Kubernetes dynamic auditing 2 | 3 | This Kind configuration patches the Kubeadm configuration in order to set the required API Server flags and: 4 | - enable the dynamic audit configuration 5 | - enable the `DynamicAuditing` feature gate 6 | - enable the `auditregistration.k8s.io/v1alpha1` API 7 | 8 | Anyway, these `kube-apiserver` flags are required whether or not you set up Kubernetes with `kind` in order to [audit Kubernetes Events](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/) and send them to the Falco dynamic Audit Backend. 
9 | -------------------------------------------------------------------------------- /kubernetes/falco-exporter/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "falco-exporter-test-connection" 5 | labels: 6 | app.kubernetes.io/name: falco-exporter 7 | app.kubernetes.io/instance: falco-exporter 8 | app.kubernetes.io/version: "0.5.0" 9 | app.kubernetes.io/managed-by: Helm 10 | helm.sh/chart: falco-exporter-0.5.1 11 | annotations: 12 | "helm.sh/hook": test-success 13 | spec: 14 | containers: 15 | - name: wget 16 | image: busybox 17 | command: ['wget'] 18 | args: ['falco-exporter:9376'] 19 | restartPolicy: Never 20 | -------------------------------------------------------------------------------- /kubernetes/falcosidekick/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "falcosidekick-test-connection" 5 | namespace: default 6 | labels: 7 | app.kubernetes.io/name: falcosidekick 8 | helm.sh/chart: falcosidekick-0.2.9 9 | app.kubernetes.io/instance: falcosidekick 10 | app.kubernetes.io/managed-by: Helm 11 | annotations: 12 | "helm.sh/hook": test-success 13 | spec: 14 | containers: 15 | - name: curl 16 | image: appropriate/curl 17 | command: ['curl'] 18 | args: ["-X", "POST", 'falcosidekick:2801/ping'] 19 | restartPolicy: Never 20 | -------------------------------------------------------------------------------- /kubernetes/falco-exporter/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: falco-exporter 5 | annotations: 6 | prometheus.io/port: "9376" 7 | prometheus.io/scrape: "true" 8 | labels: 9 | app.kubernetes.io/name: falco-exporter 10 | app.kubernetes.io/instance: falco-exporter 11 | 
app.kubernetes.io/version: "0.8.7" 12 | app.kubernetes.io/managed-by: Helm 13 | helm.sh/chart: falco-exporter-0.12.2 14 | namespace: default 15 | spec: 16 | clusterIP: None 17 | type: ClusterIP 18 | ports: 19 | - port: 9376 20 | targetPort: 9376 21 | protocol: TCP 22 | name: metrics 23 | selector: 24 | app.kubernetes.io/name: falco-exporter 25 | app.kubernetes.io/instance: falco-exporter 26 | --- 27 | -------------------------------------------------------------------------------- /kubernetes/falcosidekick/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: falcosidekick 5 | namespace: default 6 | labels: 7 | helm.sh/chart: falcosidekick-0.11.1 8 | app.kubernetes.io/name: falcosidekick 9 | app.kubernetes.io/instance: falcosidekick 10 | app.kubernetes.io/version: "2.31.1" 11 | app.kubernetes.io/part-of: falcosidekick 12 | app.kubernetes.io/managed-by: Helm 13 | app.kubernetes.io/component: core 14 | annotations: 15 | prometheus.io/scrape: "true" 16 | spec: 17 | type: ClusterIP 18 | ports: 19 | - port: 2801 20 | targetPort: http 21 | protocol: TCP 22 | name: http 23 | - port: 2810 24 | targetPort: http-notls 25 | protocol: TCP 26 | name: http-notls 27 | selector: 28 | app.kubernetes.io/name: falcosidekick 29 | app.kubernetes.io/instance: falcosidekick 30 | app.kubernetes.io/component: core 31 | --- 32 | -------------------------------------------------------------------------------- /kubernetes/falco/templates/falcoctl-configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: falco-falcoctl 5 | namespace: default 6 | labels: 7 | helm.sh/chart: falco-7.0.2 8 | app.kubernetes.io/name: falco 9 | app.kubernetes.io/instance: falco 10 | app.kubernetes.io/version: "0.42.1" 11 | app.kubernetes.io/managed-by: Helm 12 | data: 13 | falcoctl.yaml: |- 14 | artifact: 
15 | allowedTypes: 16 | - rulesfile 17 | - plugin 18 | follow: 19 | every: 168h 20 | falcoversions: http://localhost:8765/versions 21 | pluginsDir: /plugins 22 | refs: 23 | - falco-rules:5 24 | rulesfilesDir: /rulesfiles 25 | install: 26 | pluginsDir: /plugins 27 | refs: 28 | - falco-rules:5 29 | - ghcr.io/falcosecurity/plugins/plugin/container:0.4.1 30 | resolveDeps: true 31 | rulesfilesDir: /rulesfiles 32 | indexes: 33 | - name: falcosecurity 34 | url: https://falcosecurity.github.io/falcoctl/index.yaml 35 | --- 36 | -------------------------------------------------------------------------------- /kubernetes/falco/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRole 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: falco 5 | labels: 6 | helm.sh/chart: falco-3.8.7 7 | app.kubernetes.io/name: falco 8 | app.kubernetes.io/instance: falco 9 | app.kubernetes.io/version: "0.36.2" 10 | app.kubernetes.io/managed-by: Helm 11 | rules: 12 | - apiGroups: 13 | - extensions 14 | - "" 15 | resources: 16 | - nodes 17 | - namespaces 18 | - pods 19 | - replicationcontrollers 20 | - replicasets 21 | - services 22 | - daemonsets 23 | - deployments 24 | - events 25 | - configmaps 26 | verbs: 27 | - get 28 | - list 29 | - watch 30 | - apiGroups: 31 | - apps 32 | resources: 33 | - daemonsets 34 | - deployments 35 | - replicasets 36 | - statefulsets 37 | verbs: 38 | - get 39 | - list 40 | - watch 41 | - nonResourceURLs: 42 | - /healthz 43 | - /healthz/* 44 | verbs: 45 | - get 46 | --- 47 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Kubernetes Deployment Files 2 | 3 | [![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) 
4 | [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable) 5 | 6 | This GitHub project contains some examples of Kubernetes manifest files to help you deploy [Falco](https://github.com/falcosecurity/falco), as shown in the [documentation](https://falco.org/docs/getting-started/deployment/). 7 | 8 | These resource definitions are automatically generated from the Helm chart located at the [charts repo](https://github.com/falcosecurity/charts), and it is strongly recommended that you treat them as templates to review and adapt, not as final resources to deploy Falco. 9 | 10 | For ease of use, they are referenced by a [kustomization.yaml](https://github.com/vjjmiras/deploy-kubernetes/blob/main/kubernetes/falco/kustomization.yaml) file, but they can also be used individually. There are more detailed steps under the `kubernetes/` directory. 11 | -------------------------------------------------------------------------------- /kubernetes/falcosidekick/templates/rbac-ui.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: falcosidekick-ui 5 | namespace: default 6 | labels: 7 | app.kubernetes.io/name: falcosidekick-ui 8 | helm.sh/chart: falcosidekick-0.7.8 9 | app.kubernetes.io/instance: falcosidekick 10 | app.kubernetes.io/managed-by: Helm 11 | --- 12 | apiVersion: rbac.authorization.k8s.io/v1 13 | kind: Role 14 | metadata: 15 | name: falcosidekick-ui 16 | namespace: default 17 | labels: 18 | app.kubernetes.io/name: falcosidekick-ui 19 | helm.sh/chart: falcosidekick-0.7.8 20 | app.kubernetes.io/instance: falcosidekick 21 | app.kubernetes.io/managed-by: Helm 22 | rules: [] 23 | --- 24 | apiVersion: rbac.authorization.k8s.io/v1 25 | kind: RoleBinding 26 | metadata: 27 | name: falcosidekick-ui 28 | namespace: default 29 | labels: 30 | app.kubernetes.io/name: falcosidekick-ui 31 |
helm.sh/chart: falcosidekick-0.7.8 32 | app.kubernetes.io/instance: falcosidekick 33 | app.kubernetes.io/managed-by: Helm 34 | roleRef: 35 | apiGroup: rbac.authorization.k8s.io 36 | kind: Role 37 | name: falcosidekick-ui 38 | subjects: 39 | - kind: ServiceAccount 40 | name: falcosidekick-ui 41 | --- 42 | -------------------------------------------------------------------------------- /kubernetes/falcosidekick/templates/rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: falcosidekick 5 | namespace: default 6 | --- 7 | apiVersion: rbac.authorization.k8s.io/v1 8 | kind: Role 9 | metadata: 10 | name: falcosidekick 11 | namespace: default 12 | labels: 13 | helm.sh/chart: falcosidekick-0.11.1 14 | app.kubernetes.io/name: falcosidekick 15 | app.kubernetes.io/instance: falcosidekick 16 | app.kubernetes.io/version: "2.31.1" 17 | app.kubernetes.io/part-of: falcosidekick 18 | app.kubernetes.io/managed-by: Helm 19 | app.kubernetes.io/component: core 20 | annotations: 21 | rules: 22 | - apiGroups: 23 | - "" 24 | resources: 25 | - endpoints 26 | verbs: 27 | - get 28 | --- 29 | apiVersion: rbac.authorization.k8s.io/v1 30 | kind: RoleBinding 31 | metadata: 32 | name: falcosidekick 33 | namespace: default 34 | labels: 35 | helm.sh/chart: falcosidekick-0.11.1 36 | app.kubernetes.io/name: falcosidekick 37 | app.kubernetes.io/instance: falcosidekick 38 | app.kubernetes.io/version: "2.31.1" 39 | app.kubernetes.io/part-of: falcosidekick 40 | app.kubernetes.io/managed-by: Helm 41 | app.kubernetes.io/component: core 42 | roleRef: 43 | apiGroup: rbac.authorization.k8s.io 44 | kind: Role 45 | name: falcosidekick 46 | subjects: 47 | - kind: ServiceAccount 48 | name: falcosidekick 49 | --- 50 | -------------------------------------------------------------------------------- /kubernetes/event-generator/templates/deployment.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: event-generator 5 | labels: 6 | helm.sh/chart: event-generator-0.3.4 7 | app.kubernetes.io/name: "event-generator" 8 | app.kubernetes.io/instance: "event-generator" 9 | app.kubernetes.io/part-of: "event-generator" 10 | app.kubernetes.io/version: "0.10.0" 11 | app.kubernetes.io/managed-by: "Helm" 12 | spec: 13 | replicas: 1 14 | selector: 15 | matchLabels: 16 | app.kubernetes.io/name: "event-generator" 17 | app.kubernetes.io/instance: "event-generator" 18 | app.kubernetes.io/part-of: "event-generator" 19 | template: 20 | metadata: 21 | labels: 22 | app.kubernetes.io/name: "event-generator" 23 | app.kubernetes.io/instance: "event-generator" 24 | app.kubernetes.io/part-of: "event-generator" 25 | spec: 26 | serviceAccountName: event-generator 27 | securityContext: 28 | {} 29 | containers: 30 | - name: event-generator 31 | securityContext: 32 | {} 33 | image: "falcosecurity/event-generator:latest" 34 | imagePullPolicy: IfNotPresent 35 | command: 36 | - /bin/event-generator 37 | - run 38 | - --all 39 | - ^syscall 40 | - --loop 41 | env: 42 | - name: FALCO_EVENT_GENERATOR_NAMESPACE 43 | valueFrom: 44 | fieldRef: 45 | fieldPath: metadata.namespace 46 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | **What type of PR is this?** 9 | 10 | > Uncomment one (or more) `/kind <>` lines: 11 | 12 | > /kind bug 13 | 14 | > /kind cleanup 15 | 16 | > /kind design 17 | 18 | > /kind documentation 19 | 20 | > /kind update 21 | 22 | > /kind feature 23 | 24 | 25 | 28 | 29 | **Any specific area of the project related to this PR?** 30 | 31 | > Uncomment one (or more) `/area <>` lines: 32 | 33 | > /area manifests 34 | 35 | > /area documentation 36 | 37 | 40 | 41 | **What this PR does / 
why we need it**: 42 | 43 | **Which issue(s) this PR fixes**: 44 | 45 | 50 | 51 | Fixes # 52 | 53 | **Special notes for your reviewer**: -------------------------------------------------------------------------------- /kubernetes/event-generator/templates/rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: event-generator 5 | labels: 6 | helm.sh/chart: event-generator-0.3.4 7 | app.kubernetes.io/name: "event-generator" 8 | app.kubernetes.io/instance: "event-generator" 9 | app.kubernetes.io/part-of: "event-generator" 10 | app.kubernetes.io/version: "0.10.0" 11 | app.kubernetes.io/managed-by: "Helm" 12 | --- 13 | apiVersion: rbac.authorization.k8s.io/v1 14 | kind: ClusterRole 15 | metadata: 16 | name: event-generator 17 | labels: 18 | helm.sh/chart: event-generator-0.3.4 19 | app.kubernetes.io/name: "event-generator" 20 | app.kubernetes.io/instance: "event-generator" 21 | app.kubernetes.io/part-of: "event-generator" 22 | app.kubernetes.io/version: "0.10.0" 23 | app.kubernetes.io/managed-by: "Helm" 24 | rules: 25 | - apiGroups: 26 | - "" 27 | resources: 28 | - configmaps 29 | - services 30 | - serviceaccounts 31 | - pods 32 | verbs: 33 | - list 34 | - get 35 | - create 36 | - delete 37 | - apiGroups: 38 | - apps 39 | - extensions 40 | resources: 41 | - deployments 42 | verbs: 43 | - list 44 | - get 45 | - create 46 | - delete 47 | - apiGroups: 48 | - rbac.authorization.k8s.io 49 | resources: 50 | - roles 51 | - rolebindings 52 | verbs: 53 | - get 54 | - list 55 | - create 56 | - delete 57 | - apiGroups: 58 | - "" 59 | resources: 60 | - pods/exec 61 | verbs: 62 | - get 63 | - apiGroups: 64 | - "" 65 | resources: 66 | - '*' 67 | verbs: 68 | - get 69 | --- 70 | apiVersion: rbac.authorization.k8s.io/v1 71 | kind: RoleBinding 72 | metadata: 73 | name: event-generator 74 | labels: 75 | helm.sh/chart: event-generator-0.3.4 76 | app.kubernetes.io/name: "event-generator" 
77 | app.kubernetes.io/instance: "event-generator" 78 | app.kubernetes.io/part-of: "event-generator" 79 | app.kubernetes.io/version: "0.10.0" 80 | app.kubernetes.io/managed-by: "Helm" 81 | subjects: 82 | - kind: ServiceAccount 83 | name: event-generator 84 | namespace: default 85 | roleRef: 86 | kind: ClusterRole 87 | name: event-generator 88 | apiGroup: rbac.authorization.k8s.io 89 | --- 90 | -------------------------------------------------------------------------------- /kubernetes/falco-exporter/templates/daemonset.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: DaemonSet 3 | metadata: 4 | name: falco-exporter 5 | labels: 6 | app.kubernetes.io/name: falco-exporter 7 | app.kubernetes.io/instance: falco-exporter 8 | app.kubernetes.io/version: "0.8.7" 9 | app.kubernetes.io/managed-by: Helm 10 | helm.sh/chart: falco-exporter-0.12.2 11 | namespace: default 12 | spec: 13 | selector: 14 | matchLabels: 15 | app.kubernetes.io/name: falco-exporter 16 | app.kubernetes.io/instance: falco-exporter 17 | updateStrategy: 18 | type: RollingUpdate 19 | template: 20 | metadata: 21 | labels: 22 | app.kubernetes.io/name: falco-exporter 23 | app.kubernetes.io/instance: falco-exporter 24 | spec: 25 | serviceAccountName: falco-exporter 26 | securityContext: 27 | {} 28 | containers: 29 | - name: falco-exporter 30 | securityContext: 31 | allowPrivilegeEscalation: false 32 | capabilities: 33 | drop: 34 | - ALL 35 | privileged: false 36 | readOnlyRootFilesystem: true 37 | seccompProfile: 38 | type: RuntimeDefault 39 | image: "docker.io/falcosecurity/falco-exporter:0.8.3" 40 | imagePullPolicy: IfNotPresent 41 | args: 42 | - /usr/bin/falco-exporter 43 | - --client-socket=unix:///run/falco/falco.sock 44 | - --timeout=2m 45 | - --listen-address=0.0.0.0:9376 46 | ports: 47 | - name: metrics 48 | containerPort: 9376 49 | protocol: TCP 50 | livenessProbe: 51 | initialDelaySeconds: 60 52 | timeoutSeconds: 5 53 | 
periodSeconds: 15 54 | httpGet: 55 | path: /liveness 56 | port: 19376 57 | readinessProbe: 58 | initialDelaySeconds: 30 59 | timeoutSeconds: 5 60 | periodSeconds: 15 61 | httpGet: 62 | path: /readiness 63 | port: 19376 64 | resources: 65 | {} 66 | volumeMounts: 67 | - mountPath: /run/falco 68 | name: falco-socket-dir 69 | readOnly: true 70 | volumes: 71 | - name: falco-socket-dir 72 | hostPath: 73 | path: /run/falco 74 | tolerations: 75 | - effect: NoSchedule 76 | key: node-role.kubernetes.io/master 77 | - effect: NoSchedule 78 | key: node-role.kubernetes.io/control-plane 79 | -------------------------------------------------------------------------------- /kubernetes/falcosidekick/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: falcosidekick 5 | namespace: default 6 | labels: 7 | helm.sh/chart: falcosidekick-0.11.1 8 | app.kubernetes.io/name: falcosidekick 9 | app.kubernetes.io/instance: falcosidekick 10 | app.kubernetes.io/version: "2.31.1" 11 | app.kubernetes.io/part-of: falcosidekick 12 | app.kubernetes.io/managed-by: Helm 13 | app.kubernetes.io/component: core 14 | annotations: 15 | spec: 16 | replicas: 2 17 | selector: 18 | matchLabels: 19 | app.kubernetes.io/name: falcosidekick 20 | app.kubernetes.io/instance: falcosidekick 21 | app.kubernetes.io/component: core 22 | template: 23 | metadata: 24 | labels: 25 | helm.sh/chart: falcosidekick-0.11.1 26 | app.kubernetes.io/name: falcosidekick 27 | app.kubernetes.io/instance: falcosidekick 28 | app.kubernetes.io/version: "2.31.1" 29 | app.kubernetes.io/part-of: falcosidekick 30 | app.kubernetes.io/managed-by: Helm 31 | app.kubernetes.io/component: core 32 | annotations: 33 | checksum/config: ea13152dd2705f31511cf25a57cab961bca8a9b0020ad30af7c837f6764f5684 34 | spec: 35 | serviceAccountName: falcosidekick 36 | securityContext: 37 | fsGroup: 1234 38 | runAsUser: 1234 39 | containers: 40 | - 
name: falcosidekick 41 | image: "docker.io/falcosecurity/falcosidekick:2.32.0" 42 | imagePullPolicy: IfNotPresent 43 | ports: 44 | - name: http 45 | containerPort: 2801 46 | protocol: TCP 47 | livenessProbe: 48 | httpGet: 49 | path: /ping 50 | port: http 51 | initialDelaySeconds: 10 52 | periodSeconds: 5 53 | readinessProbe: 54 | httpGet: 55 | path: /ping 56 | port: http 57 | initialDelaySeconds: 10 58 | periodSeconds: 5 59 | envFrom: 60 | - secretRef: 61 | name: falcosidekick 62 | env: 63 | - name: DEBUG 64 | value: "false" 65 | - name: CUSTOMFIELDS 66 | value: "" 67 | - name: TEMPLATEDFIELDS 68 | value: "" 69 | - name: CUSTOMTAGS 70 | value: "" 71 | - name: OUTPUTFIELDFORMAT 72 | value: "" 73 | - name: BRACKETREPLACER 74 | value: "" 75 | - name: MUTUALTLSFILESPATH 76 | value: "/etc/certs" 77 | - name: MUTUALTLSCLIENT_CERTFILE 78 | value: "" 79 | - name: MUTUALTLSCLIENT_KEYFILE 80 | value: "" 81 | - name: MUTUALTLSCLIENT_CACERTFILE 82 | value: "" 83 | - name: TLSCLIENT_CACERTFILE 84 | value: "" 85 | resources: 86 | {} 87 | -------------------------------------------------------------------------------- /kubernetes/README.md: -------------------------------------------------------------------------------- 1 | # Kubernetes Manifest Files 2 | 3 | Under this directory, you can find the Kubernetes manifest files to deploy Falco and its components. 4 | 5 | ## Falco 6 | 7 | The [./falco](./falco) directory gives you the required YAML files to stand up Falco on Kubernetes as a DaemonSet. This will result in a Falco Pod being deployed to each node, and thus the ability to monitor any running containers for abnormal behavior. 8 | 9 | ### Prerequisites and Template Limitations 10 | 11 | The default configuration in Falco utilizes the kernel module driver (`kmod`). The template daemonset setup in this repository is configured to deploy to the `default` namespace. 
