From ed573c82d7067d1f50234f3402839a31b384847a Mon Sep 17 00:00:00 2001 From: Aldo Lacuku Date: Tue, 13 Feb 2024 09:29:51 +0100 Subject: [PATCH 1/3] update(falco): bump falco to 0.37.1 Signed-off-by: Aldo Lacuku --- charts/falco/CHANGELOG.md | 4 ++++ charts/falco/Chart.yaml | 4 ++-- charts/falco/README.md | 4 ++-- charts/falco/values.yaml | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md index 929d0c8a..1a405ec4 100644 --- a/charts/falco/CHANGELOG.md +++ b/charts/falco/CHANGELOG.md @@ -3,6 +3,10 @@ This file documents all notable changes to Falco Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v4.2.0 + +* Bump falco to v0.37.1 and falcoctl to v0.7.2 + ## v4.1.2 * Fix links in output after falco install without sidekick diff --git a/charts/falco/Chart.yaml b/charts/falco/Chart.yaml index 6a6c82dc..75dd03b9 100644 --- a/charts/falco/Chart.yaml +++ b/charts/falco/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: falco -version: 4.1.2 -appVersion: "0.37.0" +version: 4.2.0 +appVersion: "0.37.1" description: Falco keywords: - monitoring diff --git a/charts/falco/README.md b/charts/falco/README.md index 6678cf77..9b40b2f8 100644 --- a/charts/falco/README.md +++ b/charts/falco/README.md @@ -563,7 +563,7 @@ If you use a Proxy in your cluster, the requests between `Falco` and `Falcosidek ## Configuration -The following table lists the main configurable parameters of the falco chart v4.1.2 and their default values. See `values.yaml` for full list. +The following table lists the main configurable parameters of the falco chart v4.2.0 and their default values. See `values.yaml` for full list. ## Values @@ -701,7 +701,7 @@ The following table lists the main configurable parameters of the falco chart v4 | falcoctl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy. | | falcoctl.image.registry | string | `"docker.io"` | The image registry to pull from. | | falcoctl.image.repository | string | `"falcosecurity/falcoctl"` | The image repository to pull from. | -| falcoctl.image.tag | string | `"0.7.1"` | The image tag to pull. | +| falcoctl.image.tag | string | `"0.7.2"` | The image tag to pull. | | falcosidekick | object | `{"enabled":false,"fullfqdn":false,"listenPort":""}` | For configuration values, see https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml | | falcosidekick.enabled | bool | `false` | Enable falcosidekick deployment. | | falcosidekick.fullfqdn | bool | `false` | Enable usage of full FQDN of falcosidekick service (useful when a Proxy is used). | diff --git a/charts/falco/values.yaml b/charts/falco/values.yaml index 3c056232..e75619cd 100644 --- a/charts/falco/values.yaml +++ b/charts/falco/values.yaml @@ -372,7 +372,7 @@ falcoctl: # -- The image repository to pull from. repository: falcosecurity/falcoctl # -- The image tag to pull. - tag: "0.7.1" + tag: "0.7.2" artifact: # -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before # Falco starts. It provides them to Falco by using an emptyDir volume. From 83cf48688dd32ed66b2ac9fb67524a503401145f Mon Sep 17 00:00:00 2001 From: Aldo Lacuku Date: Tue, 13 Feb 2024 12:24:34 +0100 Subject: [PATCH 2/3] update(falco-exporter): update docs Furthermore, it adds the autogeneration of the configuration from the values.yaml file. Signed-off-by: Aldo Lacuku --- .github/workflows/docs.yml | 2 +- Makefile | 2 +- charts/falco-exporter/README.gotmpl | 75 +++++++++++++++++ charts/falco-exporter/README.md | 123 +++++++++++++++++++--------- charts/falco-exporter/values.yaml | 109 +++++++++++++++++------- 5 files changed, 239 insertions(+), 72 deletions(-) create mode 100644 charts/falco-exporter/README.gotmpl diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 9b49daba..7bf0f958 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -13,7 +13,7 @@ jobs: - name: Run Helm Docs and check the outcome run: | - for chart in event-generator falco k8s-metacollector; do + for chart in event-generator falco k8s-metacollector falco-exporter; do docker run \ --rm \ --workdir=/helm-docs \ diff --git a/Makefile b/Makefile index 8fa11916..86f60977 100644 --- a/Makefile +++ b/Makefile @@ -22,7 +22,7 @@ lint-%: ct lint --config ./ct.yaml --charts ./charts/$* .PHONY: docs -docs: $(addprefix docs-, $(filter-out falco-exporter,$(CHARTS_NAMES))) +docs: $(addprefix docs-, $(CHARTS_NAMES)) docs-%: @docker run \ diff --git a/charts/falco-exporter/README.gotmpl b/charts/falco-exporter/README.gotmpl new file mode 100644 