Change Log

This file documents all notable changes to Falco Helm Chart. The release numbering uses semantic versioning.

v4.2.5

fix docs

v4.2.4

bump falcosidekick dependency version to v0.7.15 install latest version through falco chart

v4.2.3

fix(falco/helpers): adjust formatting to be compatible with older helm versions

v4.2.2

fix(falco/README): dead link

v4.2.1

fix(falco/README): typos, formatting and broken links

v4.2.0

Bump falco to v0.37.1 and falcoctl to v0.7.2

v4.1.2

Fix links in output after falco install without sidekick

v4.1.1

Update README.md.

v4.1.0

Reintroduce the service account.

v4.0.0

The new chart introduces some breaking changes. For folks upgrading Falco please see the BREAKING-CHANGES.md file.

Uniform driver names and configuration to the Falco one: falcosecurity/falco#2413;
Fix usernames and groupnames resolution by mounting the /etc filesystem;
Drop old kubernetes collector related resources;
Introduce the new k8s-metacollector and k8smeta plugin (experimental);
Enable the dependency resolver for artifacts in falcoctl since the Falco image does not ship anymore the plugins;
Bump Falco to 0.37.0;
Bump falcoctl to 0.7.0.

v3.8.7

Upgrade falcosidekick chart to v0.7.11.

v3.8.6

no changes to the chart itself. Updated README.md and makefile.

v3.8.5

Add mTLS cryptographic material load via Helm for Falco

v3.8.4

Upgrade Falco to 0.36.2: https://github.com/falcosecurity/falco/releases/tag/0.36.2

v3.8.3

Upgrade falcosidekick chart to v0.7.7.

v3.8.2

Upgrade falcosidekick chart to v0.7.6.

v3.8.1

noop change just to test the ci

v3.8.0

Upgrade Falco to 0.36.1: https://github.com/falcosecurity/falco/releases/tag/0.36.1
Sync values.yaml with 0.36.1 falco.yaml config file.

v3.7.1

Update readme

v3.7.0

Upgrade Falco to 0.36. https://github.com/falcosecurity/falco/releases/tag/0.36.0
Sync values.yaml with upstream falco.yaml config file.
Upgrade falcoctl to 0.6.2. For more info see the release notes: https://github.com/falcosecurity/falcoctl/releases/tag/v0.6.2

v3.6.2

Cleanup wrong files

v3.6.1

Upgrade falcosidekick chart to v0.7.1.

v3.6.0

Add outputs field to falco configuration

v3.5.0

Major Changes

Support configuration of revisionHistoryLimit of the deployment

v3.4.1

Upgrade falcosidekick chart to v0.6.3.

v3.4.0

Introduce an ability to use an additional volumeMounts for falcoctl-artifact-install and falcoctl-artifact-follow containers.

v3.3.1

No changes made to the falco chart, only some fixes in the makefile

v3.3.0

Upgrade Falco to 0.35.1. For more info see the release notes: https://github.com/falcosecurity/falco/releases/tag/0.35.1
Upgrade falcoctl to 0.5.1. For more info see the release notes: https://github.com/falcosecurity/falcoctl/releases/tag/v0.5.1
Introduce least privileged mode in modern ebpf. For more info see: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-2

v3.2.1

Set falco.http_output.url to empty string in values.yaml file

v3.2.0

Upgrade Falco to 0.35.0. For more info see the release notes: https://github.com/falcosecurity/falco/releases/tag/0.35.0
Sync values.yaml with upstream falco.yaml config file.
Upgrade falcoctl to 0.5.0. For more info see the release notes: https://github.com/falcosecurity/falcoctl/releases/tag/v0.5.0
The tag used to install and follow the falco rules is 1
The tag used to install and follow the k8saudit rules is 0.6

v3.1.5

Use list as default for env parameter of init and follow containers

v3.1.4

Fix typo in values-k8audit file

v3.1.3

Updates the grpc-service to use the correct label selector

v3.1.2

Bump falcosidekick dependency to 0.6.1

v3.1.1

Update k8saudit section in README.md file.

v3.1.0

Upgrade Falco to 0.34.1

v3.0.0

Drop support for falcosecuriy/falco image, only the init container approach is supported out of the box;
Simplify the driver-loader init container logic;
Support falcoctl tool in the chart:
- Install the rulesfile artifacts;
- Follow the rulesfile artifacts in order to have the latest rules once they are released from falcosecurity org;
Support the modern-bpf probe a new driver (experimental)
Add a new file BREAKING_CHANGES.md to document the breaking changes and how to update the new chart.