To modify [falco.yaml](https://github.com/falcosecurity/falco/blob/master/falco.yaml) settings or experiment with different kernel drivers, refer to the [Install and Operate Guides](https://falco.org/docs/install-operate/), specifically the [Kubernetes Deployment](https://falco.org/docs/install-operate/deployment/) page. These guides provide insights on adjusting Falco's settings to suit various drivers, along with prerequisites for each. Also, check out the [libs](https://github.com/falcosecurity/libs) repository that contains the sources for each driver. 12 | 13 | For additional guidance on using Falco in Kubernetes or benchmarking within a testbed, consider exploring the repository at https://github.com/falcosecurity/cncf-green-review-testing. Please note that the repository primarily focuses on testbed benchmarking, and as a result, the setup might not be best for real-world use. 14 | 15 | __NOTE__: Running Falco with the `modern_ebpf` driver does not require downloading or building a driver because it is already bundled within the userspace binary. This capability is enabled by the newer CO-RE (Compile Once - Run Everywhere) BPF feature and works only on more recent kernels (>= 5.8). As a result, you don't need the `falco-driver-loader` init container for Falco with `modern_ebpf`. 16 | 17 | __NOTE__: Please refer to our [documentation](https://falco.org/docs/install-operate/third-party/learning/#minikube) to learn more about localhost testing limitations. 18 | 19 | ### What's Included in the `falco` Deployment? 20 | 21 | **initContainers** 22 | - `falco-driver-loader`: Downloads the kernel driver or attempts to build it on-the-fly. 23 | - `falcoctl-artifact-install`: Downloads default rules and installs falcoctl along with other artifacts like plugins. 24 | 25 | 26 | **containers** 27 | - `falco`: Executes the Falco binary. 28 | - `falcoctl-artifact-follow`: Utilizes falcoctl's functionality to watch for updated rules.
29 | 30 | The template daemonset setup does not handle the method of extracting Falco logs from the container to their final destination (such as a data lake or SIEM). The template also runs the `falco` container and the `falco-driver-loader` init container with `privileged: true` and mounts host paths such as `/proc` and `/etc` into them, so check it against your cluster's pod security requirements before applying it. 31 | 32 | ### Deploy to Kubernetes 33 | 34 | Launch the deployment with [kustomize](https://kustomize.io/): 35 | 36 | ``` 37 | kubectl apply -k falco 38 | ``` 39 | 40 | To tear down the deployment: 41 | 42 | ``` 43 | kubectl delete -k ./falco 44 | ``` 45 | 46 | ### Verify the Installation 47 | 48 | In order to test that Falco is working correctly, you can, for instance, launch a shell in any Pod. Right afterwards, you should be able to see a message in the logs of the Falco Pod. 49 | 50 | ``` 51 | $ kubectl -n default get pods 52 | NAME READY STATUS RESTARTS AGE 53 | falco-74htl 1/1 Running 0 13h 54 | falco-fqz2m 1/1 Running 0 13h 55 | falco-sgjfx 1/1 Running 0 13h 56 | 57 | $ kubectl -n default exec -it falco-74htl -c falco -- bash 58 | root@falco-74htl:/# exit 59 | 60 | $ kubectl -n default -c falco logs falco-74htl 61 | 62 | {"output":"17:48:58.590038385: Notice A shell was spawned in a container with an attached terminal 63 | (user=root k8s.pod=falco-74htl container=a98c2aa8e670 shell=bash parent= cmdline=bash terminal=34816)", 64 | "priority":"Notice","rule":"Terminal shell in container","time":"2017-12-20T17:48:58.590038385Z", 65 | "output_fields": {"container.id":"a98c2aa8e670","evt.time":1513792138590038385,"k8s.pod.name":"falco-74htl", 66 | "proc.cmdline":"bash","proc.name":"bash","proc.pname":null,"proc.tty":34816,"user.name":"root"}} 67 | ``` 68 | 69 | Alternatively, you can deploy the [event-generator](https://github.com/falcosecurity/event-generator) application to automatically generate events that test your Falco deployment. Please note that this application will generate a large number of events. 70 | 71 | To deploy the `event-generator` in Kubernetes you can follow [these steps](https://github.com/falcosecurity/event-generator#with-kubernetes).
72 | 73 | 74 | ## Falcosidekick 75 | 76 | ``` 77 | kubectl apply -k falcosidekick 78 | ``` 79 | 80 | ## falco-exporter 81 | 82 | ``` 83 | kubectl apply -k falco-exporter 84 | ``` 85 | -------------------------------------------------------------------------------- /kubernetes/falco/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: falco 5 | namespace: default 6 | labels: 7 | helm.sh/chart: falco-7.0.2 8 | app.kubernetes.io/name: falco 9 | app.kubernetes.io/instance: falco 10 | app.kubernetes.io/version: "0.42.1" 11 | app.kubernetes.io/managed-by: Helm 12 | data: 13 | falco.yaml: |- 14 | append_output: 15 | - suggested_output: true 16 | base_syscalls: 17 | all: false 18 | custom_set: [] 19 | repair: false 20 | buffer_format_base64: false 21 | buffered_outputs: false 22 | capture: 23 | default_duration: 5000 24 | enabled: false 25 | mode: rules 26 | path_prefix: /tmp/falco 27 | config_files: 28 | - /etc/falco/config.d 29 | engine: 30 | ebpf: 31 | buf_size_preset: 4 32 | drop_failed_exit: false 33 | probe: ${HOME}/.falco/falco-bpf.o 34 | kind: modern_ebpf 35 | kmod: 36 | buf_size_preset: 4 37 | drop_failed_exit: false 38 | modern_ebpf: 39 | buf_size_preset: 4 40 | cpus_for_each_buffer: 2 41 | drop_failed_exit: false 42 | falco_libs: 43 | snaplen: 80 44 | thread_table_auto_purging_interval_s: 300 45 | thread_table_auto_purging_thread_timeout_s: 300 46 | thread_table_size: 262144 47 | file_output: 48 | enabled: false 49 | filename: ./events.txt 50 | keep_alive: false 51 | grpc: 52 | bind_address: unix:///run/falco/falco.sock 53 | enabled: false 54 | threadiness: 0 55 | grpc_output: 56 | enabled: false 57 | http_output: 58 | ca_bundle: "" 59 | ca_cert: "" 60 | ca_path: /etc/falco/certs/ 61 | client_cert: /etc/falco/certs/client/client.crt 62 | client_key: /etc/falco/certs/client/client.key 63 | compress_uploads: false 64 | echo: false 65 | enabled: 
false 66 | insecure: false 67 | keep_alive: false 68 | max_consecutive_timeouts: 5 69 | mtls: false 70 | url: "" 71 | user_agent: falcosecurity/falco 72 | json_include_message_property: false 73 | json_include_output_fields_property: true 74 | json_include_output_property: true 75 | json_include_tags_property: true 76 | json_output: false 77 | libs_logger: 78 | enabled: true 79 | severity: info 80 | load_plugins: 81 | - container 82 | log_level: info 83 | log_stderr: true 84 | log_syslog: true 85 | output_timeout: 2000 86 | outputs_queue: 87 | capacity: 0 88 | plugins: 89 | - init_config: 90 | engines: 91 | bpm: 92 | enabled: true 93 | containerd: 94 | enabled: true 95 | sockets: 96 | - /run/host-containerd/containerd.sock 97 | cri: 98 | enabled: true 99 | sockets: 100 | - /run/containerd/containerd.sock 101 | - /run/crio/crio.sock 102 | - /run/k3s/containerd/containerd.sock 103 | - /run/host-containerd/containerd.sock 104 | docker: 105 | enabled: true 106 | sockets: 107 | - /var/run/docker.sock 108 | libvirt_lxc: 109 | enabled: true 110 | lxc: 111 | enabled: true 112 | podman: 113 | enabled: true 114 | sockets: 115 | - /run/podman/podman.sock 116 | hooks: 117 | - create 118 | label_max_len: 100 119 | with_size: false 120 | library_path: libcontainer.so 121 | name: container 122 | plugins_hostinfo: true 123 | priority: debug 124 | program_output: 125 | enabled: false 126 | keep_alive: false 127 | program: 'jq ''{text: .output}'' | curl -d @- -X POST https://hooks.slack.com/services/XXX' 128 | rule_matching: first 129 | rules_files: 130 | - /etc/falco/falco_rules.yaml 131 | - /etc/falco/falco_rules.local.yaml 132 | - /etc/falco/rules.d 133 | stdout_output: 134 | enabled: true 135 | syscall_event_drops: 136 | actions: 137 | - log 138 | - alert 139 | max_burst: 1 140 | rate: 0.03333 141 | simulate_drops: false 142 | threshold: 0.1 143 | syscall_event_timeouts: 144 | max_consecutives: 1000 145 | syslog_output: 146 | enabled: true 147 | time_format_iso_8601: false 148 | 
