This file documents all notable changes to Falco Helm Chart. The release numbering uses semantic versioning.
- fix docs
- bump falcosidekick dependency version to v0.7.15 install latest version through falco chart
- fix(falco/helpers): adjust formatting to be compatible with older helm versions
- fix(falco/README): dead link
- fix(falco/README): typos, formatting and broken links
- Bump falco to v0.37.1 and falcoctl to v0.7.2
- Fix links in output after falco install without sidekick
- Update README.md.
- Reintroduce the service account.
The new chart introduces some breaking changes. For folks upgrading Falco please see the BREAKING-CHANGES.md file.
- Uniform driver names and configuration to the Falco one: falcosecurity/falco#2413;
- Fix usernames and groupnames resolution by mounting the /etc filesystem;
- Drop old kubernetes collector related resources;
- Introduce the new k8s-metacollector and k8smeta plugin (experimental);
- Enable the dependency resolver for artifacts in falcoctl since the Falco image no longer ships the plugins;
- Bump Falco to 0.37.0;
- Bump falcoctl to 0.7.0.
- Upgrade falcosidekick chart to v0.7.11.
- no changes to the chart itself. Updated README.md and makefile.
- Add mTLS cryptographic material load via Helm for Falco
- Upgrade Falco to 0.36.2: https://github.com/falcosecurity/falco/releases/tag/0.36.2
- Upgrade falcosidekick chart to v0.7.7.
- Upgrade falcosidekick chart to v0.7.6.
- noop change just to test the ci
- Upgrade Falco to 0.36.1: https://github.com/falcosecurity/falco/releases/tag/0.36.1
- Sync values.yaml with 0.36.1 falco.yaml config file.
- Update readme
- Upgrade Falco to 0.36. https://github.com/falcosecurity/falco/releases/tag/0.36.0
- Sync values.yaml with upstream falco.yaml config file.
- Upgrade falcoctl to 0.6.2. For more info see the release notes: https://github.com/falcosecurity/falcoctl/releases/tag/v0.6.2
- Cleanup wrong files
- Upgrade falcosidekick chart to v0.7.1.
- Add outputs field to falco configuration
- Support configuration of revisionHistoryLimit of the deployment
- Upgrade falcosidekick chart to v0.6.3.
- Introduce an ability to use an additional volumeMounts for falcoctl-artifact-install and falcoctl-artifact-follow containers.
- No changes made to the falco chart, only some fixes in the makefile
- Upgrade Falco to 0.35.1. For more info see the release notes: https://github.com/falcosecurity/falco/releases/tag/0.35.1
- Upgrade falcoctl to 0.5.1. For more info see the release notes: https://github.com/falcosecurity/falcoctl/releases/tag/v0.5.1
- Introduce least privileged mode in modern ebpf. For more info see: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-2
- Set falco.http_output.url to empty string in values.yaml file
- Upgrade Falco to 0.35.0. For more info see the release notes: https://github.com/falcosecurity/falco/releases/tag/0.35.0
- Sync values.yaml with upstream falco.yaml config file.
- Upgrade falcoctl to 0.5.0. For more info see the release notes: https://github.com/falcosecurity/falcoctl/releases/tag/v0.5.0
- The tag used to install and follow the falco rules is 1
- The tag used to install and follow the k8saudit rules is 0.6
- Use list as default for env parameter of init and follow containers
- Fix typo in values-k8audit file
- Updates the grpc-service to use the correct label selector
- Bump falcosidekick dependency to 0.6.1
- Update k8saudit section in README.md file.
- Upgrade Falco to 0.34.1
- Drop support for falcosecurity/falco image, only the init container approach is supported out of the box;
- Simplify the driver-loader init container logic;
- Support falcoctl tool in the chart:
  - Install the rulesfile artifacts;
  - Follow the rulesfile artifacts in order to have the latest rules once they are released from falcosecurity org;
- Support the modern-bpf probe, a new driver (experimental)
- Add a new file BREAKING_CHANGES.md to document the breaking changes and how to update the new chart.
- Bump falcosidekick dependency to 0.5.16
- Fix incorrect entry in v2.5.2 changelog
- Bump falcosidekick dependency to 0.5.14
- Fixed notes template to only include daemon set info if set to daemon set
- Update README to clarify driver behavior for chart
- Support custom dictionaries when setting environment variables
Note: this is a breaking change. If you were passing objects to extra.env or driver.loader.initContainer.env, you will need to update your values file to pass lists.
- Add controller.annotations configuration
- Bump falcosidekick dependency to 0.5.11
- Bump falcosidekick dependency to 0.5.10
- Update README for gRPC
- Update README for gVisor and GKE
- Add toleration for node-role.kubernetes.io/control-plane
- Fixed error in values.yaml comments
- Add support for Falco+gVisor
- Add new preset values.yaml file for gVisor-enabled GKE clusters
- Fixed incorrect spelling of been
- Add variable namespaceOverride to allow setting release namespace in values
- Change the grpc socket path from unix:///var/run/falco/falco.soc to unix:///run/falco/falco.sock. Please note that this change is potentially a breaking change if upgrading falco from a previous version and you have external consumers of the grpc socket.
- Bump Falco to 0.33.0
- Implicitly disable syscall source when not required
- Update values.yaml to reflect the new configuration options in Falco 0.33.0
- Mount /sys/module/falco when deployed using the kernel module
- Update rulesets for falco and plugins
- Bump falcosidekick dependency to 0.5.9
- Fix: remove namespace from clusterrole and clusterrolebinding metadata
- Allow setting resources and securityContext on the falco-driver-loader init container
- Allow passing args to the falco-driver-loader init container
- Fix debugfs mount when falco-no-driver image and ebpf driver is used
- Upgrade Falco to 0.32.2
- Fully disable the driver when running in CI
- Correct CI values.
- Fix name of the falco certs secret.
- Fix the certs-secret.yaml template by correctly pointing to the root context when using the helpers.
- When using ebpf probe Falco is deployed in privileged mode instead of least privileged.
- Fix templating for priorityClassName in pod-template.tpl
- Add ability to enable tty for the falco container. Needed to force falco logs to be immediately displayed as they are emitted. Useful in test/debug scenarios.
- Mount /proc only when syscall data source is enabled (default). This behaviour can be overridden via mounts.enforceProcMount for edge cases where the /proc hostPath mount is required without having the syscall data source enabled at the same time.
- Fix templating for init containers in pod-template.tpl
- Add ability to specify extra environment variables to driver loader initContainer
- update(falco/OWNERS): move inactive approvers to emeritus_approvers
- Add description for configuration variable in values.yaml
- Add linting target in Makefile
- Remove configuration values table from README.md
- Fix section titles in README.md
Note: This release is a complete refactor of the Falco Helm Chart. Thus, it introduces some breaking changes. Please do not reuse values from previous chart installations.
- Upgrade Falco to 0.32.1
- Massive refactoring of the chart implementation
- Add ability to use either a daemonset or a deployment (depending on the installation scenario)
- Add ability to specify custom network services
- New settings for the drivers configuration
- New Makefile to generate helm documentation
- Add values-k8saudit.yaml preset for the k8saudit plugin
- Fix use load_plugins instead of loadPlugins in Falco configuration
- Update containerSecurityContext (former securityContext) now takes precedence over auto configs
- Move leastPriviledged mode under eBPF and add missing SYS_PTRACE cap
- Update group values for metadata collection under "collectors"
- Remove several settings in favour of extra.env
- Use chart appVersion as default image tag
- Move setting from image.pullSecrets to imagePullSecrets
- Add an option to set desired replicas
- Improve selector labels
- Modernize labels and improve internal helpers
- Deprecate PSP (template removed)
- Fake event generator removed from this chart
- Bump Falco Sidekick dependency.
- Add watchConfigFiles value to falco README
- Bump Falco Sidekick dependency.
- Add support for DaemonSet podSecurityContext and securityContext.
- Fix the changelog for 1.19.0
- Upgrade to Falco 0.32.0 (see the Falco changelog)
- Various Falco config settings were updated for Falco 0.32.0
- Audit Log is now supported via k8saudit plugin (when enabled, syscall instrumentation will be disabled)
- dynamicBackend support for Audit Log is now deprecated
- Bump falcosidekick chart dependency (fix issue with the UI)
- Bump falcosidekick chart dependency
- Now the url to falcosidekick on NOTES.txt on falco helm chart points to the right place.
- Fix for issue 318 - Missing comma in k8s_audit_rules.yaml.
- Further fix for --reuse-values option after the introduction of crio.enabled.
- Workaround to make this chart work with Helm --reuse-values option after the introduction of crio.enabled.
- Added support for cri-o
- Remove whitespace around falco.httpOutput.url to fix the error "libcurl error: URL using bad/illegal format or missing URL".