v2.5.5

Bump falcosidekick dependency to 0.5.16

v2.5.4

Fix incorrect entry in v2.5.2 changelog

v2.5.3

Bump falcosidekick dependency to 0.5.14

v2.5.2

Fixed notes template to only include daemon set info if set to daemon set

v2.5.1

Update README to clarify driver behavior for chart

v2.5.0

Support custom dictionaries when setting environment variables

Note: this is a breaking change. If you were passing objects to extra.env or driver.loader.initContainer.env , you will need to update your values file to pass lists.

v2.4.7

Add controller.annotations configuration

v2.4.6

Bump falcosidekick dependency to 0.5.11

v2.4.5

Bump falcosidekick dependency to 0.5.10

v2.4.4

Update README for gRPC

v2.4.3

Update README for gVisor and GKE

v2.4.2

Add toleration for node-role.kubernetes.io/control-plane

v2.4.1

Fixed error in values.yaml comments

v2.4.0

Add support for Falco+gVisor
Add new preset values.yaml file for gVisor-enabled GKE clusters

v2.3.1

Fixed incorrect spelling of been

v2.3.0

Add variable namespaceOverride to allow setting release namespace in values

v2.2.0

Change the grpc socket path from unix:///var/run/falco/falco.soc to unix:///run/falco/falco.sock. Please note that this change is potentially a breaking change if upgrading falco from a previous version and you have external consumers of the grpc socket.

v2.1.0

Bump Falco to 0.33.0
Implicitly disable syscall source when not required
Update values.yaml to reflect the new configuration options in Falco 0.33.0
Mount /sys/module/falco when deployed using the kernel module
Update rulesets for falco and plugins

v2.0.18

Bump falcosidekick dependency to 0.5.9

v2.0.17

Fix: remove namespace from clusterrole and clusterrolebinding metadata

v2.0.16

Allow setting resources and securityContext on the falco-driver-loader init container

v2.0.15

Allow passing args to the falco-driver-loader init container

v2.0.14

Fix debugfs mount when falco-no-driver image and ebpf driver is used

v2.0.13

Upgrade Falco to 0.32.2

v2.0.12

Fully disable the driver when running in CI

v2.0.11

Correct CI values.

v2.0.10

Fix name of the falco certs secret.

v2.0.9

Fix the certs-secret.yaml template by correctly pointing to the root context when using the helpers.

v2.0.8

When using ebpf probe Falco is deployed in privileged mode instead of least privileged.

v2.0.7

Fix templating for priorityClassName in pod-template.tpl

v2.0.6

Add ability to enable tty for the falco container. Needed to force falco logs to be immediately displayed as they are emitted. Useful in test/debug scenarios.

v2.0.5

Mount /proc only when syscall data source is enabled (default). This behaviour can be overridden via mounts.enforceProcMount for edge cases where the /proc hostPath mount is required without having the syscall data source enabled at the same time.

v2.0.4

Fix templating for init containers in pod-template.tpl

v2.0.3

Add ability to specify extra environment variables to driver loader initContainer

v2.0.2

update(falco/OWNERS): move inactive approvers to emeritus_approvers

v2.0.1

Add description for configuration variable in values.yaml
Add linting target in Makefile
Remove configuration values table from README.md
Fix section titles in README.md

v2.0.0

Note This release is a complete refactor of the Falco Helm Chart. Thus, it introduces some breaking changes. Please, do not reuse values from previous chart installations.

Upgrade Falco to 0.32.1
Massive refactoring of the chart implementation
Add ability to use either a daemonset or a deployment (depending on the installation scenario)
Add ability to specify custom network services
New settings for the drivers configuration
New Makefile to generate helm documentation
Add values-k8saudit.yaml preset for the k8saudit plugin
Fix use load_plugins instead of loadPlugins in Falco configuration
Update containerSecurityContext (former securityContext) now takes precedence over auto configs
Move leastPriviledged mode under eBPF and add missing SYS_PTRACE cap
Update group values for metadata collection under "collectors"
Remove several settings in favour of extra.env
Use chart appVersion as default image tag
Move setting from image.pullSecrets to imagePullSecrets
Add an option to set desidered replicas
Improve selector labels
Modernize labels and improve internal helpers
Deprecate PSP (template removed)
Fake event generator removed from this chart

v1.19.4

Bump Falco Sidekick dependency.