watch_config_files: true 149 | webserver: 150 | enabled: true 151 | k8s_healthz_endpoint: /healthz 152 | listen_address: 0.0.0.0 153 | listen_port: 8765 154 | prometheus_metrics_enabled: false 155 | ssl_certificate: /etc/falco/falco.pem 156 | ssl_enabled: false 157 | threadiness: 0 158 | --- 159 | -------------------------------------------------------------------------------- /kubernetes/falco/templates/daemonset.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: DaemonSet 3 | metadata: 4 | name: falco 5 | namespace: default 6 | labels: 7 | helm.sh/chart: falco-7.0.2 8 | app.kubernetes.io/name: falco 9 | app.kubernetes.io/instance: falco 10 | app.kubernetes.io/version: "0.42.1" 11 | app.kubernetes.io/managed-by: Helm 12 | spec: 13 | selector: 14 | matchLabels: 15 | app.kubernetes.io/name: falco 16 | app.kubernetes.io/instance: falco 17 | template: 18 | metadata: 19 | name: falco 20 | labels: 21 | app.kubernetes.io/name: falco 22 | app.kubernetes.io/instance: falco 23 | annotations: 24 | checksum/config: e66ac9950418f69e96db419f58e25ed3f973256a401d7f54ef87a824248814b3 25 | checksum/rules: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 26 | checksum/certs: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 27 | spec: 28 | serviceAccountName: falco 29 | tolerations: 30 | - effect: NoSchedule 31 | key: node-role.kubernetes.io/master 32 | - effect: NoSchedule 33 | key: node-role.kubernetes.io/control-plane 34 | containers: 35 | - name: falco 36 | image: docker.io/falcosecurity/falco:0.42.1 37 | imagePullPolicy: IfNotPresent 38 | resources: 39 | limits: 40 | cpu: 1000m 41 | memory: 1024Mi 42 | requests: 43 | cpu: 100m 44 | memory: 512Mi 45 | securityContext: 46 | privileged: true 47 | args: 48 | - /usr/bin/falco 49 | env: 50 | - name: HOST_ROOT 51 | value: /host 52 | - name: FALCO_HOSTNAME 53 | valueFrom: 54 | fieldRef: 55 | fieldPath: spec.nodeName 56 | - name: 
FALCO_K8S_NODE_NAME 57 | valueFrom: 58 | fieldRef: 59 | fieldPath: spec.nodeName 60 | tty: false 61 | ports: 62 | - containerPort: 8765 63 | name: web 64 | protocol: TCP 65 | livenessProbe: 66 | initialDelaySeconds: 60 67 | timeoutSeconds: 5 68 | periodSeconds: 15 69 | httpGet: 70 | path: /healthz 71 | port: 8765 72 | readinessProbe: 73 | initialDelaySeconds: 30 74 | timeoutSeconds: 5 75 | periodSeconds: 15 76 | httpGet: 77 | path: /healthz 78 | port: 8765 79 | volumeMounts: 80 | - mountPath: /host/var/run/docker.sock 81 | name: container-engine-socket-0 82 | - mountPath: /host/run/podman/podman.sock 83 | name: container-engine-socket-1 84 | - mountPath: /host/run/host-containerd/containerd.sock 85 | name: container-engine-socket-2 86 | - mountPath: /host/run/containerd/containerd.sock 87 | name: container-engine-socket-3 88 | - mountPath: /host/run/crio/crio.sock 89 | name: container-engine-socket-4 90 | - mountPath: /host/run/k3s/containerd/containerd.sock 91 | name: container-engine-socket-5 92 | - mountPath: /etc/falco 93 | name: rulesfiles-install-dir 94 | - mountPath: /usr/share/falco/plugins 95 | name: plugins-install-dir 96 | - mountPath: /etc/falco/config.d 97 | name: specialized-falco-configs 98 | - mountPath: /root/.falco 99 | name: root-falco-fs 100 | - mountPath: /host/proc 101 | name: proc-fs 102 | - mountPath: /host/etc 103 | name: etc-fs 104 | readOnly: true 105 | - mountPath: /host/dev 106 | name: dev-fs 107 | readOnly: true 108 | - name: sys-module-fs 109 | mountPath: /sys/module 110 | - mountPath: /sys/kernel 111 | name: sys-fs 112 | readOnly: true 113 | - mountPath: /etc/falco/falco.yaml 114 | name: falco-yaml 115 | subPath: falco.yaml 116 | 117 | - name: falcoctl-artifact-follow 118 | image: docker.io/falcosecurity/falcoctl:0.11.4 119 | imagePullPolicy: IfNotPresent 120 | args: 121 | - artifact 122 | - follow 123 | - --log-format=json 124 | securityContext: 125 | volumeMounts: 126 | - mountPath: /plugins 127 | name: plugins-install-dir 128 | - 
mountPath: /rulesfiles 129 | name: rulesfiles-install-dir 130 | - mountPath: /etc/falcoctl 131 | name: falcoctl-config-volume 132 | initContainers: 133 | - name: falco-driver-loader 134 | image: docker.io/falcosecurity/falco-driver-loader:0.42.1 135 | imagePullPolicy: IfNotPresent 136 | args: 137 | - auto 138 | securityContext: 139 | privileged: true 140 | volumeMounts: 141 | - mountPath: /root/.falco 142 | name: root-falco-fs 143 | - mountPath: /host/proc 144 | name: proc-fs 145 | readOnly: true 146 | - mountPath: /host/boot 147 | name: boot-fs 148 | readOnly: true 149 | - mountPath: /host/lib/modules 150 | name: lib-modules 151 | - mountPath: /host/usr 152 | name: usr-fs 153 | readOnly: true 154 | - mountPath: /host/etc 155 | name: etc-fs 156 | readOnly: true 157 | - mountPath: /etc/falco/config.d 158 | name: specialized-falco-configs 159 | env: 160 | - name: HOST_ROOT 161 | value: /host 162 | - name: FALCOCTL_DRIVER_CONFIG_NAMESPACE 163 | valueFrom: 164 | fieldRef: 165 | fieldPath: metadata.namespace 166 | - name: FALCOCTL_DRIVER_CONFIG_CONFIGMAP 167 | value: falco 168 | - name: falcoctl-artifact-install 169 | image: docker.io/falcosecurity/falcoctl:0.11.4 170 | imagePullPolicy: IfNotPresent 171 | args: 172 | - artifact 173 | - install 174 | - --log-format=json 175 | securityContext: 176 | volumeMounts: 177 | - mountPath: /plugins 178 | name: plugins-install-dir 179 | - mountPath: /rulesfiles 180 | name: rulesfiles-install-dir 181 | - mountPath: /etc/falcoctl 182 | name: falcoctl-config-volume 183 | volumes: 184 | - hostPath: 185 | path: /var/run/docker.sock 186 | name: container-engine-socket-0 187 | - hostPath: 188 | path: /run/podman/podman.sock 189 | name: container-engine-socket-1 190 | - hostPath: 191 | path: /run/host-containerd/containerd.sock 192 | name: container-engine-socket-2 193 | - hostPath: 194 | path: /run/containerd/containerd.sock 195 | name: container-engine-socket-3 196 | - hostPath: 197 | path: /run/crio/crio.sock 198 | name: 
container-engine-socket-4 199 | - hostPath: 200 | path: /run/k3s/containerd/containerd.sock 201 | name: container-engine-socket-5 202 | - name: specialized-falco-configs 203 | emptyDir: {} 204 | - name: plugins-install-dir 205 | emptyDir: {} 206 | - name: rulesfiles-install-dir 207 | emptyDir: {} 208 | - name: root-falco-fs 209 | emptyDir: {} 210 | - name: boot-fs 211 | hostPath: 212 | path: /boot 213 | - name: lib-modules 214 | hostPath: 215 | path: /lib/modules 216 | - name: usr-fs 217 | hostPath: 218 | path: /usr 219 | - name: etc-fs 220 | hostPath: 221 | path: /etc 222 | - name: dev-fs 223 | hostPath: 224 | path: /dev 225 | - name: sys-module-fs 226 | hostPath: 227 | path: /sys/module 228 | - name: sys-fs 229 | hostPath: 230 | path: /sys/kernel 231 | - name: proc-fs 232 | hostPath: 233 | path: /proc 234 | - name: falcoctl-config-volume 235 | configMap: 236 | name: falco-falcoctl 237 | items: 238 | - key: falcoctl.yaml 239 | path: falcoctl.yaml 240 | - name: falco-yaml 241 | configMap: 242 | name: falco 243 | items: 244 | - key: falco.yaml 245 | path: falco.yaml 246 | 247 | updateStrategy: 248 | type: RollingUpdate 249 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. 