index 00000000..b9ff96b3 --- /dev/null +++ b/charts/falco-exporter/README.gotmpl @@ -0,0 +1,75 @@ +# falco-exporter Helm Chart + +[falco-exporter](https://github.com/falcosecurity/falco-exporter) is a Prometheus Metrics Exporter for Falco output events. + +Before using this chart, you need [Falco installed](https://falco.org/docs/installation/) and running with the [gRPC Output](https://falco.org/docs/grpc/) enabled (over Unix socket by default). + +This chart is compatible with the [Falco Chart](https://github.com/falcosecurity/charts/tree/master/falco) version `v1.2.0` or greater. Instructions to enable the gRPC Output in the Falco Helm Chart can be found [here](https://github.com/falcosecurity/charts/tree/master/falco#enabling-grpc). We also strongly recommend using [gRPC over Unix socket](https://github.com/falcosecurity/charts/tree/master/falco#grpc-over-unix-socket-default). + +## Introduction + +The chart deploys **falco-exporter** as Daemon Set on your the Kubernetes cluster. If a [Prometheus installation](https://github.com/helm/charts/tree/master/stable/prometheus) is running within your cluster, metrics provided by **falco-exporter** will be automatically discovered. + +## Adding `falcosecurity` repository + +Prior to installing the chart, add the `falcosecurity` charts repository: + +```bash +helm repo add falcosecurity https://falcosecurity.github.io/charts +helm repo update +``` + +## Installing the Chart + +To install the chart with the release name `falco-exporter` run: + +```bash +helm install falco-exporter falcosecurity/falco-exporter +``` + +After a few seconds, **falco-exporter** should be running. + +> **Tip**: List all releases using `helm list`, a release is a name used to track a specific deployment + +## Uninstalling the Chart + +To uninstall the `falco-exporter` deployment: + +```bash +helm uninstall falco-exporter +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +```bash +helm install falco-exporter --set falco.grpcTimeout=3m falcosecurity/falco-exporter +``` + +Alternatively, a YAML file that specifies the parameters' values can be provided while installing the chart. For example, + +```bash +helm install falco-exporter -f values.yaml falcosecurity/falco-exporter +``` + +### Enable Mutual TLS + +Mutual TLS for `/metrics` endpoint can be enabled to prevent alerts content from being consumed by unauthorized components. + +To install falco-exporter with Mutual TLS enabled, you have to: + +```shell +helm install falco-exporter \ + --set service.mTLS.enabled=true \ + --set-file service.mTLS.server.key=/path/to/server.key \ + --set-file service.mTLS.server.crt=/path/to/server.crt \ + --set-file service.mTLS.ca.crt=/path/to/ca.crt \ + falcosecurity/falco-exporter +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration + +The following table lists the main configurable parameters of the {{ template "chart.name" . }} chart v{{ template "chart.version" . }} and their default values. Please, refer to [values.yaml](./values.yaml) for the full list of configurable parameters. + +{{ template "chart.valuesSection" . }} diff --git a/charts/falco-exporter/README.md b/charts/falco-exporter/README.md index a7e00c8c..e1281306 100644 --- a/charts/falco-exporter/README.md +++ b/charts/falco-exporter/README.md @@ -41,45 +41,6 @@ helm uninstall falco-exporter The command removes all the Kubernetes components associated with the chart and deletes the release. -## Configuration - -The following table lists the main configurable parameters of the chart and their default values. - -| Parameter | Description | Default | -| ------------------------------------------------ | ------------------------------------------------------------------------------------------------ | ---------------------------------- | -| `image.registry` | The image registry to pull from | `docker.io` | -| `image.repository` | The image repository to pull from | `falcosecurity/falco-exporter` | -| `image.tag` | The image tag to pull | `0.8.3` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `falco.grpcUnixSocketPath` | Unix socket path for connecting to a Falco gRPC server | `unix:///var/run/falco/falco.sock` | -| `falco.grpcTimeout` | gRPC connection timeout | `2m` | -| `serviceAccount.create` | Specify if a service account should be created | `true` | -| `podSecurityPolicy.create` | Specify if a PSP, Role & RoleBinding should be created | `false` | -| `serviceMonitor.enabled` | Enabled