v1.19.3

Add watchConfigFiles value to falco README

v1.19.2

Bump Falco Sidekick dependency.
Add support for DaemonSet podSecurityContext and securityContext.

v1.19.1

Fix the changelog for 1.19.0

v1.19.0

Upgrade to Falco 0.32.0 (see the Falco changelog)
Various Falco config settings were updated for Falco 0.32.0

Breaking Changes

Audit Log is now supported via k8saudit plugin (when enabled, syscall instrumentation will be disabled)
dynamicBackend support for Audit Log is now deprecated

v1.18.6

Bump falcosidekick chart dependency (fix issue with the UI)

v1.18.5

Bump falcosidekick chart dependency

v1.18.4

Now the url to falcosidekick on NOTES.txt on falco helm chart points to the right place.

v1.18.3

Fix for issue 318 - Missing comma in k8s_audit_rules.yaml.

v1.18.2

Further fix for --reuse-values option after the introduction of crio.enabled.

v1.18.1

Workaround to make this chart work with Helm --reuse-values option after the introduction of crio.enabled.

v1.18.0

Added support for cri-o

v1.17.6

Remove whitespace around falco.httpOutput.url to fix the error libcurl error: URL using bad/illegal format or missing URL.

v1.17.5

Changed falco.httpOutput.url so that it always overrides the default URL, even when falcosidekick is enabled. (NOTE: don't use this version, see v1.17.6)

v1.17.4

Upgrade to Falco 0.31.1 (see the Falco changelog)
Update rulesets from Falco 0.31.1

v1.17.3

Fix quoting around --k8s-node

v1.17.2

Add leastPrivileged.enabled configuration

v1.17.1

Fixed priority level info change to informational

v1.17.0

Upgrade to Falco 0.31.0 (see the Falco changelog)
Update rulesets from Falco 0.31.0
Update several configuration options under the falco node to reflect the new Falco version
Initial plugins support

v1.16.4

Bump falcosidekick chart dependency

v1.16.2

Add serviceAccount.annotations configuration

v1.16.1

Fixed string escaping for --k8s-node

v1.16.0

Upgrade to Falco 0.30.0 (see the Falco changelog)
Update rulesets from Falco 0.30.0
Add kubernetesSupport.enableNodeFilter configuration to enable node filtering when requesting pods metadata from Kubernetes
Add falco.metadataDownload configuration for fine-tuning container orchestrator metadata fetching params
Add falco.jsonIncludeTagsProperty configuration to include tags in the JSON output

v1.15.7

Removed maxSurge reference from comment in Falco's values.yaml file.

v1.15.6

Update Falcosidekick chart to 0.3.13

v1.15.4

Update Falcosidekick chart to 0.3.12

v1.15.3

Upgrade to Falco 0.29.1 (see the Falco changelog)
Update rulesets from Falco 0.29.1

v1.15.2

Add ability to use an existing secret of key, cert, ca as well as pem bundle instead of creating it from files

v1.15.1

Fixed liveness and readiness probes schema when ssl is enabled

v1.14.1

Update Falcosidekick chart to 0.3.8

v1.14.1

Update image tag to 0.29.0 in values.yaml

v1.14.0

Upgrade to Falco 0.29.0 (see the Falco changelog)
Update rulesets from Falco 0.29.0

v1.13.2

Fixed incorrect spelling of fullfqdn

v1.13.1

Fix port for readinessProbe and livenessProbe

v1.13.0

Add liveness and readiness probes to Falco

v1.12.0

Add kubernetesSupport configuration to make Kubernetes Falco support optional in the daemonset (enabled by default)

v1.11.1

Upgrade to Falco 0.28.1 (see the Falco changelog)

v1.11.0

Bump up version of chart for Falcosidekick dependency to v3.5.0

v1.10.0

Add falcosidekick.fullfqdn option to connect falco to falcosidekick with full FQDN
Bump up version of chart for Falcosidekick dependency

v1.9.0

Upgrade to Falco 0.28.0 (see the Falco changelog)
Update rulesets from Falco 0.28.0

v1.8.1

Bump up version of chart for Falcosidekick dependency

v1.8.0

Bump up version of chart for Falcosidekick dependency

v1.7.10

Update rule Write below monitored dir description

v1.7.9

Add a documentation section about the driver

v1.7.8

Increase CPU limit default value

v1.7.7

Add a documentation section about using init containers

v1.7.6

Correct icon URL

v1.7.5

Update downstream sidekick chart

v1.7.4

Add ebpf.probe.path configuration option

v1.7.3

Bump up version of chart for Falcosidekick dependency

v1.7.2

Fix falco configmap when Falcosidekick is enabled, wrong service name was used

v1.7.1

Correct image tag for Falco 0.27.0

v1.7.0

Upgrade to Falco 0.27.0 (see the Falco changelog)
Add falco.output_timeout configuration setting

