falco-addon #1922
falco-addon #1922
Conversation
| refresh_opt_in_config "audit-webhook-config-file" "${SNAP_DATA}/args/auditlogging/webhook-config-falco.yaml" kube-apiserver | ||
| refresh_opt_in_config "audit-webhook-batch-max-wait" "5s" kube-apiserver | ||
| AGENT_SERVICE_CLUSTERIP="$($KUBECTL get svc sysdig-agent -o=jsonpath={.spec.clusterIP} -n sysdig-agent)" envsubst < "${SNAP_DATA}/args/auditlogging/webhook-config.yaml" > "${SNAP_DATA}/args/auditlogging/webhook-config-falco.yaml" | ||
| run_with_sudo preserve_env snapctl restart "${SNAP_NAME}.daemon-apiserver" |
There was a problem hiding this comment.
This may not work on multi nodes. It will only restart the apiserver on the node where the addon is enabled.
Need to use the helper function restart_service apiserver
There was a problem hiding this comment.
yes changed to helper function
| @@ -0,0 +1,69 @@ | |||
| apiVersion: audit.k8s.io/v1 # This is required. | |||
There was a problem hiding this comment.
Can we rename this file to have yaml extension?
There was a problem hiding this comment.
yes, included as yaml
tests/test-addons.py
Outdated
| print("Enabling falco") | ||
| microk8s_enable("falco") | ||
| print("Validating falco") | ||
| validate_keda() |
There was a problem hiding this comment.
There's some mistake on what is validating here. I guess its should be validate_falco
This can be reason why build is failing.
There was a problem hiding this comment.
Sorry, got it, changed the same
|
Hi @balasu This shows how you can run your test in your environment. https://github.com/ubuntu/microk8s/blob/master/docs/build.md#running-the-tests-locally |
tests/templates/ingress.yaml
Outdated
| @@ -18,7 +18,7 @@ spec: | |||
| app: microbot | |||
| spec: | |||
| containers: | |||
| - image: cdkbot/microbot-$ARCH | |||
| - image: cdkbot/microbot-amd64 | |||
There was a problem hiding this comment.
You accidentally committed the amd64
There was a problem hiding this comment.
yes its from the test template,did a correction for it
|
@balasu is this still a WIP? Let me know when you want a review. |
Hi please review:) |
| @@ -0,0 +1,69 @@ | |||
| apiVersion: audit.k8s.io/v1 # This is required. | |||
There was a problem hiding this comment.
Do not place yaml files under actions because they are considered addons. In this case for example you have created a microk8s enable kube-api-audit addon.
What you should do is to create a falco directory under actions and put all your yamls inside there.
| @@ -0,0 +1,344 @@ | |||
| # Default values for Falco. | |||
There was a problem hiding this comment.
Same here, create a directory named falco under actions and place the manifest there.
|
|
||
| containerd: | ||
| enabled: true | ||
| socket: /run/containerd/containerd.sock |
There was a problem hiding this comment.
How is this used? I am asking because the containerd socket in MicroK8s is not in this path.
| refresh_opt_in_config "audit-log-maxbackup" "3" kube-apiserver | ||
| refresh_opt_in_config "audit-log-maxsize" "1024" kube-apiserver | ||
| refresh_opt_in_config "audit-log-maxage" "30" kube-apiserver | ||
| refresh_opt_in_config "audit-log-path" "/var/log/kube-apiserver-audit.log" kube-apiserver |
There was a problem hiding this comment.
Let's not polute the host filesystem. Should we keep the MicroK8s logs under SNAP_COMON.
|
|
||
| NAMESPACE_PTR="sysdig-agent" | ||
|
|
||
| MANIFEST_PTR="https://raw.githubusercontent.com/draios/sysdig-cloud-scripts/master/agent_deploy/kubernetes/sysdig-agent-service.yaml" |
There was a problem hiding this comment.
I think getting the manifest from the master will be a problem.
- Are you certain the master will always work? It is not a release so there might be a commit that temporarily breaks the master causing microk8s.enable falco to fail.
- It makes it really hard for us to have reproducible deployments. Let's say someone opens a issue saying 'falco did not work for me', how would you know what did the user deploy?
- You pair a manifest with the default values that lives in the snap with the manifests in the master branch. How can you be sure that the default values manifest will stay exactly the same as falco evolves?
- Are you sure that the falco master branch will deploy correctly on kubernetes v1.21 after 2 year? I am not.
Please select a specific release to deploy from https://github.com/falcosecurity/falco/releases
| pullPolicy: IfNotPresent | ||
| pullSecrets: [] | ||
|
|
||
| docker: |
There was a problem hiding this comment.
Not sure how this variable is used, but in MicroK8s there is no docker.
| version: "0.26.2" | ||
| check_status: "pod/falco" | ||
| supported_architectures: | ||
| - arm64 |
There was a problem hiding this comment.
Is deployments on ARM64 tested enough? Looking at [1, 2,3] it is not clear to me what the state of ARM64 builds/configurations is.
Maybe we should have this addon for amd64 for now?
[1] falcosecurity/falco#520
[2] falcosecurity/falco#1442
[3] xunholy/k8s-gitops#152
Thank you for making MicroK8s better
Please reference the issue this PR is fixing, or provide a description of the problem addressed.
Also verify you have: