[tracking] missing Falco regression tests

[jasondellaluce]

This is a tracker for all the tests related to the Falco CLI executable that are still missing.

Each of the following bullet point is a wonderful opportunity for easy first contributions. This tracker will be kept updated whenever PRs will get opened for any of the bullet points.

Falco command line

Test the behavior and expected output of the Falco CLI depending on its options, considered both individually and in combinations:

• Commands printing information:
  • -h
  • --help
  • --support
  • -i
  • -L
  • -l
  • --list
  • --list-syscall-events
  • --markdown
  • -N
  • --gvisor-generate-config
  • --page-size
• Metadata collection and container runtime:
  • --cri
  • --disable-cri-async
  • -k [DEPRECATED]
  • --k8s-api [DEPRECATED]
  • -K [DEPRECATED]
  • --k8s-api-cert [DEPRECATED]
  • --k8s-node [DEPRECATED]
  • -m [DEPRECATED]
  • --mesos-api [DEPRECATED]
• Falco event collection modes:
  • -g [DEPRECATED]
  • --gvisor-config [DEPRECATED]
  • --gvisor-root [DEPRECATED]
  • --modern-bpf [DEPRECATED]
• Changers of Falco's behavior:
  • --disable-source
  • --enable-source
  • -A
  • -P
  • --pidfile
  • -p
  • --print
  • -b
  • --print-base64
  • -S
  • --snaplen
• Misc Falco features:
  • -s [DEPRECATED]
  • --stats-interval [DEPRECATED]
  • -U
  • --unbuffered

Falco configuration fields

Test the behavior and expected output of Falco depending on the falco.yaml fields:

• watch_config_files
• libs_logger
• buffered_outputs
• syscall_event_timeouts
• syscall_buf_size_preset [DEPRECATED]
• modern_bpf [DEPRECATED]
• output_timeout
• outputs
• syslog_output
• file_output
• stdout_output
• webserver
• program_output
• http_output
• metadata_download

Falco environment variables

Test the Falco behavior on the supported environment variables and their priorities, also in combination with their args/configs/cmds counterparts:

• FALCO_K8S_API [DEPRECATED]
• FALCO_K8S_API_CERT [DEPRECATED]
• FALCO_MESOS_API [DEPRECATED]
• FALCO_HOSTNAME
• FALCO_GRPC_HOSTNAME
• FALCO_BPF_PROBE [DEPRECATED]
• HOME (used for bpf probe)

Other Falco things

Umbrella category for all the rest of things done by Falco not fitting in the above lists. This will likely be moved to another issue because they are more oriented to the integration with other tools (such as the driver loader), but I'm gonna list them here for now:

• Falco reaction to signals SIGINT, SIGUSR1, SIGHUP
• Collection of live events with kmod, bpf, modern-bpf, gvisor, userspace
• Collection of live events with multiple event sources active at the same
• Stress test with event generator, checking memory usage and event drops

[poiana]

There is not a label identifying the kind of this issue.
Please specify it either using /kind <group> or manually from the side menu.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

[leogr]

/kind feature
/remove-lifecycle rotten.

[poiana]

@leogr: The label(s) kind/feature cannot be applied, because the repository doesn't have them.

In response to this:

/kind feature
/remove-lifecycle rotten.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[leogr]

/kind feature

[incertum]

@jasondellaluce we can remove the deprecated config or cmd args options.

[poiana]

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

[poiana]

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[leogr]

/reopen

[poiana]

@leogr: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[leogr]

/remove-lifecycle rotten

[leogr]

/help

[poiana]

@leogr:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[leogr]

/assign

[leogr]

This list must be reviewed considering the new deprecations:

• [TRACKING] Breaking changes in Falco 0.37.0 falco#2763
• [TRACKING] Breaking changes in Falco 0.38 falco#2840

@Andreagit97 @FedeDP could you help me with that please?

[Andreagit97]

I 've already done it putting [DEPRECATED] near the items, but please double check

[incertum]

Check on some Legacy tests around enabling rules with or without tags and in combination with using the enabled key or not. Some tests seem to assert final rules that are enabled (e.g. TestFalco_Legacy_DisabledTagsB), other test could be missing it? e.g. TestFalco_Legacy_DisabledRulesUsingEnabledFlag or TestFalco_Legacy_DisabledRuleUsingFalseEnabledFlagOnly etc.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[FedeDP]

/remove-lifecycle stale

Marked watch_config_files as done since testing framework now tests it: #54

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle stale