falco ConfigMap diff in live vs desired state - using ArgoCD

[flickers]

Describe the bug
We are using the latest (4.5.1) falco helm chart to deploy falco to our clusters using ArgoCD
After a while (minute or so) we see a diff in the live falco configMap vs. desired configMap (rendered from the falco helm chart)
Mostly this is due to incorrect indentation but also due to different yaml scalars

How to reproduce it
Deploy falco using helm and then compare the falco configMap against the rendered falco configMap. Or deploy using ArgoCD

Expected behaviour
We expect the live and desired state to match after we deploy falco using helm and ArgoCD

Screenshots

Environment

• Falco version:

falco --version
Tue Jun 25 14:00:56 2024: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form).
Tue Jun 25 14:00:56 2024: Falco version: 0.38.1 (x86_64)
Tue Jun 25 14:00:56 2024: Falco initialized with configuration files:
Tue Jun 25 14:00:56 2024:    /etc/falco/falco.yaml
Tue Jun 25 14:00:56 2024: System info: Linux version 5.10.218-208.862.amzn2.x86_64 (mockbuild@ip-10-0-42-214) (gcc10-gcc (GCC) 10.5.0 20230707 (Red Hat 10.5.0-1), GNU ld version 2.35.2-9.amzn2.0.1) #1 SMP Tue Jun 4 16:52:10 UTC 2024
{"default_driver_version":"7.2.0+driver","driver_api_version":"8.0.0","driver_schema_version":"2.0.0","engine_version":"40","engine_version_semver":"0.40.0","falco_version":"0.38.1","libs_version":"0.17.2","plugin_api_version":"3.6.0"}

• System info:

falco --support | jq .system_info
Tue Jun 25 13:58:31 2024: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form).
Tue Jun 25 13:58:31 2024: Falco version: 0.38.1 (x86_64)
Tue Jun 25 13:58:31 2024: Falco initialized with configuration files:
Tue Jun 25 13:58:31 2024:    /etc/falco/falco.yaml
Tue Jun 25 13:58:31 2024: System info: Linux version 5.10.218-208.862.amzn2.x86_64 (mockbuild@ip-10-0-42-214) (gcc10-gcc (GCC) 10.5.0 20230707 (Red Hat 10.5.0-1), GNU ld version 2.35.2-9.amzn2.0.1) #1 SMP Tue Jun 4 16:52:10 UTC 2024
Tue Jun 25 13:58:31 2024: Loading rules from file /etc/falco/falco_rules.yaml
Tue Jun 25 13:58:31 2024: Loading rules from file /etc/falco/rules.d/datadog-agent-exclude.yaml
Tue Jun 25 13:58:32 2024: Loading rules from file /etc/falco/rules.d/k8s-api-namespace-exclude.yaml
Tue Jun 25 13:58:32 2024: Loading rules from file /etc/falco/rules.d/kong-spawn-processes-exclude.yaml
{
  "machine": "x86_64",
  "nodename": "falco-2b9cd",
  "release": "5.10.218-208.862.amzn2.x86_64",
  "sysname": "Linux",
  "version": "#1 SMP Tue Jun 4 16:52:10 UTC 2024"
}

• Cloud provider or hardware configuration:
• OS: EKS - linux

• Kernel: 5.10.218-208.862.amzn2.x86_64

• Installation method:
  Kubernetes using Helm and ArgoCD

Additional context

[alacuku]

Hi @flickers, when the driver.kind is set to auto, falcoctl will automatically select the optimal driver for Falco. This selection will be updated in the Falco configmap. If you do not want this behavior then set the driver.kind to the desired driver:

charts/charts/falco/values.yaml

Line 184 in 7527d0f

kind: auto

[leogr]

/assign @alacuku