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. -------------------------------------------------------------------------------- /kubernetes/falcosidekick/templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: falcosidekick 5 | namespace: default 6 | labels: 7 | helm.sh/chart: falcosidekick-0.11.1 8 | app.kubernetes.io/name: falcosidekick 9 | app.kubernetes.io/instance: falcosidekick 10 | app.kubernetes.io/version: "2.31.1" 11 | app.kubernetes.io/part-of: falcosidekick 12 | app.kubernetes.io/managed-by: Helm 13 | app.kubernetes.io/component: core 14 | annotations: 15 | type: Opaque 16 | data: 17 | # Slack Output 18 | SLACK_WEBHOOKURL: "" 19 | SLACK_CHANNEL: "" 20 | SLACK_OUTPUTFORMAT: "YWxs" 21 | SLACK_FOOTER: "" 22 | SLACK_ICON: "" 23 | SLACK_USERNAME: "" 24 | SLACK_MINIMUMPRIORITY: "" 25 | SLACK_MESSAGEFORMAT: "" 26 | 27 | # RocketChat Output 28 | ROCKETCHAT_WEBHOOKURL: "" 29 | ROCKETCHAT_OUTPUTFORMAT: "YWxs" 30 | ROCKETCHAT_ICON: "" 31 | ROCKETCHAT_USERNAME: "" 32 | ROCKETCHAT_MINIMUMPRIORITY: "" 33 | ROCKETCHAT_MESSAGEFORMAT: "" 34 | ROCKETCHAT_MUTUALTLS: 
"ZmFsc2U=" 35 | ROCKETCHAT_CHECKCERT: "dHJ1ZQ==" 36 | 37 | # Mattermost Output 38 | MATTERMOST_WEBHOOKURL: "" 39 | MATTERMOST_OUTPUTFORMAT: "YWxs" 40 | MATTERMOST_FOOTER: "" 41 | MATTERMOST_ICON: "" 42 | MATTERMOST_USERNAME: "" 43 | MATTERMOST_MINIMUMPRIORITY: "" 44 | MATTERMOST_MESSAGEFORMAT: "" 45 | MATTERMOST_MUTUALTLS: "ZmFsc2U=" 46 | MATTERMOST_CHECKCERT: "dHJ1ZQ==" 47 | 48 | # Teams Output 49 | TEAMS_WEBHOOKURL: "" 50 | TEAMS_OUTPUTFORMAT: "YWxs" 51 | TEAMS_ACTIVITYIMAGE: "" 52 | TEAMS_MINIMUMPRIORITY: "" 53 | 54 | # Datadog (Events) Output 55 | DATADOG_APIKEY: "" 56 | DATADOG_HOST: "" 57 | DATADOG_MINIMUMPRIORITY: "" 58 | 59 | # Datadog Logs Output 60 | DATADOGLOGS_APIKEY: "" 61 | DATADOGLOGS_HOST: "" 62 | DATADOGLOGS_SERVICE: "" 63 | DATADOGLOGS_MINIMUMPRIORITY: "" 64 | 65 | # AlertManager Output 66 | ALERTMANAGER_HOSTPORT: "" 67 | ALERTMANAGER_ENDPOINT: "L2FwaS92MS9hbGVydHM=" 68 | ALERTMANAGER_EXPIRESAFTER: "" 69 | ALERTMANAGER_DROPEVENTDEFAULTPRIORITY: "Y3JpdGljYWw=" 70 | ALERTMANAGER_DROPEVENTTHRESHOLDS: "MTAwMDA6Y3JpdGljYWwsIDEwMDA6Y3JpdGljYWwsIDEwMDpjcml0aWNhbCwgMTA6d2FybmluZywgMTp3YXJuaW5n" 71 | ALERTMANAGER_MINIMUMPRIORITY: "" 72 | ALERTMANAGER_MUTUALTLS: "ZmFsc2U=" 73 | ALERTMANAGER_CHECKCERT: "dHJ1ZQ==" 74 | 75 | # InfluxDB Output 76 | INFLUXDB_USER: "" 77 | INFLUXDB_PASSWORD: "" 78 | INFLUXDB_TOKEN: "" 79 | INFLUXDB_HOSTPORT: "" 80 | INFLUXDB_ORGANIZATION: "" 81 | INFLUXDB_PRECISION: "bnM=" 82 | INFLUXDB_MINIMUMPRIORITY: "" 83 | INFLUXDB_DATABASE: "ZmFsY28=" 84 | INFLUXDB_MUTUALTLS: "ZmFsc2U=" 85 | INFLUXDB_CHECKCERT: "dHJ1ZQ==" 86 | 87 | # AWS Output 88 | AWS_ACCESSKEYID: "" 89 | AWS_SECRETACCESSKEY: "" 90 | AWS_REGION: "" 91 | AWS_CHECKIDENTITY: "dHJ1ZQ==" 92 | AWS_LAMBDA_FUNCTIONNAME: "" 93 | AWS_LAMBDA_MINIMUMPRIORITY: "" 94 | AWS_CLOUDWATCHLOGS_LOGGROUP: "" 95 | AWS_CLOUDWATCHLOGS_LOGSTREAM: "" 96 | AWS_CLOUDWATCHLOGS_MINIMUMPRIORITY: "" 97 | AWS_SNS_TOPICARN: "" 98 | AWS_SNS_RAWJSON: "ZmFsc2U=" 99 | AWS_SNS_MINIMUMPRIORITY: "" 100 | 
AWS_SQS_URL: "" 101 | AWS_SQS_MINIMUMPRIORITY: "" 102 | AWS_S3_BUCKET: "" 103 | AWS_S3_PREFIX: "" 104 | AWS_S3_ENDPOINT: "" 105 | AWS_S3_OBJECTCANNEDACL: "YnVja2V0LW93bmVyLWZ1bGwtY29udHJvbA==" 106 | AWS_S3_MINIMUMPRIORITY: "" 107 | AWS_KINESIS_STREAMNAME: "" 108 | AWS_KINESIS_MINIMUMPRIORITY: "" 109 | AWS_SECURITYLAKE_BUCKET: "" 110 | AWS_SECURITYLAKE_REGION: "" 111 | AWS_SECURITYLAKE_PREFIX: "" 112 | AWS_SECURITYLAKE_ACCOUNTID: "" 113 | AWS_SECURITYLAKE_INTERVAL: "NQ==" 114 | AWS_SECURITYLAKE_BATCHSIZE: "MTAwMA==" 115 | AWS_SECURITYLAKE_MINIMUMPRIORITY: "" 116 | 117 | # SMTP Output 118 | SMTP_USER: "" 119 | SMTP_PASSWORD: "" 120 | SMTP_AUTHMECHANISM: "cGxhaW4=" 121 | SMTP_TLS: "dHJ1ZQ==" 122 | SMTP_HOSTPORT: "" 123 | SMTP_FROM: "" 124 | SMTP_TO: "" 125 | SMTP_TOKEN: "" 126 | SMTP_IDENTITY: "" 127 | SMTP_TRACE: "" 128 | SMTP_OUTPUTFORMAT: "aHRtbA==" 129 | SMTP_MINIMUMPRIORITY: "" 130 | 131 | # OpsGenie Output 132 | OPSGENIE_APIKEY: "" 133 | OPSGENIE_REGION: "" 134 | OPSGENIE_MINIMUMPRIORITY: "" 135 | OPSGENIE_MUTUALTLS: "ZmFsc2U=" 136 | OPSGENIE_CHECKCERT: "dHJ1ZQ==" 137 | 138 | # Discord Output 139 | DISCORD_WEBHOOKURL: "" 140 | DISCORD_ICON: "" 141 | DISCORD_MINIMUMPRIORITY: "" 142 | 143 | # GCP Output 144 | GCP_CREDENTIALS: "" 145 | GCP_PUBSUB_PROJECTID: "" 146 | GCP_PUBSUB_TOPIC: "" 147 | GCP_PUBSUB_CUSTOMATTRIBUTES: "" 148 | GCP_PUBSUB_MINIMUMPRIORITY: "" 149 | GCP_STORAGE_BUCKET: "" 150 | GCP_STORAGE_PREFIX: "" 151 | GCP_STORAGE_MINIMUMPRIORITY: "ZGVidWc=" 152 | GCP_CLOUDFUNCTIONS_NAME: "" 153 | GCP_CLOUDFUNCTIONS_MINIMUMPRIORITY: "" 154 | GCP_CLOUDRUN_ENDPOINT: "" 155 | GCP_CLOUDRUN_JWT: "" 156 | GCP_CLOUDRUN_MINIMUMPRIORITY: "" 157 | 158 | # GoogleChat Output 159 | GOOGLECHAT_WEBHOOKURL: "" 160 | GOOGLECHAT_OUTPUTFORMAT: "YWxs" 161 | GOOGLECHAT_MINIMUMPRIORITY: "" 162 | GOOGLECHAT_MESSAGEFORMAT: "" 163 | 164 | # ElasticSearch Output 165 | ELASTICSEARCH_HOSTPORT: "" 166 | ELASTICSEARCH_INDEX: "ZmFsY28=" 167 | ELASTICSEARCH_TYPE: "X2RvYw==" 168 | 
ELASTICSEARCH_PIPELINE: "" 169 | ELASTICSEARCH_SUFFIX: "ZGFpbHk=" 170 | ELASTICSEARCH_APIKEY: "" 171 | ELASTICSEARCH_USERNAME: "" 172 | ELASTICSEARCH_PASSWORD: "" 173 | ELASTICSEARCH_FLATTENFIELDS: "ZmFsc2U=" 174 | ELASTICSEARCH_CREATEINDEXTEMPLATE: "ZmFsc2U=" 175 | ELASTICSEARCH_ENABLECOMPRESSION: "ZmFsc2U=" 176 | ELASTICSEARCH_MAXCONCURRENTREQUESTS: "MQ==" 177 | ELASTICSEARCH_BATCHING_ENABLED: "dHJ1ZQ==" 178 | ELASTICSEARCH_BATCHING_BATCHSIZE: "NTI0Mjg4MA==" 179 | ELASTICSEARCH_BATCHING_FLUSHINTERVAL: "MXM=" 180 | ELASTICSEARCH_NUMBEROFSHARDS: "Mw==" 181 | ELASTICSEARCH_NUMBEROFREPLICAS: "Mw==" 182 | ELASTICSEARCH_CUSTOMHEADERS: "" 183 | ELASTICSEARCH_MUTUALTLS: "ZmFsc2U=" 184 | ELASTICSEARCH_CHECKCERT: "dHJ1ZQ==" 185 | ELASTICSEARCH_MINIMUMPRIORITY: "" 186 | 187 | # Loki Output 188 | LOKI_HOSTPORT: "" 189 | LOKI_ENDPOINT: "L2xva2kvYXBpL3YxL3B1c2g=" 190 | LOKI_USER: "" 191 | LOKI_APIKEY: "" 192 | LOKI_TENANT: "" 193 | LOKI_FORMAT: "dGV4dA==" 194 | LOKI_EXTRALABELS: "" 195 | LOKI_CUSTOMHEADERS: "" 196 | LOKI_MINIMUMPRIORITY: "" 197 | LOKI_MUTUALTLS: "ZmFsc2U=" 198 | LOKI_CHECKCERT: "dHJ1ZQ==" 199 | 200 | # Prometheus Output 201 | PROMETHEUS_EXTRALABELS: "" 202 | 203 | # Nats Output 204 | NATS_HOSTPORT: "" 205 | NATS_SUBJECTTEMPLATE: "ZmFsY28uPHByaW9yaXR5Pi48cnVsZT4=" 206 | NATS_MINIMUMPRIORITY: "" 207 | NATS_MUTUALTLS: "ZmFsc2U=" 208 | NATS_CHECKCERT: "dHJ1ZQ==" 209 | 210 | # Stan Output 211 | STAN_HOSTPORT: "" 212 | STAN_CLUSTERID: "" 213 | STAN_CLIENTID: "" 214 | STAN_SUBJECTTEMPLATE: "ZmFsY28uPHByaW9yaXR5Pi48cnVsZT4=" 215 | STAN_MINIMUMPRIORITY: "" 216 | STAN_MUTUALTLS: "ZmFsc2U=" 217 | STAN_CHECKCERT: "dHJ1ZQ==" 218 | 219 | # Statsd Output 220 | STATSD_FORWARDER: "" 221 | STATSD_NAMESPACE: "ZmFsY29zaWRla2ljay4=" 222 | 223 | # Dogstatsd Output 224 | DOGSTATSD_FORWARDER: "" 225 | DOGSTATSD_NAMESPACE: "ZmFsY29zaWRla2ljay4=" 226 | DOGSTATSD_TAGS: "" 227 | 228 | # WebHook Output 229 | WEBHOOK_ADDRESS: "" 230 | WEBHOOK_METHOD: "UE9TVA==" 231 | WEBHOOK_CUSTOMHEADERS: 