- Changed falco.httpOutput.url so that it always overrides the default URL, even when falcosidekick is enabled. (NOTE: don't use this version, see v1.17.6)
- Upgrade to Falco 0.31.1 (see the Falco changelog)
- Update rulesets from Falco 0.31.1
- Fix quoting around --k8s-node
- Add leastPrivileged.enabled configuration
- Fixed priority level info change to informational
- Upgrade to Falco 0.31.0 (see the Falco changelog)
- Update rulesets from Falco 0.31.0
- Update several configuration options under the falco node to reflect the new Falco version
- Initial plugins support
- Bump falcosidekick chart dependency
- Add serviceAccount.annotations configuration
- Fixed string escaping for --k8s-node
- Upgrade to Falco 0.30.0 (see the Falco changelog)
- Update rulesets from Falco 0.30.0
- Add kubernetesSupport.enableNodeFilter configuration to enable node filtering when requesting pods metadata from Kubernetes
- Add falco.metadataDownload configuration for fine-tuning container orchestrator metadata fetching params
- Add falco.jsonIncludeTagsProperty configuration to include tags in the JSON output
- Removed maxSurge reference from comment in Falco's values.yaml file.
- Update Falcosidekick chart to 0.3.13
- Update Falcosidekick chart to 0.3.12
- Upgrade to Falco 0.29.1 (see the Falco changelog)
- Update rulesets from Falco 0.29.1
- Add ability to use an existing secret of key, cert, ca as well as pem bundle instead of creating it from files
- Fixed liveness and readiness probes schema when ssl is enabled
- Update Falcosidekick chart to 0.3.8
- Update image tag to 0.29.0 in values.yaml
- Upgrade to Falco 0.29.0 (see the Falco changelog)
- Update rulesets from Falco 0.29.0
- Fixed incorrect spelling of fullfqdn
- Fix port for readinessProbe and livenessProbe
- Add liveness and readiness probes to Falco
- Add kubernetesSupport configuration to make Kubernetes Falco support optional in the daemonset (enabled by default)
- Upgrade to Falco 0.28.1 (see the Falco changelog)
- Bump up version of chart for Falcosidekick dependency to v3.5.0
- Add falcosidekick.fullfqdn option to connect falco to falcosidekick with full FQDN
- Bump up version of chart for Falcosidekick dependency
- Upgrade to Falco 0.28.0 (see the Falco changelog)
- Update rulesets from Falco 0.28.0
- Bump up version of chart for Falcosidekick dependency
- Bump up version of chart for Falcosidekick dependency
- Update rule Write below monitored dir description
- Add a documentation section about the driver
- Increase CPU limit default value
- Add a documentation section about using init containers
- Correct icon URL
- Update downstream sidekick chart
- Add ebpf.probe.path configuration option
- Bump up version of chart for Falcosidekick dependency
- Fix falco configmap when Falcosidekick is enabled, wrong service name was used
- Correct image tag for Falco 0.27.0
- Upgrade to Falco 0.27.0 (see the Falco changelog)
- Add falco.output_timeout configuration setting
- Add falcosidekick as an optional dependency
- Remove deprecated integrations (see #123)
- Add value extraVolumes, allow adding extra volumes to falco daemonset
- Add value extraVolumeMounts, allow adding extra volumeMounts to falco container in falco daemonset
- Add falco.webserver.sslEnabled config, enabling SSL support
- Add falco.webserver.nodePort configuration as an alternative way for exposing the AuditLog webhook (disabled by default)
- Support release namespace configuration
- Upgrade to Falco 0.26.2, DRIVERS_REPO now defaults to https://download.falco.org/?prefix=driver/ (see the Falco changelog)
- Deprecation notice for gcscc, natsOutput, snsOutput, pubsubOutput integrations
- Clean up old references from documentation
- Add Pod Security Policy Support for the fake event generator
- Replace extensions apiGroup/apiVersion because of deprecation
- Upgrade to Falco 0.26.1
- Update ruleset from Falco 0.26.1
- Automatically set the appropriate apiVersion for rbac
- Allow adding InitContainers to Falco pod with extraInitContainers configuration
- Upgrade to Falco 0.25.0
- Update ruleset from Falco 0.25.0
- Fix duplicate mount point problem when both gRPC and NATS integrations are enabled
- Allow configuration using values for imagePullSecrets setting
- Add docker.io/falcosecurity/falco image to falco_privileged_images macro
- Add SecurityContextConstraint to allow deploying in Openshift
- Upgrade to Falco 0.24.0
- Update ruleset from Falco 0.24.0
- gRPC Unix Socket support