v1.6.1

Minor Changes

Add falcosidekick as an optional dependency

v1.6.0

Minor Changes

Remove deprecated integrations (see #123)

v1.5.8

Minor Changes

Add value extraVolumes, allow adding extra volumes to falco daemonset
Add value extraVolumeMounts, allow adding extra volumeMounts to falco container in falco daemonset

v1.5.6

Minor Changes

Add falco.webserver.sslEnabled config, enabling SSL support
Add falco.webserver.nodePort configuration as an alternative way for exposing the AuditLog webhook (disabled by default)

v1.5.5

Minor Changes

Support release namespace configuration

v1.5.4

Minor Changes

Upgrade to Falco 0.26.2, DRIVERS_REPO now defaults to https://download.falco.org/?prefix=driver/ (see the Falco changelog)

v1.5.3

Minor Changes

Deprecation notice for gcscc, natsOutput, snsOutput, pubsubOutput integrations
Clean up old references from documentation

v1.5.2

Minor Changes

Add Pod Security Policy Support for the fake event generator

v1.5.1

Minor Changes

Replace extensions apiGroup/apiVersion because of deprecation

v1.5.0

Minor Changes

Upgrade to Falco 0.26.1
Update ruleset from Falco 0.26.1
Automatically set the appropriate apiVersion for rbac

v1.4.0

Minor Changes

Allow adding InitContainers to Falco pod with extraInitContainers configuration

v1.3.0

Minor Changes

Upgrade to Falco 0.25.0
Update ruleset from Falco 0.25.0

v1.2.3

Minor Changes

Fix duplicate mount point problem when both gRPC and NATS integrations are enabled

v1.2.2

Minor Changes

Allow configuration using values for imagePullSecrets setting
Add docker.io/falcosecurity/falco image to falco_privileged_images macro

v1.2.1

Minor Changes

Add SecurityContextConstraint to allow deploying in Openshift

v1.2.0

Minor Changes

Upgrade to Falco 0.24.0
Update ruleset from Falco 0.24.0
gRPC Unix Socket support
Set default threadiness to 0 ("auto" behavior) for the gRPC server

v1.1.10

Minor Changes

Switch to falcosecurity/event-generator
Allow configuration using values for fakeEventGenerator.args setting
Update ruleset
New releasing mechanism

v1.1.9

Minor Changes

Add missing privileges for the apps Kubernetes API group
Allow client config url for Audit Sink with auditLog.dynamicBackend.url

v1.1.8

Minor Changes

Upgrade to Falco 0.23.0
Correct socket path for --cri flag
Always mount /etc (required by falco-driver-loader)

v1.1.7

Minor Changes

Add pod annotation support for daemonset

v1.1.6

Minor Changes

Upgrade to Falco 0.21.0
Upgrade rules to Falco 0.21.0

v1.1.5

Minor Changes

Add headless service for gRPC server
Allow gRPC certificates configuration by using --set-file

v1.1.4

Minor Changes

Make /lib/modules writable from the container

v1.1.3

Minor Changes

Allow configuration using values for grpc setting
Allow configuration using values for grpc_output setting

v1.1.2

Minor Changes

Upgrade to Falco 0.20.0
Upgrade rules to Falco 0.20.0

v1.1.1

Minor Changes

Upgrade to Falco 0.19.0
Upgrade rules to Falco 0.19.0
Remove Sysdig references, Falco is a project by its own name

v1.1.0

Minor Changes

Revamp auditLog feature
Upgrade to latest version (0.18.0)
Replace CRI references with containerD

v1.0.12

Minor Changes

Support multiple lines for falco.programOutput.program

v1.0.11

Minor Changes

Add affinity

v1.0.10

Minor Changes

Migrate API versions from deprecated, removed versions to support Kubernetes v1.16

v1.0.9

Minor Changes

Restrict the access to /dev on underlying host to read only

v1.0.8

Minor Changes

Upgrade to Falco 0.17.1
Upgrade rules to Falco 0.17.1

v1.0.7

Minor Changes

Allow configuration using values for nodeSelector setting

v1.0.6

Minor Changes

Falco does a rollingUpgrade when the falco or falco-rules configMap changes with a helm upgrade

