From c96a27e96ef3e316b5029a3eb9974bff8538186d Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 24 Oct 2024 14:37:29 -0600 Subject: [PATCH 1/4] RFC falco: when leastPrivileged is true, set the apparmor profile to unconfined It appears that when setting leastPrivileged: true, apparmor does not not allow falco to ptrace, which appears to leave the container fields null. If leastPrivileged: true, set the apparmor profile to unconfined. Oct 24 09:52:57 hostname kernel: audit: type=1400 audit(1729785177.339:404624): apparmor="DENIED" operation="ptrace" profile="cri-containerd.apparmor.d" pid=2389102 comm="falco" requested_mask="read" denied_mask="read" peer="unconfined" Signed-off-by: doublez13 --- charts/falco/templates/pod-template.tpl | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/charts/falco/templates/pod-template.tpl b/charts/falco/templates/pod-template.tpl index 8ed3844fc..84caa2ad8 100644 --- a/charts/falco/templates/pod-template.tpl +++ b/charts/falco/templates/pod-template.tpl @@ -12,6 +12,17 @@ metadata: {{- if and .Values.certs (not .Values.certs.existingSecret) }} checksum/certs: {{ include (print $.Template.BasePath "/certs-secret.yaml") . | sha256sum }} {{- end }} + {{- if .Values.driver.enabled }} + {{- if (or (eq .Values.driver.kind "modern_ebpf") (eq .Values.driver.kind "modern-bpf")) }} + {{- if .Values.driver.modernEbpf.leastPrivileged }} + container.apparmor.security.beta.kubernetes.io/{{ .Chart.Name }}: unconfined + {{- end }} + {{- else if eq .Values.driver.kind "ebpf" }} + {{- if .Values.driver.ebpf.leastPrivileged }} + container.apparmor.security.beta.kubernetes.io/{{ .Chart.Name }}: unconfined + {{- end }} + {{- end }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 4 }} {{- end }} From cca8b65dc51f249c0b5f915344f99beb7699dc0b Mon Sep 17 00:00:00 2001 From: doublez13 Date: Mon, 28 Oct 2024 08:55:05 -0600 Subject: [PATCH 2/4] Falco: Bump chart to 4.12.0 
Signed-off-by: doublez13 --- charts/falco/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/falco/Chart.yaml b/charts/falco/Chart.yaml index 49e6e17cd..20bd1b1e8 100644 --- a/charts/falco/Chart.yaml +++ b/charts/falco/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: falco -version: 4.11.2 +version: 4.12.0 appVersion: "0.39.1" description: Falco keywords: From 8d809fb88f21bc42b3459611153d71a1d55866a5 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Mon, 28 Oct 2024 09:53:48 -0600 Subject: [PATCH 3/4] Update the changelog to document unconfined apparmor Signed-off-by: doublez13 --- charts/falco/CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md index 2b356e3fd..9dbf0fc46 100644 --- a/charts/falco/CHANGELOG.md +++ b/charts/falco/CHANGELOG.md @@ -3,6 +3,10 @@ This file documents all notable changes to Falco Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v4.12.0 + +* Set apparmor to `unconfined` (disabled) when `leastPrivileged: true` and (`kind: modern_ebpf` or `kind: ebpf`) + ## v4.11.2 * only prints env key if there are env values to be passed on `falcoctl.initContainer` and `falcoctl.sidecar` From 5d7c35bb31a5b5a2379a1767dbe8245ff054ff7a Mon Sep 17 00:00:00 2001 From: Leonardo Grasso Date: Wed, 30 Oct 2024 11:29:33 +0100 Subject: [PATCH 4/4] docs(charts/falco): update README.md Signed-off-by: Leonardo Grasso --- charts/falco/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/falco/README.md b/charts/falco/README.md index 3dbf00d62..07ca809c2 100644 --- a/charts/falco/README.md +++ b/charts/falco/README.md 
@@ -581,7 +581,7 @@ If you use a Proxy in your cluster, the requests between `Falco` and `Falcosidek ## Configuration -The following table lists the main configurable parameters of the falco chart v4.11.2 and their default values. See [values.yaml](./values.yaml) for full list. +The following table lists the main configurable parameters of the falco chart v4.12.0 and their default values. See [values.yaml](./values.yaml) for full list. ## Values
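Review bot: In the `pod-template.tpl` hunk, dropping the whole container to `unconfined` is broader than what the audit line in the commit message shows is missing (`operation="ptrace"`, `requested_mask="read"`); a dedicated AppArmor profile that adds `ptrace (read)` on top of the default container profile would keep the rest of the confinement, so consider exposing the profile name through a value (for example a hypothetical `driver.apparmorProfile`, defaulting to `unconfined`) instead of hard-coding `unconfined` in both branches. Two smaller points on the same hunk: the `container.apparmor.security.beta.kubernetes.io/<container>` annotation is the legacy beta form, and clusters on Kubernetes 1.30 or newer prefer the `securityContext.appArmorProfile` field, so at least document which API versions the annotation is expected to work on; and because the new block is rendered before `.Values.podAnnotations`, a user who already sets the same annotation key there ends up with a duplicate map key in the rendered manifest, so either guard against that or document the precedence. Finally, the annotation key assumes the Falco container is named `{{ .Chart.Name }}`; if the container name in the pod template is derived differently the annotation silently applies to nothing, which is worth a comment or a template check.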
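Review bot: The `CHANGELOG.md` entry understates the effect of the change and omits one of the conditions; it should say that the falco container's AppArmor profile is relaxed to `unconfined` only when `driver.enabled: true`, the driver kind is `modern_ebpf` (or `modern-bpf`) or `ebpf`, and the matching `leastPrivileged: true` is set, and it should give the reason (the default container profile denies the `ptrace` read Falco needs to populate container fields). Suggested wording: `* Set the falco container's AppArmor profile to \`unconfined\` when \`driver.enabled: true\`, \`driver.kind\` is \`modern_ebpf\`/\`modern-bpf\` or \`ebpf\`, and the corresponding \`leastPrivileged: true\`, because the default profile blocks the ptrace read used for container metadata`. "(disabled)" in parentheses reads as if AppArmor itself is switched off cluster-wide, which is not what the template does.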
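Review bot: The `README.md` hunk only updates the chart version string in the configuration section, so nothing in the README tells an operator that enabling `leastPrivileged` now also removes AppArmor confinement from the falco container; since that is a security trade-off rather than a cosmetic change, add a sentence near the `leastPrivileged` documentation (or in the values description that `helm-docs` renders into the table) explaining why the annotation is set and what it gives up, so the choice is visible before upgrade rather than only in the changelog.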