"" 232 | WEBHOOK_MINIMUMPRIORITY: "" 233 | WEBHOOK_MUTUALTLS: "ZmFsc2U=" 234 | WEBHOOK_CHECKCERT: "dHJ1ZQ==" 235 | 236 | # Azure Output 237 | AZURE_EVENTHUB_NAME: "" 238 | AZURE_EVENTHUB_NAMESPACE: "" 239 | AZURE_EVENTHUB_MINIMUMPRIORITY: "" 240 | 241 | # Kafka Output 242 | KAFKA_HOSTPORT: "" 243 | KAFKA_TOPIC: "" 244 | KAFKA_SASL: "" 245 | KAFKA_TLS: "ZmFsc2U=" 246 | KAFKA_USERNAME: "" 247 | KAFKA_PASSWORD: "" 248 | KAFKA_ASYNC: "ZmFsc2U=" 249 | KAFKA_REQUIREDACKS: "Tk9ORQ==" 250 | KAFKA_COMPRESSION: "Tk9ORQ==" 251 | KAFKA_BALANCER: "cm91bmRfcm9iaW4=" 252 | KAFKA_TOPICCREATION: "ZmFsc2U=" 253 | KAFKA_CLIENTID: "" 254 | KAFKA_MINIMUMPRIORITY: "" 255 | 256 | # PagerDuty Output 257 | PAGERDUTY_ROUTINGKEY: "" 258 | PAGERDUTY_REGION: "dXM=" 259 | PAGERDUTY_MINIMUMPRIORITY: "" 260 | 261 | # Kubeless Output 262 | KUBELESS_FUNCTION: "" 263 | KUBELESS_NAMESPACE: "" 264 | KUBELESS_PORT: "ODA4MA==" 265 | KUBELESS_MINIMUMPRIORITY: "" 266 | KUBELESS_MUTUALTLS: "ZmFsc2U=" 267 | KUBELESS_CHECKCERT: "dHJ1ZQ==" 268 | 269 | # OpenFaaS Output 270 | OPENFAAS_GATEWAYNAMESPACE: "b3BlbmZhYXM=" 271 | OPENFAAS_GATEWAYSERVICE: "Z2F0ZXdheQ==" 272 | OPENFAAS_FUNCTIONNAME: "" 273 | OPENFAAS_FUNCTIONNAMESPACE: "b3BlbmZhYXMtZm4=" 274 | OPENFAAS_GATEWAYPORT: "ODA4MA==" 275 | OPENFAAS_MINIMUMPRIORITY: "" 276 | OPENFAAS_MUTUALTLS: "ZmFsc2U=" 277 | OPENFAAS_CHECKCERT: "dHJ1ZQ==" 278 | 279 | # Cloud Events Output 280 | CLOUDEVENTS_ADDRESS: "" 281 | CLOUDEVENTS_EXTENSION: "" 282 | CLOUDEVENTS_MINIMUMPRIORITY: "" 283 | 284 | # RabbitMQ Output 285 | RABBITMQ_URL: "" 286 | RABBITMQ_QUEUE: "" 287 | RABBITMQ_MINIMUMPRIORITY: "ZGVidWc=" 288 | 289 | # Wavefront Output 290 | WAVEFRONT_ENDPOINTTYPE: "" 291 | WAVEFRONT_ENDPOINTHOST: "" 292 | WAVEFRONT_ENDPOINTTOKEN: "" 293 | WAVEFRONT_ENDPOINTMETRICPORT: "Mjg3OA==" 294 | WAVEFRONT_FLUSHINTERVALSECONDS: "MQ==" 295 | WAVEFRONT_BATCHSIZE: "MTAwMDA=" 296 | WAVEFRONT_METRICNAME: "ZmFsY28uYWxlcnQ=" 297 | WAVEFRONT_MINIMUMPRIORITY: "ZGVidWc=" 298 | 299 | # Grafana 
Output 300 | GRAFANA_HOSTPORT: "" 301 | GRAFANA_APIKEY: "" 302 | GRAFANA_DASHBOARDID: "" 303 | GRAFANA_PANELID: "" 304 | GRAFANA_ALLFIELDSASTAGS: "ZmFsc2U=" 305 | GRAFANA_CUSTOMHEADERS: "" 306 | GRAFANA_MUTUALTLS: "ZmFsc2U=" 307 | GRAFANA_CHECKCERT: "dHJ1ZQ==" 308 | GRAFANA_MINIMUMPRIORITY: "" 309 | 310 | # Grafana On Call Output 311 | GRAFANAONCALL_WEBHOOKURL: "" 312 | GRAFANAONCALL_CUSTOMHEADERS: "" 313 | GRAFANAONCALL_CHECKCERT: "dHJ1ZQ==" 314 | GRAFANAONCALL_MUTUALTLS: "ZmFsc2U=" 315 | GRAFANAONCALL_MINIMUMPRIORITY: "" 316 | 317 | # Fission Output 318 | FISSION_FUNCTION: "" 319 | FISSION_ROUTERNAMESPACE: "Zmlzc2lvbg==" 320 | FISSION_ROUTERSERVICE: "cm91dGVy" 321 | FISSION_ROUTERPORT: "ODA=" 322 | FISSION_MINIMUMPRIORITY: "" 323 | FISSION_MUTUALTLS: "ZmFsc2U=" 324 | FISSION_CHECKCERT: "dHJ1ZQ==" 325 | 326 | # Yandex Output 327 | YANDEX_ACCESSKEYID: "" 328 | YANDEX_SECRETACCESSKEY: "" 329 | YANDEX_REGION: "" 330 | YANDEX_S3_ENDPOINT: "" 331 | YANDEX_S3_BUCKET: "" 332 | YANDEX_S3_PREFIX: "" 333 | YANDEX_S3_MINIMUMPRIORITY: "" 334 | YANDEX_DATASTREAMS_ENDPOINT: "" 335 | YANDEX_DATASTREAMS_STREAMNAME: "" 336 | YANDEX_DATASTREAMS_MINIMUMPRIORITY: "" 337 | 338 | # KafkaRest Output 339 | KAFKAREST_ADDRESS: "" 340 | KAFKAREST_VERSION: "Mg==" 341 | KAFKAREST_MINIMUMPRIORITY: "" 342 | KAFKAREST_MUTUALTLS: "ZmFsc2U=" 343 | KAFKAREST_CHECKCERT: "dHJ1ZQ==" 344 | 345 | # Syslog Output 346 | SYSLOG_HOST: "" 347 | SYSLOG_PORT: "" 348 | SYSLOG_PROTOCOL: "dGNw" 349 | SYSLOG_FORMAT: "anNvbg==" 350 | SYSLOG_MINIMUMPRIORITY: "" 351 | 352 | # Zoho Cliq Output 353 | CLIQ_WEBHOOKURL: "" 354 | CLIQ_ICON: "" 355 | CLIQ_USEEMOJI: "dHJ1ZQ==" 356 | CLIQ_OUTPUTFORMAT: "YWxs" 357 | CLIQ_MESSAGEFORMAT: "" 358 | CLIQ_MINIMUMPRIORITY: "" 359 | 360 | # Policy Reporter Output 361 | POLICYREPORT_ENABLED: "ZmFsc2U=" 362 | POLICYREPORT_KUBECONFIG: "fi8ua3ViZS9jb25maWc=" 363 | POLICYREPORT_MAXEVENTS: "MTAwMA==" 364 | POLICYREPORT_PRUNEBYPRIORITY: "ZmFsc2U=" 365 | POLICYREPORT_MINIMUMPRIORITY: "" 366 | 
367 | # Node Red Output 368 | NODERED_ADDRESS: "" 369 | NODERED_USER: "" 370 | NODERED_PASSWORD: "" 371 | NODERED_CUSTOMHEADERS: "" 372 | NODERED_CHECKCERT: "dHJ1ZQ==" 373 | NODERED_MINIMUMPRIORITY: "" 374 | 375 | # MQTT Output 376 | MQTT_BROKER: "" 377 | MQTT_TOPIC: "ZmFsY28vZXZlbnRz" 378 | MQTT_QOS: "MA==" 379 | MQTT_RETAINED: "ZmFsc2U=" 380 | MQTT_USER: "" 381 | MQTT_PASSWORD: "" 382 | MQTT_CHECKCERT: "dHJ1ZQ==" 383 | MQTT_MINIMUMPRIORITY: "" 384 | 385 | # Zincsearch Output 386 | ZINCSEARCH_HOSTPORT: "" 387 | ZINCSEARCH_INDEX: "ZmFsY28=" 388 | ZINCSEARCH_USERNAME: "" 389 | ZINCSEARCH_PASSWORD: "" 390 | ZINCSEARCH_CHECKCERT: "dHJ1ZQ==" 391 | ZINCSEARCH_MINIMUMPRIORITY: "" 392 | 393 | # Gotify Output 394 | GOTIFY_HOSTPORT: "" 395 | GOTIFY_TOKEN: "" 396 | GOTIFY_FORMAT: "bWFya2Rvd24=" 397 | GOTIFY_CHECKCERT: "dHJ1ZQ==" 398 | GOTIFY_MINIMUMPRIORITY: "" 399 | 400 | # Tekton Output 401 | TEKTON_EVENTLISTENER: "" 402 | TEKTON_CHECKCERT: "dHJ1ZQ==" 403 | TEKTON_MINIMUMPRIORITY: "" 404 | 405 | # Spyderbat Output 406 | SPYDERBAT_ORGUID: "" 407 | SPYDERBAT_APIKEY: "" 408 | SPYDERBAT_APIURL: "aHR0cHM6Ly9hcGkuc3B5ZGVyYmF0LmNvbQ==" 409 | SPYDERBAT_SOURCE: "ZmFsY29zaWRla2ljaw==" 410 | SPYDERBAT_SOURCEDESCRIPTION: "" 411 | SPYDERBAT_MINIMUMPRIORITY: "" 412 | 413 | # TimescaleDB Output (TIMESCALEDB_USER and TIMESCALEDB_PASSWORD below both decode to the stock "postgres" value; base64 here is encoding, not encryption, so override them with real credentials before enabling this output) 414 | TIMESCALEDB_HOST: "" 415 | TIMESCALEDB_PORT: "NTQzMg==" 416 | TIMESCALEDB_USER: "cG9zdGdyZXM=" 417 | TIMESCALEDB_PASSWORD: "cG9zdGdyZXM=" 418 | TIMESCALEDB_DATABASE: "" 419 | TIMESCALEDB_HYPERTABLENAME: "ZmFsY29fZXZlbnRz" 420 | TIMESCALEDB_MINIMUMPRIORITY: "" 421 | 422 | # Redis Output 423 | REDIS_ADDRESS: "" 424 | REDIS_PASSWORD: "" 425 | REDIS_DATABASE: "MA==" 426 | REDIS_KEY: "ZmFsY28=" 427 | REDIS_STORAGETYPE: "bGlzdA==" 428 | REDIS_MINIMUMPRIORITY: "" 429 | 430 | # TELEGRAM Output 431 | TELEGRAM_TOKEN: "" 432 | TELEGRAM_CHATID: "" 433 | TELEGRAM_MESSAGE_THREAD_ID: "" 434 | TELEGRAM_MINIMUMPRIORITY: "" 435 | TELEGRAM_CHECKCERT: "dHJ1ZQ==" 436 | 437 | # N8N Output 438 | N8N_ADDRESS: ""
439 | N8N_USER: "" 440 | N8N_PASSWORD: "" 441 | N8N_MINIMUMPRIORITY: "" 442 | N8N_CHECKCERT: "dHJ1ZQ==" 443 | 444 | # Open Observe Output 445 | OPENOBSERVE_HOSTPORT: "" 446 | OPENOBSERVE_USERNAME: "" 447 | OPENOBSERVE_PASSWORD: "" 448 | OPENOBSERVE_CHECKCERT: "dHJ1ZQ==" 449 | OPENOBSERVE_MUTUALTLS: "ZmFsc2U=" 450 | OPENOBSERVE_CUSTOMHEADERS: "" 451 | OPENOBSERVE_ORGANIZATIONNAME: "ZGVmYXVsdA==" 452 | OPENOBSERVE_STREAMNAME: "ZmFsY28=" 453 | OPENOBSERVE_MINIMUMPRIORITY: "" 454 | 455 | # Dynatrace Output 456 | DYNATRACE_APITOKEN: "" 457 | DYNATRACE_APIURL: "" 458 | DYNATRACE_CHECKCERT: "dHJ1ZQ==" 459 | DYNATRACE_MINIMUMPRIORITY: "" 460 | 461 | # OTLP Traces Output 462 | OTLP_TRACES_ENDPOINT: "" 463 | OTLP_TRACES_PROTOCOL: "" 464 | OTLP_TRACES_TIMEOUT: "MTAwMA==" 465 | OTLP_TRACES_HEADERS: "" 466 | OTLP_TRACES_SYNCED: "ZmFsc2U=" 467 | OTLP_TRACES_DURATION: "MTAwMA==" 468 | OTLP_TRACES_CHECKCERT: "dHJ1ZQ==" 469 | OTLP_TRACES_MINIMUMPRIORITY: "" 470 | # OTLP Metrics Output 471 | OTLP_METRICS_ENDPOINT: "" 472 | OTLP_METRICS_PROTOCOL: "Z3JwYw==" 473 | OTLP_METRICS_TIMEOUT: "MTAwMA==" 474 | OTLP_METRICS_HEADERS: "" 475 | OTLP_METRICS_EXTRAATTRIBUTES: "" 476 | OTLP_METRICS_CHECKCERT: "dHJ1ZQ==" 477 | OTLP_METRICS_MINIMUMPRIORITY: "" 478 | 479 | # Sumologic Output 480 | SUMOLOGIC_RECEIVERURL: "" 481 | SUMOLOGIC_SOURCECATEGORY: "" 482 | SUMOLOGIC_SOURCEHOST: "" 483 | SUMOLOGIC_NAME: "" 484 | SUMOLOGIC_CHECKCERT: "dHJ1ZQ==" 485 | SUMOLOGIC_MINIMUMPRIORITY: "" 486 | 487 | # Quickwit Output 488 | QUICKWIT_HOSTPORT: "" 489 | QUICKWIT_APIENDPOINT: "L2FwaS92MQ==" 490 | QUICKWIT_INDEX: "ZmFsY28=" 491 | QUICKWIT_AUTOCREATEINDEX: "ZmFsc2U=" 492 | QUICKWIT_CUSTOMHEADERS: "" 493 | QUICKWIT_VERSION: "MC43" 494 | QUICKWIT_CHECKCERT: "dHJ1ZQ==" 495 | QUICKWIT_MUTUALTLS: "ZmFsc2U=" 496 | QUICKWIT_MINIMUMPRIORITY: "" 497 | 498 | # Webex Output 499 | WEBEX_WEBHOOKURL: "" 500 | WEBEX_MINIMUMPRIORITY: "" 501 | 502 | # Talon Output 503 | TALON_ADDRESS: "" 504 | TALON_CHECKCERT: "dHJ1ZQ==" 505 | 
TALON_MINIMUMPRIORITY: "" 506 | 507 | # WebUI Output 508 | 509 | # Splunk Output 510 | SPLUNK_HOST: "" 511 | SPLUNK_TOKEN: "" 512 | SPLUNK_CUSTOMHEADERS: "" 513 | SPLUNK_CHECKCERT: "dHJ1ZQ==" 514 | SPLUNK_MINIMUMPRIORITY: "" 515 | --- 516 | -------------------------------------------------------------------------------- /kubernetes/falcosidekick/templates/falcosidekick-loki-dashboard-grafana.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: falcosidekick-loki-dashboard-grafana 5 | namespace: default 6 | labels: 7 | helm.sh/chart: falcosidekick-0.10.2 8 | app.kubernetes.io/name: falcosidekick 9 | app.kubernetes.io/instance: falcosidekick 10 | app.kubernetes.io/version: "2.31.1" 11 | app.kubernetes.io/part-of: falcosidekick 12 | app.kubernetes.io/managed-by: Helm 13 | grafana_dashboard: "1" 14 | data: 15 | falcosidekick-loki-dashboard.json: |- 16 | { 17 | "annotations": { 18 | "list": [ 19 | { 20 | "builtIn": 1, 21 | "datasource": { 22 | "type": "grafana", 23 | "uid": "-- Grafana --" 24 | }, 25 | "enable": true, 26 | "hide": true, 27 | "iconColor": "rgba(0, 211, 255, 1)", 28 | "name": "Annotations & Alerts", 29 | "type": "dashboard" 30 | } 31 | ] 32 | }, 33 | "editable": true, 34 | "fiscalYearStartMonth": 0, 35 | "graphTooltip": 0, 36 | "id": 5, 37 | "links": [], 38 | "panels": [ 39 | { 40 | "datasource": { 41 | "default": false, 42 | "type": "loki", 43 | "uid": "${datasource}" 44 | }, 45 | "fieldConfig": { 46 | "defaults": { 47 | "color": { 48 | "mode": "palette-classic" 49 | }, 50 | "custom": { 51 | "hideFrom": { 52 | "legend": false, 53 | "tooltip": false, 54 | "viz": false 55 | } 56 | }, 57 | "mappings": [] 58 | }, 59 | "overrides": [] 60 | }, 61 | "gridPos": { 62 | "h": 8, 63 | "w": 12, 64 | "x": 0, 65 | "y": 0 66 | }, 67 | "id": 1, 68 | "options": { 69 | "legend": { 70 | "displayMode": "list", 71 | "placement": "bottom", 72 | "showLegend": true 73 | }, 74 | 
"pieType": "pie", 75 | "reduceOptions": { 76 | "calcs": [ 77 | "sum" 78 | ], 79 | "fields": "", 80 | "values": false 81 | }, 82 | "tooltip": { 83 | "mode": "single", 84 | "sort": "none" 85 | } 86 | }, 87 | "pluginVersion": "11.2.0", 88 | "targets": [ 89 | { 90 | "datasource": { 91 | "type": "loki", 92 | "uid": "${datasource}" 93 | }, 94 | "editorMode": "builder", 95 | "expr": "count by(priority) (rate({priority=~\".+\"} | logfmt | k8s_ns =~ `$namespace` | priority =~ `$priority` [$__auto]))", 96 | "legendFormat": "{{priority}}", 97 | "queryType": "range", 98 | "refId": "A" 99 | } 100 | ], 101 | "title": "Priority counts", 102 | "type": "piechart" 103 | }, 104 | { 105 | "datasource": { 106 | "default": false, 107 | "type": "loki", 108 | "uid": "${datasource}" 109 | }, 110 | "fieldConfig": { 111 | "defaults": { 112 | "color": { 113 | "mode": "palette-classic" 114 | }, 115 | "custom": { 116 | "hideFrom": { 117 | "legend": false, 118 | "tooltip": false, 119 | "viz": false 120 | } 121 | }, 122 | "mappings": [] 123 | }, 124 | "overrides": [] 125 | }, 126 | "gridPos": { 127 | "h": 8, 128 | "w": 12, 129 | "x": 12, 130 | "y": 0 131 | }, 132 | "id": 2, 133 | "options": { 134 | "displayLabels": [ 135 | "value", 136 | "percent" 137 | ], 138 | "legend": { 139 | "calcs": [], 140 | "displayMode": "list", 141 | "placement": "bottom", 142 | "showLegend": true, 143 | "values": [] 144 | }, 145 | "pieType": "pie", 146 | "reduceOptions": { 147 | "calcs": [ 148 | "sum" 149 | ], 150 | "fields": "", 151 | "values": false 152 | }, 153 | "tooltip": { 154 | "mode": "single", 155 | "sort": "none" 156 | } 157 | }, 158 | "pluginVersion": "11.2.0", 159 | "targets": [ 160 | { 161 | "datasource": { 162 | "type": "loki", 163 | "uid": "${datasource}" 164 | }, 165 | "editorMode": "builder", 166 | "expr": "count by(rule) (rate({priority=~\".+\", rule!=\"Falco internal: metrics snapshot\"} | logfmt | k8s_ns =~ `$namespace` | priority =~ `$priority` [$__auto]))", 167 | "legendFormat": "{{priority}}", 
168 | "queryType": "range", 169 | "refId": "A" 170 | } 171 | ], 172 | "title": "Rules counts", 173 | "type": "piechart" 174 | }, 175 | { 176 | "datasource": { 177 | "default": false, 178 | "type": "loki", 179 | "uid": "${datasource}" 180 | }, 181 | "fieldConfig": { 182 | "defaults": { 183 | "color": { 184 | "mode": "thresholds" 185 | }, 186 | "custom": { 187 | "align": "left", 188 | "cellOptions": { 189 | "type": "auto", 190 | "wrapText": false 191 | }, 192 | "filterable": true, 193 | "inspect": false 194 | }, 195 | "mappings": [], 196 | "thresholds": { 197 | "mode": "absolute", 198 | "steps": [ 199 | { 200 | "color": "green", 201 | "value": null 202 | }, 203 | { 204 | "color": "red", 205 | "value": 80 206 | } 207 | ] 208 | } 209 | }, 210 | "overrides": [ 211 | { 212 | "matcher": { 213 | "id": "byName", 214 | "options": "Value #A" 215 | }, 216 | "properties": [ 217 | { 218 | "id": "displayName", 219 | "value": "Number of Messages" 220 | } 221 | ] 222 | }, 223 | { 224 | "matcher": { 225 | "id": "byName", 226 | "options": "Time" 227 | }, 228 | "properties": [ 229 | { 230 | "id": "custom.hidden", 231 | "value": true 232 | } 233 | ] 234 | }, 235 | { 236 | "matcher": { 237 | "id": "byName", 238 | "options": "k8s_ns" 239 | }, 240 | "properties": [ 241 | { 242 | "id": "custom.width", 243 | "value": 96 244 | } 245 | ] 246 | }, 247 | { 248 | "matcher": { 249 | "id": "byName", 250 | "options": "priority" 251 | }, 252 | "properties": [ 253 | { 254 | "id": "custom.width", 255 | "value": 91 256 | } 257 | ] 258 | }, 259 | { 260 | "matcher": { 261 | "id": "byName", 262 | "options": "rule" 263 | }, 264 | "properties": [ 265 | { 266 | "id": "custom.width", 267 | "value": 450 268 | } 269 | ] 270 | }, 271 | { 272 | "matcher": { 273 | "id": "byName", 274 | "options": "k8s_pod_name" 275 | }, 276 | "properties": [ 277 | { 278 | "id": "custom.width", 279 | "value": 184 280 | } 281 | ] 282 | } 283 | ] 284 | }, 285 | "gridPos": { 286 | "h": 8, 287 | "w": 24, 288 | "x": 0, 289 | "y": 8 290 
| }, 291 | "id": 5, 292 | "options": { 293 | "cellHeight": "sm", 294 | "footer": { 295 | "countRows": false, 296 | "enablePagination": false, 297 | "fields": "", 298 | "reducer": [ 299 | "last" 300 | ], 301 | "show": false 302 | }, 303 | "showHeader": true, 304 | "sortBy": [ 305 | { 306 | "desc": false, 307 | "displayName": "k8s_pod_name" 308 | } 309 | ] 310 | }, 311 | "pluginVersion": "11.2.0", 312 | "targets": [ 313 | { 314 | "datasource": { 315 | "type": "loki", 316 | "uid": "${datasource}" 317 | }, 318 | "editorMode": "builder", 319 | "expr": "count by(k8s_pod_name, rule, priority, k8s_ns) (rate({priority=~\".+\"} | logfmt | k8s_ns =~ `$namespace` | priority =~ `$priority` [$__auto]))", 320 | "legendFormat": "", 321 | "queryType": "instant", 322 | "refId": "A" 323 | } 324 | ], 325 | "transformations": [ 326 | { 327 | "id": "sortBy", 328 | "options": { 329 | "fields": {}, 330 | "sort": [ 331 | { 332 | "desc": true, 333 | "field": "Value #A" 334 | } 335 | ] 336 | } 337 | } 338 | ], 339 | "type": "table" 340 | }, 341 | { 342 | "datasource": { 343 | "default": false, 344 | "type": "loki", 345 | "uid": "${datasource}" 346 | }, 347 | "gridPos": { 348 | "h": 7, 349 | "w": 24, 350 | "x": 0, 351 | "y": 16 352 | }, 353 | "id": 6, 354 | "options": { 355 | "dedupStrategy": "none", 356 | "enableLogDetails": true, 357 | "prettifyLogMessage": false, 358 | "showCommonLabels": false, 359 | "showLabels": false, 360 | "showTime": false, 361 | "sortOrder": "Descending", 362 | "wrapLogMessage": false 363 | }, 364 | "pluginVersion": "11.2.0", 365 | "targets": [ 366 | { 367 | "datasource": { 368 | "type": "loki", 369 | "uid": "${datasource}" 370 | }, 371 | "direction": "backward", 372 | "editorMode": "builder", 373 | "expr": "{priority=~\".+\"} |= `$line_filter` | logfmt | k8s_ns =~ `$namespace` | priority =~ `$priority`", 374 | "queryType": "range", 375 | "refId": "A" 376 | } 377 | ], 378 | "title": "Realtime logs", 379 | "type": "logs" 380 | }, 381 | { 382 | "datasource": { 383 | 