deployment of a Prometheus operator Service Monitor | `false` | -| `serviceMonitor.additionalLabels` | Add additional Labels to the Service Monitor | `{}` | -| `serviceMonitor.interval` | Specify a user defined interval for the Service Monitor | `""` | -| `serviceMonitor.scrapeTimeout` | Specify a user defined scrape timeout for the Service Monitor | `""` | -| `grafanaDashboard.enabled` | Enable the falco security dashboard, see https://github.com/falcosecurity/falco-exporter#grafana | `false` | -| `grafanaDashboard.folder` | The grafana folder to deplay the dashboard in | `""` | -| `grafanaDashboard.namespace` | The namespace to deploy the dashboard configmap in | `default` | -| `grafanaDashboard.prometheusDatasourceName` | The prometheus datasource name to be used for the dashboard | `Prometheus` | -| `scc.create` | Create OpenShift's Security Context Constraint | `true` | -| `service.mTLS.enabled` | Enable falco-exporter server Mutual TLS feature | `false` | -| `prometheusRules.enabled` | Enable the creation of falco-exporter PrometheusRules | `false` | -| `daemonset.podLabels` | Customized Daemonset pod labels | `{}` | -| `healthChecks.livenessProbe.probesPort` | Liveness probes port | `19376` | -| `healthChecks.readinessProbe.probesPort` | Readiness probes port | `19376` | -| `healthChecks.livenessProbe.initialDelaySeconds` | Number of seconds before performing the first liveness probe | `60` | -| `healthChecks.readinessProbe.initialDelaySeconds`| Number of seconds before performing the first readiness probe | `30` | -| `healthChecks.livenessProbe.timeoutSeconds` | Number of seconds after which the liveness probe times out | `5` | -| `healthChecks.readinessProbe.timeoutSeconds` | Number of seconds after which the readiness probe times out | `5` | -| `healthChecks.livenessProbe.periodSeconds` | Time interval in seconds to perform the liveness probe | `15` | -| `healthChecks.readinessProbe.periodSeconds` | Time interval in seconds to perform the readiness probe | `15` | - -Please, refer to [values.yaml](./values.yaml) for the full list of configurable parameters. - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - ```bash helm install falco-exporter --set falco.grpcTimeout=3m falcosecurity/falco-exporter ``` @@ -106,3 +67,87 @@ helm install falco-exporter \ ``` > **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration + +The following table lists the main configurable parameters of the falco-exporter chart v0.9.10 and their default values. Please, refer to [values.yaml](./values.yaml) for the full list of configurable parameters. + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | affinity allows pod placement based on node characteristics, or any other custom labels assigned to nodes. | +| daemonset | object | `{"annotations":{},"podLabels":{},"updateStrategy":{"type":"RollingUpdate"}}` | daemonset holds the configuration for the daemonset. | +| daemonset.annotations | object | `{}` | annotations to add to the DaemonSet pods. | +| daemonset.podLabels | object | `{}` | podLabels labels to add to the pods. | +| falco | object | `{"grpcTimeout":"2m","grpcUnixSocketPath":"unix:///run/falco/falco.sock"}` | falco the configuration to connect falco. | +| falco.grpcTimeout | string | `"2m"` | grpcTimeout timout value for grpc connection. | +| falco.grpcUnixSocketPath | string | `"unix:///run/falco/falco.sock"` | grpcUnixSocketPath path to the falco's grpc unix socket. | +| fullnameOverride | string | `""` | fullNameOverride same as nameOverride but for the full name. | +| grafanaDashboard | object | `{"enabled":false,"folder":"","namespace":"default","prometheusDatasourceName":"Prometheus"}` | grafanaDashboard contains the configuration related to grafana dashboards. | +| grafanaDashboard.enabled | bool | `false` | enabled specifies whether the dashboard should be deployed. | +| grafanaDashboard.folder | string | `""` | folder where the dashboard is stored by grafana. | +| grafanaDashboard.namespace | string | `"default"` | namespace specifies the namespace for the configmap. | +| grafanaDashboard.prometheusDatasourceName | string | `"Prometheus"` | prometheusDatasourceName name of the data source. | +| healthChecks | object | `{"livenessProbe":{"initialDelaySeconds":60,"periodSeconds":15,"probesPort":19376,"timeoutSeconds":5},"readinessProbe":{"initialDelaySeconds":30,"periodSeconds":15,"probesPort":19376,"timeoutSeconds":5}}` | healthChecks