- Set default threadiness to 0 ("auto" behavior) for the gRPC server
- Switch to falcosecurity/event-generator
- Allow configuration using values for fakeEventGenerator.args setting
- Update ruleset
- New releasing mechanism
- Add missing privileges for the apps Kubernetes API group
- Allow client config url for Audit Sink with auditLog.dynamicBackend.url
- Upgrade to Falco 0.23.0
- Correct socket path for --cri flag
- Always mount /etc (required by falco-driver-loader)
- Add pod annotation support for daemonset
- Upgrade to Falco 0.21.0
- Upgrade rules to Falco 0.21.0
- Add headless service for gRPC server
- Allow gRPC certificates configuration by using --set-file
- Make /lib/modules writable from the container
- Allow configuration using values for grpc setting
- Allow configuration using values for grpc_output setting
- Upgrade to Falco 0.20.0
- Upgrade rules to Falco 0.20.0
- Upgrade to Falco 0.19.0
- Upgrade rules to Falco 0.19.0
- Remove Sysdig references, Falco is a project by its own name
- Revamp auditLog feature
- Upgrade to latest version (0.18.0)
- Replace CRI references with containerD
- Support multiple lines for falco.programOutput.program
- Add affinity
- Migrate API versions from deprecated, removed versions to support Kubernetes v1.16
- Restrict the access to /dev on underlying host to read only
- Upgrade to Falco 0.17.1
- Upgrade rules to Falco 0.17.1
- Allow configuration using values for nodeSelector setting
- Falco does a rollingUpgrade when the falco or falco-rules configMap changes with a helm upgrade
- Add 3 resources (daemonsets, deployments, replicasets) to the ClusterRole resource list. Ref: PR#514 from Falco repository
- Upgrade to Falco 0.17.0
- Upgrade rules to Falco 0.17.0
- Support priorityClassName
- Upgrade to Falco 0.16.0
- Upgrade rules to Falco 0.16.0
- Extra environment variables passed to daemonset pods
- Add support for K8s audit logging
- Allow configuration using values for time_format_iso8601 setting
- Allow configuration using values for syscall_event_drops setting
- Allow configuration using values for http_output setting
- Add CHANGELOG entry for v0.8.0, not present on its PR
- Add nestorsalceda as an approver
- Allow configuration of Pod Security Policy. This is needed to get Falco running when the Admission Controller is enabled.
- Fix bug with Google Cloud Security Command Center and Falco integration
- Upgrade to Falco 0.15.3
- Upgrade rules to Falco 0.15.3
- Add TZ parameter for time correlation in Falco logs
- Upgrade to Falco 0.15.1
- Upgrade rules to Falco 0.15.1
- Allow to enable/disable usage of the docker socket
- Configurable docker socket path
- CRI support, configurable CRI socket
- Allow to enable/disable usage of the CRI socket
- Upgrade to Falco 0.15.0
- Upgrade rules to Falco 0.15.0
- Use the KUBERNETES_SERVICE_HOST environment variable to connect to Kubernetes API instead of using a fixed name
- Remove the toJson pipeline when storing Google Credentials. It makes strange stuff with double quotes and does not allow to use base64 encoded credentials
- Fix typos in README.md
- Add Google Pub/Sub Output integration
- Disable eBPF by default on Falco. We activated eBPF by default to make the CI pass, but now we found a better method to make the CI pass without bothering our users.
- Upgrade to Falco 0.14.0
- Upgrade rules to Falco 0.14.0
- Enable eBPF by default on Falco
- Allow to download Falco images from different registries than docker.io
- Use rollingUpdate strategy by default
- Provide sane defaults for falco resource management
- Allow extra container args
- Update correct slack example
- Using Falco version 0.13.0 instead of latest.
- Update falco_rules.yaml file to use the same rules that Falco 0.13.0
- Falco was accepted as a CNCF project. Fix references and download image from falcosecurity organization.
- Allow falco to resolve cluster hostnames when running with ebpf.hostNetwork: true
- Add Amazon SNS Output integration
- Allow Falco to be run with a HTTP proxy server
- Mount in memory volume for shm. It was used in volumes but was not mounted.
- Add eBPF support for Falco. Falco can now read events via an eBPF program loaded into the kernel instead of the falco-probe kernel module.
- Update falco_rules.yaml file to use the same rules that Falco 0.11.1
- Add NATS Output integration
- Fix value mismatch between code and documentation
- Fix several typos
- Initial release of Sysdig Falco Helm Chart