"default": false, 384 | "type": "loki", 385 | "uid": "${datasource}" 386 | }, 387 | "fieldConfig": { 388 | "defaults": { 389 | "color": { 390 | "mode": "palette-classic" 391 | }, 392 | "custom": { 393 | "axisBorderShow": false, 394 | "axisCenteredZero": false, 395 | "axisColorMode": "text", 396 | "axisLabel": "", 397 | "axisPlacement": "auto", 398 | "barAlignment": 0, 399 | "barWidthFactor": 0.6, 400 | "drawStyle": "line", 401 | "fillOpacity": 100, 402 | "gradientMode": "none", 403 | "hideFrom": { 404 | "legend": false, 405 | "tooltip": false, 406 | "viz": false 407 | }, 408 | "insertNulls": false, 409 | "lineInterpolation": "stepBefore", 410 | "lineStyle": { 411 | "fill": "solid" 412 | }, 413 | "lineWidth": 1, 414 | "pointSize": 4, 415 | "scaleDistribution": { 416 | "type": "linear" 417 | }, 418 | "showPoints": "auto", 419 | "spanNulls": false, 420 | "stacking": { 421 | "group": "A", 422 | "mode": "normal" 423 | }, 424 | "thresholdsStyle": { 425 | "mode": "off" 426 | } 427 | }, 428 | "fieldMinMax": false, 429 | "mappings": [], 430 | "min": 0, 431 | "thresholds": { 432 | "mode": "absolute", 433 | "steps": [ 434 | { 435 | "color": "green" 436 | }, 437 | { 438 | "color": "red", 439 | "value": 80 440 | } 441 | ] 442 | }, 443 | "unit": "none" 444 | }, 445 | "overrides": [] 446 | }, 447 | "gridPos": { 448 | "h": 8, 449 | "w": 12, 450 | "x": 0, 451 | "y": 23 452 | }, 453 | "id": 7, 454 | "options": { 455 | "legend": { 456 | "calcs": [], 457 | "displayMode": "list", 458 | "placement": "bottom", 459 | "showLegend": true 460 | }, 461 | "tooltip": { 462 | "mode": "single", 463 | "sort": "none" 464 | } 465 | }, 466 | "targets": [ 467 | { 468 | "datasource": { 469 | "type": "loki", 470 | "uid": "loki" 471 | }, 472 | "editorMode": "builder", 473 | "expr": "count by(priority) (rate({priority=~\".+\"} | logfmt | k8s_ns =~ `$namespace` | priority =~ `$priority` [1m]))", 474 | "legendFormat": "{{priority}}", 475 | "queryType": "range", 476 | "refId": "A" 477 | } 478 | ], 479 | 
"title": "Priorities Rates", 480 | "type": "timeseries" 481 | }, 482 | { 483 | "datasource": { 484 | "default": false, 485 | "type": "loki", 486 | "uid": "${datasource}" 487 | }, 488 | "fieldConfig": { 489 | "defaults": { 490 | "color": { 491 | "mode": "palette-classic" 492 | }, 493 | "custom": { 494 | "axisBorderShow": false, 495 | "axisCenteredZero": false, 496 | "axisColorMode": "text", 497 | "axisLabel": "", 498 | "axisPlacement": "auto", 499 | "barAlignment": 0, 500 | "barWidthFactor": 0.6, 501 | "drawStyle": "line", 502 | "fillOpacity": 100, 503 | "gradientMode": "none", 504 | "hideFrom": { 505 | "legend": false, 506 | "tooltip": false, 507 | "viz": false 508 | }, 509 | "insertNulls": false, 510 | "lineInterpolation": "stepBefore", 511 | "lineStyle": { 512 | "fill": "solid" 513 | }, 514 | "lineWidth": 1, 515 | "pointSize": 4, 516 | "scaleDistribution": { 517 | "type": "linear" 518 | }, 519 | "showPoints": "auto", 520 | "spanNulls": false, 521 | "stacking": { 522 | "group": "A", 523 | "mode": "normal" 524 | }, 525 | "thresholdsStyle": { 526 | "mode": "off" 527 | } 528 | }, 529 | "fieldMinMax": false, 530 | "mappings": [], 531 | "min": 0, 532 | "thresholds": { 533 | "mode": "absolute", 534 | "steps": [ 535 | { 536 | "color": "green" 537 | }, 538 | { 539 | "color": "red", 540 | "value": 80 541 | } 542 | ] 543 | }, 544 | "unit": "none" 545 | }, 546 | "overrides": [] 547 | }, 548 | "gridPos": { 549 | "h": 8, 550 | "w": 12, 551 | "x": 12, 552 | "y": 23 553 | }, 554 | "id": 8, 555 | "options": { 556 | "legend": { 557 | "calcs": [], 558 | "displayMode": "list", 559 | "placement": "bottom", 560 | "showLegend": true 561 | }, 562 | "tooltip": { 563 | "mode": "single", 564 | "sort": "none" 565 | } 566 | }, 567 | "targets": [ 568 | { 569 | "datasource": { 570 | "type": "loki", 571 | "uid": "loki" 572 | }, 573 | "editorMode": "builder", 574 | "expr": "count by(rule) (rate({priority=~\".+\"} | logfmt | k8s_ns =~ `$namespace` | priority =~ `$priority` [1m]))", 575 | 
"legendFormat": "{{priority}}", 576 | "queryType": "range", 577 | "refId": "A" 578 | } 579 | ], 580 | "title": "Rules Rates", 581 | "type": "timeseries" 582 | } 583 | ], 584 | "refresh": "auto", 585 | "schemaVersion": 39, 586 | "tags": [], 587 | "templating": { 588 | "list": [ 589 | { 590 | "allValue": "", 591 | "current": { 592 | "selected": true, 593 | "text": [ 594 | "arr", 595 | "core", 596 | "falco", 597 | "kube-system", 598 | "media", 599 | "monitoring", 600 | "rook", 601 | "rook-cluster", 602 | "storage", 603 | "utilities", 604 | "webs" 605 | ], 606 | "value": [ 607 | "arr", 608 | "core", 609 | "falco", 610 | "kube-system", 611 | "media", 612 | "monitoring", 613 | "rook", 614 | "rook-cluster", 615 | "storage", 616 | "utilities", 617 | "webs" 618 | ] 619 | }, 620 | "datasource": { 621 | "type": "loki", 622 | "uid": "${datasource}" 623 | }, 624 | "definition": "", 625 | "description": "", 626 | "hide": 0, 627 | "includeAll": false, 628 | "label": "namespace", 629 | "multi": true, 630 | "name": "namespace", 631 | "options": [], 632 | "query": { 633 | "label": "namespace", 634 | "refId": "LokiVariableQueryEditor-VariableQuery", 635 | "stream": "", 636 | "type": 1 637 | }, 638 | "refresh": 1, 639 | "regex": "", 640 | "skipUrlSync": false, 641 | "sort": 0, 642 | "type": "query" 643 | }, 644 | { 645 | "current": { 646 | "selected": false, 647 | "text": "Loki", 648 | "value": "loki" 649 | }, 650 | "hide": 0, 651 | "includeAll": false, 652 | "label": "datasource", 653 | "multi": false, 654 | "name": "datasource", 655 | "options": [], 656 | "query": "loki", 657 | "queryValue": "", 658 | "refresh": 1, 659 | "regex": "", 660 | "skipUrlSync": false, 661 | "type": "datasource" 662 | }, 663 | { 664 | "current": { 665 | "selected": true, 666 | "text": [ 667 | "Critical" 668 | ], 669 | "value": [ 670 | "Critical" 671 | ] 672 | }, 673 | "datasource": { 674 | "type": "loki", 675 | "uid": "${datasource}" 676 | }, 677 | "definition": "", 678 | "hide": 0, 679 | "includeAll": 
true, 680 | "label": "priority", 681 | "multi": true, 682 | "name": "priority", 683 | "options": [], 684 | "query": { 685 | "label": "priority", 686 | "refId": "LokiVariableQueryEditor-VariableQuery", 687 | "stream": "", 688 | "type": 1 689 | }, 690 | "refresh": 1, 691 | "regex": "", 692 | "skipUrlSync": false, 693 | "sort": 0, 694 | "type": "query" 695 | }, 696 | { 697 | "current": { 698 | "selected": false, 699 | "text": "", 700 | "value": "" 701 | }, 702 | "description": "Text to filter lines", 703 | "hide": 0, 704 | "label": "line_filter", 705 | "name": "line_filter", 706 | "options": [ 707 | { 708 | "selected": true, 709 | "text": "", 710 | "value": "" 711 | } 712 | ], 713 | "query": "", 714 | "skipUrlSync": false, 715 | "type": "textbox" 716 | } 717 | ] 718 | }, 719 | "time": { 720 | "from": "now-24h", 721 | "to": "now" 722 | }, 723 | "timepicker": {}, 724 | "timezone": "browser", 725 | "title": "Falco logs", 726 | "uid": "de6ixj4nl1kowc", 727 | "version": 2, 728 | "weekStart": "" 729 | } 730 | --- 731 | --------------------------------------------------------------------------------