contains the configuration for liveness and readiness probes. | +| healthChecks.livenessProbe | object | `{"initialDelaySeconds":60,"periodSeconds":15,"probesPort":19376,"timeoutSeconds":5}` | livenessProbe is a diagnostic mechanism used to determine weather a container within a Pod is still running and healthy. | +| healthChecks.livenessProbe.initialDelaySeconds | int | `60` | initialDelaySeconds tells the kubelet that it should wait X seconds before performing the first probe. | +| healthChecks.livenessProbe.periodSeconds | int | `15` | periodSeconds specifies the interval at which the liveness probe will be repeated. | +| healthChecks.livenessProbe.probesPort | int | `19376` | probesPort is liveness probes port. | +| healthChecks.livenessProbe.timeoutSeconds | int | `5` | timeoutSeconds number of seconds after which the probe times out. | +| healthChecks.readinessProbe | object | `{"initialDelaySeconds":30,"periodSeconds":15,"probesPort":19376,"timeoutSeconds":5}` | readinessProbe is a mechanism used to determine whether a container within a Pod is ready to serve traffic. | +| healthChecks.readinessProbe.initialDelaySeconds | int | `30` | initialDelaySeconds tells the kubelet that it should wait X seconds before performing the first probe. | +| healthChecks.readinessProbe.periodSeconds | int | `15` | periodSeconds specifies the interval at which the readiness probe will be repeated. | +| healthChecks.readinessProbe.timeoutSeconds | int | `5` | timeoutSeconds is the number of seconds after which the probe times out. | +| image | object | `{"pullPolicy":"IfNotPresent","registry":"docker.io","repository":"falcosecurity/falco-exporter","tag":"0.8.3"}` | image is the configuration for the exporter image. | +| image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the policy used to determine when a node should attempt to pull the container image. | +| image.registry | string | `"docker.io"` | registry is the image registry to pull from. | +| image.repository | string | `"falcosecurity/falco-exporter"` | repository is the image repository to pull from. | +| image.tag | string | `"0.8.3"` | tag is image tag to pull. | +| imagePullSecrets | list | `[]` | pullSecrets a list of secrets containing credentials used when pulling from private/secure registries. | +| nameOverride | string | `""` | nameOverride is the new name used to override the release name used for exporter's components. | +| nodeSelector | object | `{}` | nodeSelector specifies a set of key-value pairs that must match labels assigned to nodes for the Pod to be eligible for scheduling on that node | +| podSecurityContext | object | `{}` | podSecurityPolicy holds the security policy settings for the pod. | +| podSecurityPolicy | object | `{"annotations":{},"create":false,"name":""}` | podSecurityPolicy holds the security policy settings for the pod. | +| podSecurityPolicy.annotations | object | `{}` | annotations to add to the PSP, Role and RoleBinding | +| podSecurityPolicy.create | bool | `false` | create specifies whether a PSP, Role and RoleBinding should be created | +| podSecurityPolicy.name | string | `""` | name of the PSP, Role and RoleBinding to use. If not set and create is true, a name is generated using the fullname template | +| priorityClassName | string | `""` | priorityClassName specifies the name of the PriorityClass for the pods. | +| prometheusRules.alerts.additionalAlerts | object | `{}` | | +| prometheusRules.alerts.alert.enabled | bool | `true` | | +| prometheusRules.alerts.alert.rate_interval | string | `"5m"` | | +| prometheusRules.alerts.alert.threshold | int | `0` | | +| prometheusRules.alerts.critical.enabled | bool | `true` | | +| prometheusRules.alerts.critical.rate_interval | string | `"5m"` | | +| prometheusRules.alerts.critical.threshold | int | `0` | | +| prometheusRules.alerts.emergency.enabled | bool | `true` | | +| prometheusRules.alerts.emergency.rate_interval | string | `"1m"` | | +| prometheusRules.alerts.emergency.threshold | int | `0` | | +| prometheusRules.alerts.error.enabled | bool | `true` | | +| prometheusRules.alerts.error.rate_interval | string | `"5m"` | | +| prometheusRules.alerts.error.threshold | int | `0` | | +| prometheusRules.alerts.warning.enabled | bool | `true` | | +| prometheusRules.alerts.warning.rate_interval | string | `"5m"` | | +| prometheusRules.alerts.warning.threshold | int | `0` | | +| prometheusRules.enabled | bool | `false` | enabled specifies whether the prometheus rules should be deployed. | +| resources | object | `{}` | resources defines the computing resources (CPU and memory) that are allocated to the containers running within the Pod. | +| scc.create | bool | `true` | | +| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"seccompProfile":{"type":"RuntimeDefault"}}` | securityContext holds the security context for the daemonset. | +| securityContext.capabilities | object | `{"drop":["ALL"]}` | capabilities to be assigned to the daemonset. | +| service | object | `{"annotations":{"prometheus.io/port":"9376","prometheus.io/scrape":"true"},"clusterIP":"None","labels":{},"mTLS":{"enabled":false},"port":9376,"targetPort":9376,"type":"ClusterIP"}` | service exposes the exporter service to be accessed from within the cluster. | +| service.annotations | object | `{"prometheus.io/port":"9376","prometheus.io/scrape":"true"}` | annotations set of annotations to be applied to the service. | +| service.clusterIP | string | `"None"` | clusterIP set to none. It's headless service. | +| service.labels | object | `{}` | labels set of labels to be applied to the service. | +| service.mTLS | object | `{"enabled":false}` | mTLS mutual TLS for HTTP metrics server. | +| service.mTLS.enabled | bool | `false` | enabled specifies whether the mTLS should be enabled. | +| service.port | int | `9376` | port is the port on which the Service will listen. | +| service.targetPort | int | `9376` | targetPort is the port on which the Pod is listening. | +| service.type | string | `"ClusterIP"` | type denotes the service type. Setting it to "ClusterIP" we ensure that are accessible from within the cluster. | +| serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | serviceAccount is the configuration for the service account. | +| serviceAccount.name | string | `""` | name is the name of the service account to use. If not set and create is true, a name is generated using the fullname template. If set and create is false, an already existing serviceAccount must be provided. | +| serviceMonitor | object | `{"additionalLabels":{},"enabled":false,"interval":"","scrapeTimeout":""}` | serviceMonitor holds the configuration for the ServiceMonitor CRD. A ServiceMonitor is a custom resource definition (CRD) used to configure how Prometheus should discover and scrape metrics from the exporter service. | +| serviceMonitor.additionalLabels | object | `{}` | additionalLabels specifies labels to be added on the Service Monitor. | +| serviceMonitor.enabled | bool | `false` | enable the deployment of a Service Monitor for the Prometheus Operator. | +| serviceMonitor.interval | string | `""` | interval specifies the time interval at which Prometheus should scrape metrics from the service. | +| serviceMonitor.scrapeTimeout | string | `""` | scrapeTimeout determines the maximum time Prometheus should wait for a target to respond to a scrape request. If the target does not respond within the specified timeout, Prometheus considers the scrape as failed for that target. | +| tolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"}]` | tolerations are applied to pods and allow them to be scheduled on nodes with matching taints. | diff --git a/charts/falco-exporter/values.yaml b/charts/falco-exporter/values.yaml index 493e9bf5..6b8e612c 100644 --- a/charts/falco-exporter/values.yaml +++ b/charts/falco-exporter/values.yaml @@ -2,92 +2,121 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# -- service exposes the exporter service to be accessed from within the cluster. service: + # -- type denotes the service type. Setting it to "ClusterIP" we ensure that are accessible + # from within the cluster. type: ClusterIP + # -- clusterIP set to none. It's headless service. clusterIP: None + # -- port is the port on which the Service will listen. port: 9376 + # -- targetPort is the port on which the Pod is listening. targetPort: 9376 - nodePort: + # -- labels set of labels to be applied to the service. labels: {} + # -- annotations set of annotations to be applied to the service. annotations: prometheus.io/scrape: "true" prometheus.io/port: "9376" - # Enable Mutual TLS for HTTP metrics server + # -- mTLS mutual TLS for HTTP metrics server. mTLS: + # -- enabled specifies whether the mTLS should be enabled. enabled: false +# -- healthChecks contains the configuration for liveness and readiness