Merge branch 'master' into evol/svc-annotations

Signed-off-by: afreyermuth98 <56300858+afreyermuth98@users.noreply.github.com>
falcosecurity · Sep 11, 2024 · 77679f1 · 77679f1
2 parents 394ef47 + 98897b0
commit 77679f1
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 7 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,4 @@
 *.swp
 *.swo
 *~
+.vscode
diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md
@@ -6,6 +6,17 @@ numbering uses [semantic versioning](http://semver.org).
 ## v4.8.2
 
 * feat(falco): add labels and annotations to the metrics service
+* fix(falco): correctly mount host filesystems when driver.kind is auto
+
+  When falco runs with kmod/module driver it needs special filesystems
+  to be mounted from the host such /dev and /sys/module/falco.
+  This commit ensures that we mount them in the falco container.
+
+  Note that, the /sys/module/falco is now mounted as /sys/module since
+  we do not know which kind of driver will be used. The falco folder 
+  exists under /sys/module only when the kernel module is loaded, 
+  hence it's not possible to use the /sys/module/falco hostpath when driver.kind 
+  is set to auto.
 
 ## v4.8.1
 

diff --git a/charts/falco/templates/pod-template.tpl b/charts/falco/templates/pod-template.tpl
@@ -151,12 +151,12 @@ spec:
           name: etc-fs
           readOnly: true
         {{- end -}}
-        {{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) }}
+        {{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module") (eq .Values.driver.kind "auto")) }}
         - mountPath: /host/dev
           name: dev-fs
           readOnly: true
         - name: sys-fs
-          mountPath: /sys/module/falco
+          mountPath: /sys/module
         {{- end }}
         {{- if and .Values.driver.enabled (and (eq .Values.driver.kind "ebpf") (contains "falco-no-driver" .Values.image.repository)) }}
         - name: debugfs
@@ -249,13 +249,13 @@ spec:
       hostPath:
         path: /etc
     {{- end }}
-    {{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) }}
+    {{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module") (eq .Values.driver.kind "auto")) }}
     - name: dev-fs
       hostPath:
         path: /dev
     - name: sys-fs
       hostPath:
-        path: /sys/module/falco
+        path: /sys/module
     {{- end }}
     {{- if and .Values.driver.enabled (and (eq .Values.driver.kind "ebpf") (contains "falco-no-driver" .Values.image.repository)) }}
     - name: debugfs

diff --git a/charts/falcosidekick/CHANGELOG.md b/charts/falcosidekick/CHANGELOG.md
@@ -5,7 +5,12 @@ numbering uses [semantic versioning](http://semver.org).
 
 Before release 0.1.20, the helm chart can be found in `falcosidekick` [repository](https://github.com/falcosecurity/falcosidekick/tree/master/deploy/helm/falcosidekick).
 
+## 0.8.5
+
+- Fix an issue with the by default missing custom CA cert
+
 ## 0.8.4
+
 - Fix falcosidekick chart ignoring custom service type for webui redis
 
 ## 0.8.3

diff --git a/charts/falcosidekick/Chart.yaml b/charts/falcosidekick/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: 2.29.0
 description: Connect Falco to your ecosystem
 icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png
 name: falcosidekick
-version: 0.8.4
+version: 0.8.5
 keywords:
   - monitoring
   - security

diff --git a/charts/falcosidekick/README.md b/charts/falcosidekick/README.md
@@ -523,7 +523,7 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.timescaledb.password | string | `"postgres"` | Password to authenticate with TimescaleDB |
 | config.timescaledb.port | int | `5432` | TimescaleDB port (default: 5432) |
 | config.timescaledb.user | string | `"postgres"` | Username to authenticate with TimescaleDB |
-| config.tlsclient.cacertfile | string | `"/etc/certs/client/ca.crt"` | CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty |
+| config.tlsclient.cacertfile | string | `""` | CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty |
 | config.tlsserver.cacertfile | string | `"/etc/certs/server/ca.crt"` | CA certification file path for client certification if mutualtls is true |
 | config.tlsserver.cacrt | string | `""` |  |
 | config.tlsserver.certfile | string | `"/etc/certs/server/server.crt"` | server certification file path for TLS Server |

diff --git a/charts/falcosidekick/values.yaml b/charts/falcosidekick/values.yaml
@@ -145,7 +145,7 @@ config:
 
   tlsclient:
     # -- CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty
-    cacertfile: "/etc/certs/client/ca.crt"
+    cacertfile: ""
 
   tlsserver:
     # -- if true TLS server will be deployed instead of HTTP