v1.0.5

Minor Changes

Add 3 resources (daemonsets, deployments, replicasets) to the ClusterRole resource list Ref: PR#514 from Falco repository

v1.0.4

Minor Changes

Upgrade to Falco 0.17.0
Upgrade rules to Falco 0.17.0

v1.0.3

Minor Changes

Support priorityClassName

v1.0.2

Minor Changes

Upgrade to Falco 0.16.0
Upgrade rules to Falco 0.16.0

v1.0.1

Minor Changes

Extra environment variables passed to daemonset pods

v1.0.0

Major Changes

Add support for K8s audit logging

v0.9.1

Minor Changes

Allow configuration using values for time_format_iso8601 setting
Allow configuration using values for syscall_event_drops setting
Allow configuration using values for http_output setting
Add CHANGELOG entry for v0.8.0, not present on its PR

v0.9.0

Major Changes

Add nestorsalceda as an approver

v0.8.0

Major Changes

Allow configuration of Pod Security Policy. This is needed to get Falco running when the Admission Controller is enabled.

v0.7.10

Minor Changes

Fix bug with Google Cloud Security Command Center and Falco integration

v0.7.9

Minor Changes

Upgrade to Falco 0.15.3
Upgrade rules to Falco 0.15.3

v0.7.8

Minor Changes

Add TZ parameter for time correlation in Falco logs

v0.7.7

Minor Changes

Upgrade to Falco 0.15.1
Upgrade rules to Falco 0.15.1

v0.7.6

Major Changes

Allow to enable/disable usage of the docker socket
Configurable docker socket path
CRI support, configurable CRI socket
Allow to enable/disable usage of the CRI socket

v0.7.5

Minor Changes

Upgrade to Falco 0.15.0
Upgrade rules to Falco 0.15.0

v0.7.4

Minor Changes

Use the KUBERNETES_SERVICE_HOST environment variable to connect to Kubernetes API instead of using a fixed name

v0.7.3

Minor Changes

Remove the toJson pipeline when storing Google Credentials. It makes strange stuff with double quotes and does not allow to use base64 encoded credentials

v0.7.2

Minor Changes

Fix typos in README.md

v0.7.1

Minor Changes

Add Google Pub/Sub Output integration

v0.7.0

Major Changes

Disable eBPF by default on Falco. We activated eBPF by default to make the CI pass, but now we found a better method to make the CI pass without bothering our users.

v0.6.0

Major Changes

Upgrade to Falco 0.14.0
Upgrade rules to Falco 0.14.0
Enable eBPF by default on Falco
Allow to download Falco images from different registries than docker.io
Use rollingUpdate strategy by default
Provide sane defauls for falco resource management

v0.5.6

Minor Changes

Allow extra container args

v0.5.5

Minor Changes

Update correct slack example

v0.5.4

Minor Changes

Using Falco version 0.13.0 instead of latest.

v0.5.3

Minor Changes

Update falco_rules.yaml file to use the same rules that Falco 0.13.0

v0.5.2

Minor Changes

Falco was accepted as a CNCF project. Fix references and download image from falcosecurity organization.

v0.5.1

Minor Changes

Allow falco to resolve cluster hostnames when running with ebpf.hostNetwork: true

v0.5.0

Major Changes

Add Amazon SNS Output integration

v0.4.0

Major Changes

Allow Falco to be run with a HTTP proxy server

v0.3.1

Minor Changes

Mount in memory volume for shm. It was used in volumes but was not mounted.

v0.3.0

Major Changes

Add eBPF support for Falco. Falco can now read events via an eBPF program loaded into the kernel instead of the falco-probe kernel module.

Files

CHANGELOG.md

Latest commit

History

CHANGELOG.md

File metadata and controls

Change Log

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.2

v4.1.1

v4.1.0

v4.0.0

v3.8.7

v3.8.6

v3.8.5

v3.8.4

v3.8.3

v3.8.2

v3.8.1

v3.8.0

v3.7.1

v3.7.0

v3.6.2

v3.6.1

v3.6.0

v3.5.0

Major Changes

v3.4.1

v3.4.0

v3.3.1

v3.3.0

v3.2.1

v3.2.0

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.0

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.0

v2.0.18

v2.0.17

v2.0.16

v2.0.15

v2.0.14

v2.0.13

v2.0.12

v2.0.11

v2.0.10

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2