probes. healthChecks: + # -- livenessProbe is a diagnostic mechanism used to determine weather a container within a Pod is still running and healthy. livenessProbe: - # liveness probes port + # -- probesPort is liveness probes port. probesPort: 19376 - # -- Tells the kubelet that it should wait X seconds before performing the first probe. + # -- initialDelaySeconds tells the kubelet that it should wait X seconds before performing the first probe. initialDelaySeconds: 60 - # -- Number of seconds after which the probe times out. + # -- timeoutSeconds number of seconds after which the probe times out. timeoutSeconds: 5 - # -- Specifies that the kubelet should perform the check every x seconds. + # -- periodSeconds specifies the interval at which the liveness probe will be repeated. periodSeconds: 15 + # -- readinessProbe is a mechanism used to determine whether a container within a Pod is ready to serve traffic. readinessProbe: - # readiness probes port + # probesPort is readiness probes port probesPort: 19376 - # -- Tells the kubelet that it should wait X seconds before performing the first probe. + # -- initialDelaySeconds tells the kubelet that it should wait X seconds before performing the first probe. initialDelaySeconds: 30 - # -- Number of seconds after which the probe times out. + # -- timeoutSeconds is the number of seconds after which the probe times out. timeoutSeconds: 5 - # -- Specifies that the kubelet should perform the check every x seconds. + # -- periodSeconds specifies the interval at which the readiness probe will be repeated. periodSeconds: 15 +# -- image is the configuration for the exporter image. image: + # -- registry is the image registry to pull from. registry: docker.io + # -- repository is the image repository to pull from. repository: falcosecurity/falco-exporter - tag: 0.8.3 + # -- tag is image tag to pull. + tag: "0.8.3" + # -- pullPolicy is the policy used to determine when a node should attempt to pull the container image. pullPolicy: IfNotPresent +# -- pullSecrets a list of secrets containing credentials used when pulling from private/secure registries. imagePullSecrets: [] +# -- nameOverride is the new name used to override the release name used for exporter's components. nameOverride: "" +# -- fullNameOverride same as nameOverride but for the full name. fullnameOverride: "" -priorityClassName: +# -- priorityClassName specifies the name of the PriorityClass for the pods. +priorityClassName: "" +# -- falco the configuration to connect falco. falco: + # -- grpcUnixSocketPath path to the falco's grpc unix socket. grpcUnixSocketPath: "unix:///run/falco/falco.sock" + # -- grpcTimeout timout value for grpc connection. grpcTimeout: 2m +# -- serviceAccount is the configuration for the service account. serviceAccount: - # Specifies whether a service account should be created + # create specifies whether a service account should be created. create: true - # Annotations to add to the service account + # annotations to add to the service account annotations: {} - # The name of the service account to use. + # -- name is the name of the service account to use. # If not set and create is true, a name is generated using the fullname template. # If set and create is false, an already existing serviceAccount must be provided. - name: + name: "" +# -- podSecurityPolicy holds the security policy settings for the pod. podSecurityPolicy: - # Specifies whether a PSP, Role and RoleBinding should be created + # -- create specifies whether a PSP, Role and RoleBinding should be created create: false - # Annotations to add to the PSP, Role and RoleBinding + # -- annotations to add to the PSP, Role and RoleBinding annotations: {} - # The name of the PSP, Role and RoleBinding to use. + # -- name of the PSP, Role and RoleBinding to use. # If not set and create is true, a name is generated using the fullname template - name: + name: "" +# -- podSecurityPolicy holds the security policy settings for the pod. podSecurityContext: {} # fsGroup: 2000 +# -- daemonset holds the configuration for the daemonset. daemonset: - # Perform rolling updates by default in the DaemonSet agent + # updateStrategy perform rolling updates by default in the DaemonSet agent # ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ updateStrategy: - # You can also customize maxUnavailable or minReadySeconds if you - # need it + # type of the strategy. Can also customize maxUnavailable or minReadySeconds based on your needs. type: RollingUpdate - # Annotations to add to the DaemonSet pods + # -- annotations to add to the DaemonSet pods. annotations: {} + # -- podLabels labels to add to the pods. podLabels: {} +# -- securityContext holds the security context for the daemonset. securityContext: + # -- capabilities to be assigned to the daemonset. capabilities: drop: - ALL @@ -97,6 +126,8 @@ securityContext: seccompProfile: type: RuntimeDefault + +# -- resources defines the computing resources (CPU and memory) that are allocated to the containers running within the Pod. resources: {} # We usually recommend not to specify default resources and to leave this as a conscious @@ -110,38 +141,54 @@ resources: # cpu: 100m # memory: 128Mi +# -- nodeSelector specifies a set of key-value pairs that must match labels assigned to nodes +# for the Pod to be eligible for scheduling on that node nodeSelector: {} -# -- Tolerations to run on Kubernetes control planes. +# -- tolerations are applied to pods and allow them to be scheduled on nodes with matching taints. tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master - effect: NoSchedule key: node-role.kubernetes.io/control-plane +# -- affinity allows pod placement based on node characteristics, or any other custom labels assigned to nodes. affinity: {} + +# -- serviceMonitor holds the configuration for the ServiceMonitor CRD. +# A ServiceMonitor is a custom resource definition (CRD) used to configure how Prometheus should +# discover and scrape metrics from the exporter service. serviceMonitor: - # Enable the deployment of a Service Monitor for the Prometheus Operator. + # -- enable the deployment of a Service Monitor for the Prometheus Operator. enabled: false - # Specify Additional labels to be added on the Service Monitor. + # -- additionalLabels specifies labels to be added on the Service Monitor. additionalLabels: {} - # Specify a user defined interval. When not specified Prometheus default interval is used. + # -- interval specifies the time interval at which Prometheus should scrape metrics from the service. interval: "" - # Specify a user defined scrape timeout. When not specified Prometheus default scrape timeout is used. + # -- scrapeTimeout determines the maximum time Prometheus should wait for a target to respond to a scrape request. + # If the target does not respond within the specified timeout, Prometheus considers the scrape as failed for + # that target. scrapeTimeout: "" +# -- grafanaDashboard contains the configuration related to grafana dashboards. grafanaDashboard: + # -- enabled specifies whether the dashboard should be deployed. enabled: false - folder: + # -- folder where the dashboard is stored by grafana. + folder: "" + # -- namespace specifies the namespace for the configmap. namespace: default + # -- prometheusDatasourceName name of the data source. prometheusDatasourceName: Prometheus + scc: # true here enabled creation of Security Context Constraints in Openshift create: true -# Create PrometheusRules for alerting on priority events +# prometheusRules holds the configuration for alerting on priority events. prometheusRules: + # -- enabled specifies whether the prometheus rules should be deployed. enabled: false alerts: warning: From 9e359ba175dd4a6247f6ab176dbd1d4134ac5053 Mon Sep 17 00:00:00 2001 From: Aldo Lacuku Date: Tue, 13 Feb 2024 12:30:18 +0100 Subject: [PATCH 3/3] update(falco-exporter): bump chart and update changelog Signed-off-by: Aldo Lacuku --- charts/falco-exporter/CHANGELOG.md | 5 +++++ charts/falco-exporter/Chart.yaml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/charts/falco-exporter/CHANGELOG.md b/charts/falco-exporter/CHANGELOG.md index 561b815f..59951a0d 100644 --- a/charts/falco-exporter/CHANGELOG.md +++ b/charts/falco-exporter/CHANGELOG.md @@ -3,6 +3,11 @@ This file documents all notable changes to `falco-exporter` Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v0.9.10 + +* update configuration values in README.md +* introduce helm docs for the chart + ## v0.9.9 * update tolerations diff --git a/charts/falco-exporter/Chart.yaml b/charts/falco-exporter/Chart.yaml index 892dd340..00b1d37d 100644 --- a/charts/falco-exporter/Chart.yaml +++ b/charts/falco-exporter/Chart.yaml @@ -14,7 +14,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 0.9.9 +version: 0.9.10 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application.