Kris Nova kris-nova Sysdig San Francisco https://twitter.com/krisnova Doing the best I can :)

hjacobs/kubernetes-on-aws-users 109

List of companies/organizations running Kubernetes on AWS

falcosecurity/falcoctl 36

Administrative tooling for Falco.

falcosecurity/falco-kubernetes-workshop 17

A lightweight workshop built on the shoulders of giants.

freebsd-docker/kubernetes-bootstrap 9

Tools to bootstrap kubernetes on FreeBSD

franktheunicorn/predict-pr-comments 7

Predict comments on PRs

devinteske/figput 3

Configuration Putter

kris-nova/apiserver-builder 1

apiserver-builder implements libraries and tools to quickly and easily build Kubernetes apiservers to support custom resource types

kris-nova/audacity 1

Audio Editor : : : : developer list at : : https://lists.sourceforge.net/lists/listinfo/audacity-devel

kris-nova/azkabin 1

Magical executables for working with Azure

issue comment falcosecurity/falco

Falco on GKE - dropped syscall events

So following up here.

Let's look at

```cpp
else if (string(long_options[long_index].name) == "disable-cri-async")
{
  cri_async = false;
```

The logic here is a double-negative and can be a bit confusing.


If you would like to optimize for performance at the risk of dropping a syscall (note: a dropped syscall does not necessarily mean that the system is missing any data), please leave the system as is.

If you would like to ensure that system calls are not dropped while enriching metadata from the container layer, please add the following flag:

```
--disable-cri-async
```

I opened a pull request for the helm chart https://github.com/falcosecurity/charts/pull/15/files


Tested on GKE

```
[nova@nova event-generator]$ k get no
NAME                                  STATUS   ROLES    AGE   VERSION
gke-nova-default-pool-4935e89d-cc6p   Ready    <none>   40h   v1.16.8-gke.15
gke-nova-default-pool-4935e89d-g8td   Ready    <none>   40h   v1.16.8-gke.15
gke-nova-default-pool-4935e89d-k6jq   Ready    <none>   40h   v1.16.8-gke.15
[nova@nova event-generator]$ k get po -l app=falco
NAME          READY   STATUS    RESTARTS   AGE
falco-46pp7   1/1     Running   0          19m
falco-7sl8r   1/1     Running   0          19m
falco-dzgpj   1/1     Running   0          19m
[nova@nova event-generator]$ k logs -l app=falco | grep -i "drop"
[nova@nova event-generator]$ 
```

Please share your findings and I will keep an eye on my pod logs while running as many work-intensive loads as I can throw at this thing.

caquino

comment created time in 2 days

PR opened falcosecurity/charts

Update daemonset.yaml
+1 -0

0 comment

1 changed file

pr created time in 2 days

create branch falcosecurity/charts

branch : kris-nova-patch-2

created branch time in 2 days

started OpenELEC/dvb-firmware

started time in 2 days

issue comment falcosecurity/falco

Falco on GKE - dropped syscall events

After the pods were successfully running without any drops in the logs for ~60 minutes I decided to try to run a small workload.

```
[nova@nova event-generator]$ k run events --image  krisnova/falco-event-generator:latest
pod/events created
[nova@nova event-generator]$ k get po
NAME          READY   STATUS              RESTARTS   AGE
events        0/1     ContainerCreating   0          2s
falco-7kkpk   1/1     Running             0          57m
falco-9ndjk   1/1     Running             0          57m
falco-dkx2c   1/1     Running             0          58m
[nova@nova event-generator]$ k logs -l app=falco
* Skipping download, eBPF probe is already present in /root/.falco/falco_cos_4.19.109+_1.o
* eBPF probe located in /root/.falco/falco_cos_4.19.109+_1.o
* Success: eBPF probe symlinked to /root/.falco/falco-bpf.o
Fri May 22 11:26:59 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Fri May 22 11:26:59 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Fri May 22 11:27:00 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Fri May 22 11:27:02 2020: Starting internal webserver, listening on port 8765
11:27:02.275043000: Notice Privileged container started (user=<NA> command=container:8b95e4277435 k8s.ns=kube-system k8s.pod=kube-proxy-gke-nova-default-pool-4935e89d-cc6p container=8b95e4277435 image=gke.gcr.io/kube-proxy-amd64:v1.16.8-gke.15) k8s.ns=kube-system k8s.pod=kube-proxy-gke-nova-default-pool-4935e89d-cc6p container=8b95e4277435
11:27:02.563498000: Notice Privileged container started (user=root command=container:9cc49632aa15 k8s.ns=default k8s.pod=falco-7kkpk container=9cc49632aa15 image=falcosecurity/falco:0.23.0) k8s.ns=default k8s.pod=falco-7kkpk container=9cc49632aa15
12:18:48.157470217: Critical Falco internal: syscall event drop. 1 system calls dropped in last second. (ebpf_enabled=1 n_drops=1 n_drops_buffer=0 n_drops_bug=0 n_drops_pf=1 n_evts=5876)
* Skipping download, eBPF probe is already present in /root/.falco/falco_cos_4.19.109+_1.o
* eBPF probe located in /root/.falco/falco_cos_4.19.109+_1.o
* Success: eBPF probe symlinked to /root/.falco/falco-bpf.o
Fri May 22 11:26:53 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Fri May 22 11:26:53 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Fri May 22 11:26:54 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Fri May 22 11:26:56 2020: Starting internal webserver, listening on port 8765
11:26:56.478515000: Notice Privileged container started (user=<NA> command=container:65258398bcf1 k8s.ns=kube-system k8s.pod=kube-proxy-gke-nova-default-pool-4935e89d-k6jq container=65258398bcf1 image=gke.gcr.io/kube-proxy-amd64:v1.16.8-gke.15) k8s.ns=kube-system k8s.pod=kube-proxy-gke-nova-default-pool-4935e89d-k6jq container=65258398bcf1
11:26:56.798178000: Notice Privileged container started (user=root command=container:10a38778b1ee k8s.ns=default k8s.pod=falco-9ndjk container=10a38778b1ee image=falcosecurity/falco:0.23.0) k8s.ns=default k8s.pod=falco-9ndjk container=10a38778b1ee
12:19:00.057431524: Critical Falco internal: syscall event drop. 1 system calls dropped in last second. (ebpf_enabled=1 n_drops=1 n_drops_buffer=0 n_drops_bug=0 n_drops_pf=1 n_evts=4902)
* Skipping download, eBPF probe is already present in /root/.falco/falco_cos_4.19.109+_1.o
* eBPF probe located in /root/.falco/falco_cos_4.19.109+_1.o
* Success: eBPF probe symlinked to /root/.falco/falco-bpf.o
Fri May 22 11:26:53 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Fri May 22 11:26:53 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Fri May 22 11:26:54 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Fri May 22 11:26:56 2020: Starting internal webserver, listening on port 8765
11:26:56.121409000: Notice Privileged container started (user=<NA> command=container:4c6e998a6835 k8s.ns=kube-system k8s.pod=kube-proxy-gke-nova-default-pool-4935e89d-g8td container=4c6e998a6835 image=gke.gcr.io/kube-proxy-amd64:v1.16.8-gke.15) k8s.ns=kube-system k8s.pod=kube-proxy-gke-nova-default-pool-4935e89d-g8td container=4c6e998a6835
11:26:56.403484000: Notice Privileged container started (user=<NA> command=container:422045a95533 k8s.ns=default k8s.pod=falco-dkx2c container=422045a95533 image=falcosecurity/falco:0.23.0) k8s.ns=default k8s.pod=falco-dkx2c container=422045a95533
12:18:58.369831574: Critical Falco internal: syscall event drop. 1 system calls dropped in last second. (ebpf_enabled=1 n_drops=1 n_drops_buffer=0 n_drops_bug=0 n_drops_pf=1 n_evts=6256)
```

I was now able to replicate the bug.



It looks like the work in https://github.com/falcosecurity/falco/issues/1204 will be able to help us track down the concerns here to mitigate this problem. I am definitely following that thread closely as this seems to be the biggest issue folks are hitting right now. 

Hope this helps
caquino

comment created time in 3 days
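A way to triage the `syscall event drop` alerts shown in the comment above, as an added example that is not part of the original comment or of Falco: it parses each alert's counters and reports which drop cause dominates. The three alert lines are copied from the logs above; the other sample lines are constructed, and the cause descriptions in `CAUSES` are an assumed reading of the counter names, not something the comment states.

```python
import re
from collections import Counter

# Matches the "Falco internal: syscall event drop" alert format seen in the logs above.
DROP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+): (?P<prio>\w+) "
    r"Falco internal: syscall event drop\. "
    r"(?P<count>\d+) system calls dropped in last second\. "
    r"\((?P<fields>[^)]*)\)"
)

# Assumed meaning of the per-cause counters (an interpretation, not from the page).
CAUSES = {
    "n_drops_buffer": "ring buffer full, userspace consumer too slow",
    "n_drops_pf": "page fault while the probe read syscall arguments",
    "n_drops_bug": "invalid condition hit inside the probe",
}

# First three lines are copied from the comment; the last two are constructed
# non-alert lines to show that ordinary log output is skipped.
SAMPLE_LINES = [
    "12:18:48.157470217: Critical Falco internal: syscall event drop. 1 system calls dropped in last second. "
    "(ebpf_enabled=1 n_drops=1 n_drops_buffer=0 n_drops_bug=0 n_drops_pf=1 n_evts=5876)",
    "12:19:00.057431524: Critical Falco internal: syscall event drop. 1 system calls dropped in last second. "
    "(ebpf_enabled=1 n_drops=1 n_drops_buffer=0 n_drops_bug=0 n_drops_pf=1 n_evts=4902)",
    "12:18:58.369831574: Critical Falco internal: syscall event drop. 1 system calls dropped in last second. "
    "(ebpf_enabled=1 n_drops=1 n_drops_buffer=0 n_drops_bug=0 n_drops_pf=1 n_evts=6256)",
    "Fri May 22 11:26:56 2020: Starting internal webserver, listening on port 8765",
    "* eBPF probe located in /root/.falco/falco_cos_4.19.109+_1.o",
]


def parse_drop_line(line):
    """Return a dict of counters for a drop alert, or None for any other line."""
    m = DROP_RE.match(line.strip())
    if not m:
        return None
    record = {
        "ts": m.group("ts"),
        "priority": m.group("prio"),
        "dropped": int(m.group("count")),
    }
    # The parenthesised tail is a space-separated list of key=integer pairs.
    for pair in m.group("fields").split():
        key, sep, value = pair.partition("=")
        if sep and value.isdigit():
            record[key] = int(value)
    return record


def summarize(lines):
    """Aggregate drop alerts and name the counter responsible for most drops."""
    totals = Counter()
    alerts = 0
    for line in lines:
        rec = parse_drop_line(line)
        if rec is None:
            continue
        alerts += 1
        for key in ("n_drops", "n_evts", *CAUSES):
            totals[key] += rec.get(key, 0)
    by_cause = {k: totals[k] for k in CAUSES if totals[k]}
    dominant = max(by_cause, key=by_cause.get) if by_cause else None
    # Rough rate only: drops reported per event counted in the same alerts.
    rate = totals["n_drops"] / totals["n_evts"] if totals["n_evts"] else 0.0
    return {
        "alerts": alerts,
        "n_drops": totals["n_drops"],
        "n_evts": totals["n_evts"],
        "drops_per_event": rate,
        "by_cause": by_cause,
        "dominant_cause": dominant,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print(report)
    if report["dominant_cause"]:
        print("dominant:", CAUSES[report["dominant_cause"]])
```

Feeding it the output of `k logs -l app=falco` separates isolated page-fault drops like the ones above from sustained buffer drops, which call for different follow-up.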

issue comment falcosecurity/event-generator

Command to deploy the event generator in K8s cluster

So what's the command? how can I run this in kubernetes?

leogr

comment created time in 3 days

pull request comment falcosecurity/falco-website

feat(docs): Update helm chart

Related: https://github.com/helm/charts/pull/22481

kris-nova

comment created time in 3 days

PR opened falcosecurity/falco-website

feat(docs): Update helm chart

Signed-off-by: Kris Nova kris@nivenly.com


+1 -2

0 comment

1 changed file

pr created time in 3 days

create branch falcosecurity/falco-website

branch : third-party-helm

created branch time in 3 days

issue opened falcosecurity/charts

Update documentation for helm chart

Right now we have a lot of resources with outdated documentation.

Specifically once https://github.com/helm/charts/pull/22481 lands the following will be broken:

  • https://falco.org/blog/minikube-falco-kernel-module/
  • https://falco.org/blog/falco-kind-prometheus-grafana/

created time in 3 days

push event falcosecurity/charts

Kris Nova

commit sha 4e074a889edafe99798bf8f2bc375581b6e9a4ee

Bump to container image 0.23.0 Signed-off-by: Kris Nova <kris@nivenly.com>

view details

push time in 3 days

issue comment falcosecurity/falco

Falco on GKE - dropped syscall events

So the helm chart being used threw me for a loop.

I opened https://github.com/helm/charts/pull/22481 to remove the falco stable chart in favor of https://github.com/falcosecurity/charts/pull/12 which updates the container image from 0.21.0 to 0.23.0.

This update was required for me to deploy to GKE.

I was getting the following error with 0.21.0

```
[nova@nova ~]$ k logs falco-xgg9l -f
* Setting up /usr/src links from host
* Mounting debugfs
Found kernel config at /proc/config.gz
* COS detected (build 12371.208.0), using cos kernel headers...
* Downloading https://storage.googleapis.com/cos-tools/12371.208.0/kernel-headers.tgz
* Extracting kernel sources
* Configuring kernel
* Trying to compile BPF probe falco-probe-bpf (falco-probe-bpf-latest-x86_64-4.19.109+-c49f5fbc35a5b76e9ca8d47acc2b1913.o)
make: *** /usr/src/falco-latest/bpf: No such file or directory.  Stop.
mv: cannot stat '/usr/src/falco-latest/bpf/probe.o': No such file or directory
* Trying to download precompiled BPF probe from https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-bpf-latest-x86_64-4.19.109%2B-c49f5fbc35a5b76e9ca8d47acc2b1913.o
curl: (22) The requested URL returned error: 404 Not Found
* Failure to find a BPF probe
Fri May 22 11:22:15 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Fri May 22 11:22:15 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Fri May 22 11:22:16 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Fri May 22 11:22:16 2020: Unable to load the driver. Exiting.
Fri May 22 11:22:16 2020: Runtime error: can't open BPF probe '/root/.falco/falco-probe-bpf.o': Errno 2. Exiting.
```

--- 

After making the change to the DaemonSet for `0.23.0` I have had Falco running with BPF in GKE 


```
[nova@nova stable]$ k logs -l app=falco -f
* Extracting kernel sources
* Configuring kernel
* Trying to compile the eBPF probe (falco_cos_4.19.109+_1.o)
* Skipping download, eBPF probe is already present in /root/.falco/falco_cos_4.19.109+_1.o
* eBPF probe located in /root/.falco/falco_cos_4.19.109+_1.o
* Success: eBPF probe symlinked to /root/.falco/falco-bpf.o
Fri May 22 11:26:53 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Fri May 22 11:26:53 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Fri May 22 11:26:54 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Fri May 22 11:26:56 2020: Starting internal webserver, listening on port 8765
* Extracting kernel sources
* Configuring kernel
* Trying to compile the eBPF probe (falco_cos_4.19.109+_1.o)
* Skipping download, eBPF probe is already present in /root/.falco/falco_cos_4.19.109+_1.o
* eBPF probe located in /root/.falco/falco_cos_4.19.109+_1.o
* Success: eBPF probe symlinked to /root/.falco/falco-bpf.o
Fri May 22 11:26:59 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Fri May 22 11:26:59 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Fri May 22 11:27:00 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Fri May 22 11:27:02 2020: Starting internal webserver, listening on port 8765
* Extracting kernel sources
* Configuring kernel
* Trying to compile the eBPF probe (falco_cos_4.19.109+_1.o)
* Skipping download, eBPF probe is already present in /root/.falco/falco_cos_4.19.109+_1.o
* eBPF probe located in /root/.falco/falco_cos_4.19.109+_1.o
* Success: eBPF probe symlinked to /root/.falco/falco-bpf.o
Fri May 22 11:26:53 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Fri May 22 11:26:53 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Fri May 22 11:26:54 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Fri May 22 11:26:56 2020: Starting internal webserver, listening on port 8765
^C
[nova@nova stable]$ k get po
NAME          READY   STATUS    RESTARTS   AGE
falco-7kkpk   1/1     Running   0          18m
falco-9ndjk   1/1     Running   0          18m
falco-dkx2c   1/1     Running   0          19m
[nova@nova stable]$ k get no
NAME                                  STATUS   ROLES    AGE   VERSION
gke-nova-default-pool-4935e89d-cc6p   Ready    <none>   24m   v1.16.8-gke.15
gke-nova-default-pool-4935e89d-g8td   Ready    <none>   24m   v1.16.8-gke.15
gke-nova-default-pool-4935e89d-k6jq   Ready    <none>   24m   v1.16.8-gke.15
[nova@nova stable]$ k get ds -oyaml | grep "image:"
image: docker.io/falcosecurity/falco:0.23.0
```

Granted my pods have only been up for ~19 minutes. I will keep an eye on them over the next few weeks and will report any occurrences of 

```Falco internal: syscall event drop```

in the hopes that sharing replication steps can help us fix this. This is a top priority. 
caquino

comment created time in 3 days

PR opened helm/charts

feat(migrate): Remove Falco Stable Chart

The Falco community has decided to adopt the chart and has migrated the code and its history here.

So long, and thanks for all the fish.

Signed-off-by: Kris Nova kris@nivenly.com

+0 -5121

0 comment

25 changed files

pr created time in 3 days

create branch kris-nova/charts

branch : remove-falco

created branch time in 3 days

fork kris-nova/charts

Curated applications for Kubernetes

fork in 3 days

PR opened falcosecurity/charts

Bump to container image 0.23.0
+1 -1

0 comment

1 changed file

pr created time in 3 days

create branch falcosecurity/charts

branch : kris-nova-patch-1

created branch time in 3 days

pull request comment kubernetes/community

feat(communication/slack-config): adding slack channels for Falco

Can we please set up a call with the kubernetes slack admins? After speaking with folks at the CNCF I just want us all to sync so we understand what is going on and nobody is left out.

leodido

comment created time in 4 days

issue closed falcosecurity/falco

Cutover to CNCF Slack

Motivation

In an effort to improve vendor independence can we please start using the CNCF slack as our official source of truth for Slack?


Feature

We can use the following slack feature to begin the migration so that no disruption is caused to our existing slack: https://slack.com/resources/slack-for-admins/shared-channels-in-slack


Alternatives

One alternative would be to do a cold-cutover (maybe over the holiday?) to make this as seamless as possible.


Additional context

We will be discussing this during the OSS call today: https://github.com/falcosecurity/community/issues/64


closed time in 4 days

kris-nova

issue comment falcosecurity/falco

Cutover to CNCF Slack

What blanks are you missing?

Following this thread above :point_up: there was a strong encouragement to move to a slack under "the CNCF umbrella". @caniszczyk let us know that there would not be funding available in the case a newly created slack wanted to move from the free version to enterprise.

This left the Falco community with 3 options.

  • Migrate to our newly created workspace https://falcosecurity.slack.com/#/ (0 users)
  • Migrate to the CNCF slack workspace https://slack.cncf.io/ (16k users)
  • Migrate to the Kubernetes workspace https://slack.k8s.io/ (100k users)

We picked slack.k8s.io.


The decision was made on our weekly call


Ultimately there are a few things I would like to remind everyone of.

  1. This was a disruption and a nuisance to the Falco end-users, as well as the maintainers. We did this out of good faith and chose the path that we felt would be the best for everyone. Slack exists as a convenience tool so that a community can thrive. We were (and still are) happy to hand over root access to slack.sysdig.com. This transition was driven by the CNCF for reasons I don't completely understand.

  2. Conversations will always happen in places we can not control. Part of being a good manager and a healthy leader is sharing context, not control. We will never be able to completely control the conversation and where they happen. There is a reason that there are falco channels in the following places.

  • slack.k8s.io
  • slack.sysdig.com
  • slack.cncf.io
  • github.com/falcosecurity
  • freenode channel #falco
  • reddit
  • etc

We see this same pattern with Kubernetes.

  3. We are here to share and build healthy software. The Falco community was forced with a difficult decision for reasons our community did not understand, and given the constraints of the decision we picked one of our 3 options. So far the community seems to welcome and embrace the change in a warm way.

I think the fact that the community is welcoming this change in a warm way, and that the constraints defined above were met -- is a sign of success.

  • If you do not agree with this decision.
  • If you do not like this decision.
  • If you do not understand this decision.

We would love to see you on one of our weekly calls or in the mailing list where we are happy to discuss other avenues and disrupt our community yet again if you are interested in driving this change.

kris-nova

comment created time in 4 days

CommitCommentEvent

push event kris-nova/SYN-spoof

Sebastiaan van Stijn

commit sha 2f5ce452e5bd981afe2379882be67079297a6128

From twitter, with love Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

view details

Kris Nova

commit sha 7bc5b277b9e79618f5abe0cf19bf006ed3697f9a

Merge pull request #1 from thaJeztah/this_branch_should_have_no_name From twitter, with love

view details

push time in 5 days

CommitCommentEvent

pull request comment falcosecurity/.github

update: slack URL

/approve

leodido

comment created time in 5 days

push event setns/live

jlee-sysdig

commit sha b5e4ca5316ab1236866287f5b03ac8c25e8787b2

Folder for website source files

view details

jlee-sysdig

commit sha 44557b17d4310445cf2738494b03461c5c2ab3d9

Add files and folders for setns.live

view details

jlee-sysdig

commit sha 45a54253005a31caf4c30a7915345b62ebbeb503

Update calendar to use Nova's google calendar

view details

Kris Nova

commit sha b5de6321a594afeab4146febdacb8ffa22c6b199

Merge pull request #9 from jlee-sysdig/add-www-folder-for-website-source-files Add www folder for website source files

view details

push time in 5 days

issue comment falcosecurity/falco

Cutover to CNCF Slack

Following up on the weekly call that just happened.

The community seems to agree that we would like to move to the Kubernetes slack officially.

Some links and resources to share the good news:


The next steps

  • [ ] Announce in the existing falco slack
  • [ ] Set the existing slack to read-only and point to Kubernetes
  • [ ] Announce on the mailing list
  • [ ] Begin using the Kubernetes slack
  • [ ] Send the Falco maintainers wine and cheese to say thank you for their hard work
kris-nova

comment created time in 5 days

issue comment falcosecurity/falco-website

Manual data entry for falco front end user reports

Grzegorz Nosek:spiral_calendar_pad: 1 hour ago the icons could use some spacing before the text (and maybe consistent width?) other than that, :star-struck:

davide 1 hour ago nice! 15-sec viewer comments:

  1. the top 3 boxes look clickable (I tried clicking the box and the title, couldn’t believe they were not sending me somewhere else)
  2. icon-text spacing is a little too narrow, I’d give it few more pixels of air. Same goes for within logos as well
  3. The first title is centered, the second is left-aligned. That seems a little off as well.

davide 41 minutes ago Also, the initial spinner was kinda unexpected… you’d never really expect a “loading” step for a simple “marketing” web page like this. I’ve never seen spinners for anything besides proper web applications. Nice, just unexpected and potentially hiding bigger tech problems under the carpet.

kris-nova

comment created time in 5 days

issue opened falcosecurity/falco-website

Manual data entry for falco front end user reports

1t 44 minutes ago That looks real nice. i noticed what looks like a bug to me though. when i scroll down (in chrome) after freshly loading the page, the three boxes flicker for me.

capitangolo 38 minutes ago I find the spacing in the logos section weird. Logos are too big or too smashed together. Looks like there is too much spacing after the section titles. Some logos have white background, looks weird: League, Preferral, Logz.io, shujnko, grafana, Red Hat, StatsD Some logos are cut by the borders: Kubernetes, OPA, Prometheus, Azure / CNCF at the bottom. PD: Looks great! (edited)

ck:spiral_calendar_pad: 20 minutes ago The CNCF logo also gets that corner cutting look

Janet:house_with_garden: 20 minutes ago I like the reference to originally created by Sysdig. However, it is a bit large compared with the other elements. From a design standpoint we may be able to improve the visual appeal, particularly on the top half of the page. (edited)

ck:spiral_calendar_pad: 19 minutes ago Also I didn't get a GDPR style cookie check.

ck:spiral_calendar_pad: 19 minutes ago But I love it! Looks really slick and professional. Awesome work!

ck:spiral_calendar_pad: 10 minutes ago I also love how clean it looks on mobile too, great job!

benedetto:flag-lu: 5 minutes ago the nav line at the top changes when going into doc - it would be nice if it was the same (edited)

created time in 5 days

push event falcosecurity/falco-website

Kris Nova

commit sha b1e059be189386bac5cca10862d629f0775d698f

feat(docs): Adding language to Assert bullet Signed-off-by: Kris Nova <kris@nivenly.com>

view details

push time in 6 days

push event falcosecurity/falco-website

Kris Nova

commit sha a21036a6bd0ec29373a72fdca5f552e156c27423

feat(docs): Fixing typo Signed-off-by: Kris Nova <kris@nivenly.com>

view details

push time in 6 days

issue comment falcosecurity/falco

Falco Binary Downloads Improvements

This is coming along nicely with the recent changes.

Thanks for your help @leogr

Is binary still the best name for this?

kris-nova

comment created time in 6 days

push event falcosecurity/falco-website

Kris Nova

commit sha 67d92ec95a5bd3b6818a3d7bc0380fb58cbd2526

feat(docs): Matching styles for logo headings Signed-off-by: Kris Nova <kris@nivenly.com>

view details

push time in 6 days

push event falcosecurity/falco-website

Kris Nova

commit sha 537c42e4448ee42e1c4e1eea55c67fdfeb13b72a

feat(docs): Fixing slogan to match branding guidelines Signed-off-by: Kris Nova <kris@nivenly.com>

view details

push time in 6 days

push event falcosecurity/falco-website

Kris Nova

commit sha 118a6c823dbddf89589e2cd9c60b5d20c47986f4

feat(docs): Alphabetize rancher Signed-off-by: Kris Nova <kris@nivenly.com>

view details

push time in 6 days

push event falcosecurity/falco-website

Kris Nova

commit sha c069999c891d59afec8e8dd9d6cf7cfc1fc31a83

feat(docs): Adding "original created by" Sysdig Looks like Envoy is doing this, and the CNCF guidelines mention using the language "Originally Created By" Signed-off-by: Kris Nova <kris@nivenly.com>

view details

push time in 6 days

push event falcosecurity/falco-website

Kris Nova

commit sha 409cd4714e780fdd401085f8e4fe2b9354ff2008

feat(docs): Adding Rancher logo https://rancher.com/blog/2020/runtime-security-with-falco/ https://rancher.com/events/kubernetes-master-class/2020-04-20-kubernetes-master-class-detecting-anomalous-activity-in-rancher-with-falco/ https://rancher.com/blog/2020/pod-security-policies-part-2/ https://rancher.com/blog/2020/fleet-management-kubernetes/ Signed-off-by: Kris Nova <kris@nivenly.com>

push time in 6 days

push eventfalcosecurity/falco-website

Kris Nova

commit sha 31e04d1f10a1f5e9f777e48814b42e8af749f018

feat(docs): Fixing build This breaks the existing translation work - but we can reach out to the contributors to find out what the new translations should be. Signed-off-by: Kris Nova <kris@nivenly.com>

push time in 6 days

push eventfalcosecurity/falco-website

Kris Nova

commit sha 89ccda5cfd0836cb93e95f595b2d76a8e11dfd1f

feat(docs): Updating readme with logo contribution guide Signed-off-by: Kris Nova <kris@nivenly.com>

push time in 6 days

pull request commentfalcosecurity/falco-website

feat(docs): Updating CSS for logos

closes https://github.com/falcosecurity/falco/issues/983

kris-nova

comment created time in 6 days

pull request commentfalcosecurity/falco-website

feat(docs): Updating CSS for logos

/unhold

This is ready to go!

kris-nova

comment created time in 6 days

push eventfalcosecurity/falco-website

Kris Nova

commit sha bc89024803ef78f68aa8675e95b7bb288943f5f0

feat(docs): Switch to Kubernetes slack Signed-off-by: Kris Nova <kris@nivenly.com>

push time in 6 days

push eventfalcosecurity/falco-website

Kris Nova

commit sha b8ea62b4da505e16f3507df7b7e0a40415524515

feat(docs): Finalize major facelift of falco.org Note we still need to clean up a lot of the code, but the site looks great! Signed-off-by: Kris Nova <kris@nivenly.com>

push time in 6 days

fork kris-nova/foundation

☁️♮🏛 File non-technical issues related to CNCF

https://cncf.io

fork in 6 days

issue commentfalcosecurity/falco

Cutover to CNCF Slack

Yeah this looks good - we are announcing the changes this week and will have updates to the website and GitHub repositories to work in concert with them as they go live.

We should see a warm cutover before next week's community call next Wednesday, and a deprecation model put in place before permanently archiving our current Slack.

I will post updates here as they happen, and will not close the issue until we are completely cut over.


thanks for being patient with us :)

kris-nova

comment created time in 6 days

Pull request review commentawsdocs/amazon-ecs-developer-guide

[WIP] feat(docs): Add Falco and Fargate with ECS documentation

+# Securing Fargate Tasks with Falco Runtime Security++ECS Fargate `1.4.0` [announced support](https://aws.amazon.com/about-aws/whats-new/2020/04/aws-fargate-launches-platform-version-14/) for the `CAP_SYS_PTRACE` linux capability.++This new feature can be implemented with [Falco](falco.org), an open source runtime security project originally built by Sysdig, Inc and later donated to the Cloud Native Computing Foundation.++Falco uses `ptrace(2)` with Fargate in ECS to detect anomalous behavior at runtime. ++Falco can be configured to send alerts to STDOUT such that ECS can consume the logs. They can then be used to trigger alerts and alarms using AWS logging solutions such as CloudWatch. ++## Dependencies++In order to begin securing a task in ECS a few components need to be installed within the container.++ - Falco userspace daemon+ - Falco pdig tracing utility+ +After these components are installed in the container, Falco can be used in the following ways.++ - Launch an arbitrary process, and begin tracing the original process and all of it's child processes. + - Attach to a running process, and begin tracing the process and all of it's child processes. + +In order for the Falco `pdig` utility to work, the `CAP_SYS_PTRACE` capability must be enabled in a task definition for a Fargate 1.4 or greater ECS Cluster. ++Add the following section to the container JSON you wish to secure while creating the task definition. ++```json+            "linuxParameters": {+                "capabilities": {+                    "add": [+                        "SYS_PTRACE"+                    ],+                    "drop": null+                }+            },+```++## Installing Falco++_Note:_ The Falco `pdig` components are targetted to be released in an upcoming Falco release. 
This documentation will need to be updated after the initial release.++For now you can use the `krisnova/falco-trace:latest` container image which is built on debian and contains Falco and `pdig` pre-installed. +The original work to get this working can be found at [github.com/kris-nova/falco-trace](https://github.com/kris-nova/falcotrace).++Follow the official [Falco installation](https://falco.org) guide for installing Falco with `pdig`. ++Validate that Falco can be ran within the container++```bash +falco -u ++Sun May 17 13:06:53 2020: Falco initialized with configuration file /etc/falco/falco.yaml+Sun May 17 13:06:53 2020: Loading rules from file /etc/falco/rules.d/application_rules.yaml:+Sun May 17 13:06:53 2020: Loading rules from file /etc/falco/rules.d/falco_rules.local.yaml:+Sun May 17 13:06:53 2020: Loading rules from file /etc/falco/rules.d/falco_rules.yaml:+^CSun May 17 13:06:59 2020: SIGINT received, exiting...+Events detected: 0+Rule counts by severity:+Triggered rules by rule name:+Syscall event drop monitoring:+   - event drop detected: 0 occurrences+   - num times actions taken: 0+```++## Running a process with pdig++The above installation should also include a `ptrace(2)` based launcher utility called `pdig`.++The `pdig` utility can either be used to launch a process or attach to a running process. ++Here are some examples of using `pdig` to launch a process.++Running a daemon with `pdig`++```bash+pdig -a ./app --daemon+```++Running a program in the background, and attaching to the pid at runtime++```bash+./app --pidfile=/var/run/app &+pdig -p $(cat /var/run/app)+```++Attach to pid 1 with `pdig`. This will trace all pids in the container.++```bash+pdig -p 1 && ./myapp &+```++## Logs++In order to consume the Falco logs in ECS the Falco logs must go to STDOUT. ++This can be done a number of ways. One option is to tail the falco log file.++First configure falco to log to a file. 
One example is [here](https://github.com/kris-nova/falco-trace/blob/master/etc/falco/falco.yaml) or you can edit the file manually.++```bash+emacs /etc/falco/falco.yaml++# Edit the following++file_output:+  enabled: true+  keep_alive: false+  filename: /var/log/falco.log+```++After Falco is logging to a file you can run your application.++```bash+pdig -a ./myapp &+falco -u --daemon +tail -f /var/log/faclo.log &+```++The logs will now be picked up by ECR and can be used with other AWS services. 
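Review bot: In the Logs section the final code block runs `tail -f /var/log/faclo.log`, but the `file_output` block just above it sets `filename: /var/log/falco.log`, so `tail` follows a file Falco never writes and no alerts reach STDOUT. Change the path to `/var/log/falco.log`. Two smaller points in the same patch: the closing sentence says the logs are picked up by ECR while the introduction says ECS consumes STDOUT, and under Installing Falco the link text `github.com/kris-nova/falco-trace` points at `https://github.com/kris-nova/falcotrace`, which does not match the `kris-nova/falco-trace` path used in the `falco.yaml` link further down.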

Hey everyone -

I don't think the logs will be picked up by ECR... this must be a typo...

Yes. This is a typo :smiley_cat: will fix.

Should probably add that you can use FireLens to send the stdout logs somewhere

I don't know what FireLens is, so I don't really understand the expectation we want to capture here? Can you suggest something to add to the PR?


Regarding stdout_output.enabled: true

That is already baked into the container image I used in the demo and for this writeup.

I had to tail the logs to effectively break the interactive mode (or at least annoy anyone with a TTY) to get the logs to show up.

I don't know very much about logging in AWS so any help or guidance would be appreciated.

kris-nova

comment created time in 7 days

push eventkris-nova/amazon-ecs-developer-guide

Kris Nova

commit sha 0c1ca393d23390edc16edecf6fc50f7458e8f201

Update doc_source/falco-fargate-ptrace-security.md Co-authored-by: Leo Di Donato <leodidonato@gmail.com>

push time in 7 days

push eventkris-nova/amazon-ecs-developer-guide

Kris Nova

commit sha 32c4e752f3ad833618c7ae0c3244dba911604022

Update doc_source/falco-fargate-ptrace-security.md Co-authored-by: Leo Di Donato <leodidonato@gmail.com>

push time in 7 days

push eventkris-nova/amazon-ecs-developer-guide

Kris Nova

commit sha a80f6548c93e611d4ded53e29c6d9af4261cd893

Update doc_source/falco-fargate-ptrace-security.md Co-authored-by: Leo Di Donato <leodidonato@gmail.com>

push time in 7 days

Pull request review commentawsdocs/amazon-ecs-developer-guide

[WIP] feat(docs): Add Falco and Fargate with ECS documentation

+# Securing Fargate Tasks with Falco Runtime Security++ECS Fargate `1.4.0` [announced support](https://aws.amazon.com/about-aws/whats-new/2020/04/aws-fargate-launches-platform-version-14/) for the `CAP_SYS_PTRACE` linux capability.++This new feature can be implemented with [Falco](falco.org), an open source runtime security project originally built by Sysdig, Inc and later donated to the Cloud Native Computing Foundation.++Falco uses `ptrace(2)` with Fargate in ECS to detect anomalous behavior at runtime. ++Falco can be configured to send alerts to STDOUT such that ECS can consume the logs. They can then be used to trigger alerts and alarms using AWS logging solutions such as CloudWatch. ++## Dependencies++In order to begin securing a task in ECS a few components need to be installed within the container.++ - Falco userspace daemon+ - Falco pdig tracing utility+ +After these components are installed in the container, Falco can be used in the following ways.++ - Launch an arbitrary process, and begin tracing the original process and all of it's child processes. + - Attach to a running process, and begin tracing the process and all of it's child processes. 
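Review bot: The `[Falco](falco.org)` link in the second paragraph has no scheme, so a Markdown renderer resolves it as a path relative to the guide instead of the project site. Write it as `[Falco](https://falco.org)`.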

PS: Thank you for the typo suggestion - will accept once we figure out the threading things :heart:

kris-nova

comment created time in 7 days

Pull request review commentawsdocs/amazon-ecs-developer-guide

[WIP] feat(docs): Add Falco and Fargate with ECS documentation

+# Securing Fargate Tasks with Falco Runtime Security++ECS Fargate `1.4.0` [announced support](https://aws.amazon.com/about-aws/whats-new/2020/04/aws-fargate-launches-platform-version-14/) for the `CAP_SYS_PTRACE` linux capability.++This new feature can be implemented with [Falco](falco.org), an open source runtime security project originally built by Sysdig, Inc and later donated to the Cloud Native Computing Foundation.++Falco uses `ptrace(2)` with Fargate in ECS to detect anomalous behavior at runtime. ++Falco can be configured to send alerts to STDOUT such that ECS can consume the logs. They can then be used to trigger alerts and alarms using AWS logging solutions such as CloudWatch. ++## Dependencies++In order to begin securing a task in ECS a few components need to be installed within the container.++ - Falco userspace daemon+ - Falco pdig tracing utility+ +After these components are installed in the container, Falco can be used in the following ways.++ - Launch an arbitrary process, and begin tracing the original process and all of it's child processes. + - Attach to a running process, and begin tracing the process and all of it's child processes. 
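Review bot: Both bullets at the end of the Dependencies section use `it's` where the possessive is meant (`all of it's child processes`). Change both to `its`.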

Can we open a feature for this in the Falco pdig repository? Can you also suggest some language that would be more appropriate here?

kris-nova

comment created time in 7 days

push eventkris-nova/amazon-ecs-developer-guide

Kris Nova

commit sha 1db09947da63b5415a82bf63ecc3d998d50874d7

Update doc_source/falco-fargate-ptrace-security.md Co-authored-by: Grzegorz Nosek <github@localdomain.pl>

push time in 7 days

push eventfalcosecurity/falco-website

Kris Nova

commit sha 9d60fa807da595449a30e6fa7d4dcef8ba4c862b

feat(html): Cleaning up and simplifying the website. Signed-off-by: Kris Nova <kris@nivenly.com>

push time in 7 days

pull request commentfalcosecurity/falco-website

feat(docs): Updating CSS for logos

/hold

kris-nova

comment created time in 7 days

PR opened falcosecurity/falco-website

feat(docs): Updating CSS for logos

Signed-off-by: Kris Nova kris@nivenly.com

<!-- Thanks for sending a pull request! Here are some tips for you:

  1. If this is your first time, please read our contributor guidelines in the CONTRIBUTING.md file in the Falco repository.
  2. Please label this pull request according to what type of issue you are addressing.
  3. Please add a release note!
  4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature" -->

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind user-interface

/kind content

/kind translation

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area blog

/area documentation

What this PR does / why we need it:

Updating our logos and adopters on the home page to match adopters.md in the Falco repository.

Which issue(s) this PR fixes:

<!-- Automatically closes linked issue when PR is merged. Usage: Fixes #<issue number>, or Fixes (paste link of issue). -->

Fixes #

Special notes for your reviewer:

This will render something like:

Screenshot from 2020-05-18 16-30-53

+234 -272

0 comment

57 changed files

pr created time in 7 days

create branchfalcosecurity/falco-website

branch : logo-update

created branch time in 7 days

PR opened falcosecurity/falco-website

feat(docs): Updating install info

Updating language in install notice to be more user friendly

Signed-off-by: Kris Nova kris@nivenly.com

+5 -4

0 comment

1 changed file

pr created time in 7 days

create branchfalcosecurity/falco-website

branch : adjust-install-info

created branch time in 7 days

PR closed falcosecurity/falco-website

Adjust info

+77 -161

0 comment

5 changed files

kris-nova

pr closed time in 7 days

PR opened falcosecurity/falco-website

Adjust info

+77 -161

0 comment

5 changed files

pr created time in 7 days

create branchfalcosecurity/falco-website

branch : adjust-info

created branch time in 7 days

pull request commentkris-nova/knobs

Add initial CRD generation setup

yeah that would be great @hasheddan

hasheddan

comment created time in 7 days

pull request commentdraios/sysdig

udig support

It needs to be rebased?

ldegio

comment created time in 7 days

issue openedfalcosecurity/charts

Declare support for helm charts

Motivation

Following up on https://falco.org/blog/falco-scope/

Can we please document the support path for these charts? Where do users go for help?

<!-- Is your feature request related to a problem? Please describe what the problem is clearly and concisely. Eg., I'm always frustrated when ... -->

Feature

Can we create a clear document somewhere that describes responsibility of each chart, and where to go for help and support?

<!-- Describe the solution you would like. A clear and concise description of what you want to happen. -->

Alternatives

<!-- Describe alternatives you have considered, if any. A clear and concise description of any alternative solutions or features you have considered. -->

Additional context

<!-- Add any other context or screenshots about the feature request here. -->

created time in 7 days

issue openedfalcosecurity/charts

Update OWNERS

Motivation

Following up on https://github.com/falcosecurity/contrib/issues/12

We need to review and update the OWNERS file.

More importantly - we need to identify new owners for these charts.

Feature

Calling all maintainers. If you are interested in maintaining or contributing to the chart please follow up below.

I would also like to volunteer myself as a maintainer to help with ensuring features and support are not missed.

created time in 7 days

issue commentfalcosecurity/contrib

Adopt helm charts

Thanks for all your hard work @nestorsalceda!

We have preserved your original work and the community will always be here if you want to come back and say hello.


The Falco helm charts repository has been created at github.com/falcosecurity/charts.

Welcome to the Falco project

kris-nova

comment created time in 7 days

issue closedfalcosecurity/contrib

Adopt helm charts

Motivation

Following the discussion on the call today. There was talk of moving the existing helm chart to the contrib status in The Falco Project.

We need a few things to make this happen.

  • We should revisit the OWNERS file and append with someone who can maintain and support the helm chart
  • We should compose the helm chart in such a way that we can have multiple charts for various use cases.
  • We should warn and be very clear about which charts use known attack vectors in Kubernetes (privileged=true)
.
├── falco-bpf-gke
│   └── helm.yaml
├── falco-grpc
│   └── helm.yaml
├── falco-module
│   ├── helm.yaml
│   └── PRIVILIGED-WARNING.txt
├── falco-operator
├── falco-prometheus-full
│   └── helm.yaml
└── falco-systemd
    └── helm.yaml

closed time in 7 days

kris-nova

issue openedfalcosecurity/charts

Secure Helm Chart

Motivation

Following this discussion we have been able to identify a number of security holes in the current helm chart.

This issue aims to define the constraints of building a secure-by-default Helm chart for Falco.

Feature

As a Kubernetes user I would like to be able to type

helm install falco <args>

such that a complete Falco installation is deployed to my cluster and is running as an unprivileged daemonset.

This chart should be to the default chart as hardened is to the Linux kernel.

Constraints:

  • The daemonset pods have securitycontext.privileged=false
  • No access to the host network
  • No access to the host PID namespace
  • No access to any of the host namespaces while we are at it. Get rid of them all.

The daemonset pods should be a lightweight program (probably written in Go) that reads events from the Falco Unix Socket here.

The host

There should be two options for installing the Falco components on the host. A privileged and less secure option that runs the installation in an init container, or an opt-out option that simply assumes this is already managed at the host level.

Kubernetes should NOT be watching/scheduling Falco. Falco should be scheduled with Systemd so that it will continue to run even if Kubernetes is compromised.

The only components running inside of Kubernetes will be lightweight pods that consume the falco events and can potentially forward these events around the cluster.

created time in 7 days
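
The constraints listed in the issue above, written as a manifest check. This is an added example, not code from the Falco project or its charts; the function name, the sample manifests and the container names are constructed for illustration, and `hostIPC` is included as one of the remaining host namespaces.

```python
import json

# Pod-level fields that join the pod to a host namespace.
HOST_NAMESPACE_FIELDS = ("hostNetwork", "hostPID", "hostIPC")


def audit_daemonset(manifest, allow_privileged_init=False):
    """Check a DaemonSet manifest (as a dict) against the issue's constraints.

    Returns a list of findings; an empty list means every constraint holds.
    allow_privileged_init models the issue's "less secure" option in which
    only an init container installs the host components with privileges.
    """
    kind = manifest.get("kind")
    if kind != "DaemonSet":
        return ["kind is %r, expected 'DaemonSet'" % kind]

    template = (manifest.get("spec") or {}).get("template") or {}
    pod_spec = template.get("spec") or {}
    findings = []

    # Unset fields default to false in Kubernetes, so only an explicit
    # true is a violation.
    for field in HOST_NAMESPACE_FIELDS:
        if pod_spec.get(field) is True:
            findings.append("spec.template.spec.%s is true" % field)

    groups = (("containers", False), ("initContainers", allow_privileged_init))
    for group, privileged_allowed in groups:
        for container in pod_spec.get(group) or []:
            ctx = container.get("securityContext") or {}
            if ctx.get("privileged") is True and not privileged_allowed:
                findings.append(
                    "%s[%s] securityContext.privileged is true"
                    % (group, container.get("name"))
                )
    return findings


# Constructed sample: a DaemonSet that breaks three of the constraints.
PRIVILEGED_DS = """
{
  "apiVersion": "apps/v1",
  "kind": "DaemonSet",
  "metadata": {"name": "falco"},
  "spec": {"template": {"spec": {
    "hostNetwork": true,
    "hostPID": true,
    "containers": [
      {"name": "falco", "image": "example.invalid/falco:tag",
       "securityContext": {"privileged": true}}
    ]
  }}}
}
"""

# Constructed sample: unprivileged forwarder pods, with the optional
# privileged init container that installs the host components.
HARDENED_DS = """
{
  "apiVersion": "apps/v1",
  "kind": "DaemonSet",
  "metadata": {"name": "falco-forwarder"},
  "spec": {"template": {"spec": {
    "initContainers": [
      {"name": "driver-install", "image": "example.invalid/install:tag",
       "securityContext": {"privileged": true}}
    ],
    "containers": [
      {"name": "event-forwarder", "image": "example.invalid/forwarder:tag",
       "securityContext": {"privileged": false}}
    ]
  }}}
}
"""

if __name__ == "__main__":
    for label, raw in (("privileged", PRIVILEGED_DS), ("hardened", HARDENED_DS)):
        for finding in audit_daemonset(json.loads(raw)) or ["no findings"]:
            print("%s: %s" % (label, finding))
```

Run against rendered chart output converted to JSON, it reports which constraint a chart breaks before the chart is installed.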

push eventfalcosecurity/charts

Néstor Salceda

commit sha b1c50099eadb8c52eaad3626df827d6a7e63718e

[stable/falco] Add Falco chart (#5853) * [stable/falco] Add Falco chart * Fix indentation and other stuff reported by CI * Add appVersion to Chart.yaml * Specify container resources * Allow to load external Falco rules * Move GCSCC integrations to a top level integrations section We can correlate falco.* keys for falco related settings, and refer them in Falco Wiki * Rename deployment to fakeEventGenerator First one is too generic * Add OWNERS file * Separate rbac and serviceAccount Follow RBAC best practices: https://github.com/kubernetes/helm/blob/master/docs/chart_best_practices/rbac.md * Use falco.serviceAccount name template for cluster role binding * Fixes required from reviewer * Allow passing rules in an external file instead of editing configMap by hand * Remove quotes from Chart version I'm not sure if this break lint stage in CircleCI * Update Chart.yaml

AdamDang

commit sha 53cb7accf3c0c5dfd139fc615611b72c8624fee7

[stable/falco] Fix some small typos (#6455) * [stable/falco] Fix some small typos Fix some small typos * Add version 0.1.1 Add version 0.1.1

Néstor Salceda

commit sha 8acbdbb8219e88f274775d0a53ca094e5545d580

[stable/falco] Add Falco NATS output integration (#6600) * Update value of bufferedOutputs in configmap documentation * Add NATS output integration for Sysdig Falco * Add a change log

Néstor Salceda

commit sha aa4f17c837f2741d6fcbd23b88a77cdba1e1faa3

Update falco_rules.yaml file to use same rules that Falco 0.11.1 (#7059)

Néstor Salceda

commit sha e19e9d1bea59bbdd356e39f00766e00b72302cb3

[stable/falco] Enable eBPF support for Sysdig Falco helm chart (#7191) * Add eBPF support for Falco in Helm Chart * Add a more fine grained settings for eBPF stuff

Néstor Salceda

commit sha 42a3029495f85d6cb4713bf66205bdb88a928bad

Make use of shm. It was present in volume but was not mounted. (#7634) Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

Carlos Tadeu Panato Junior

commit sha a2d4f9f5fa38edcfd468914c253e4fd8ff797635

add ability to set proxy server to the daemon set (#7659) Signed-off-by: cpanato <ctadeu@gmail.com>

Néstor Salceda

commit sha 6afdbca3065ee276b769534658109730e22b8834

[stable/falco] Add Amazon SNS integration (#7957) * Add Amazon SNS integration This allows Falco to publish alerts to a SNS topic Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com> * Fix build and add entry to the CHANGELOG Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

Diego Lendoiro

commit sha 07569bdce5fdf642efd4be7bca81aeba80246330

Resolve cluster hostnames when using hostnetwork (#8274) Signed-off-by: Diego Lendoiro <diego.lendoiro@gmail.com>

Néstor Salceda

commit sha bd86d8a66bc15bedb84d3ec138764f712c341e4a

Download container images from falcosecurity organization (#8560) Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

Néstor Salceda

commit sha 47ba43144b374ca184cd2e27569b34c2e0942cc4

Update Rules to match Falco version 0.13.0 rules (#9225) Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

Carlos Tadeu Panato Junior

commit sha 5060c55cf59ead4f0b9642e09d6b6b65b3db7749

[stable/falco] use version 0.13.0 instead of latest (#9932) * use version 0.13.0 instead of latest Signed-off-by: cpanato <ctadeu@gmail.com> * update changelog Signed-off-by: cpanato <ctadeu@gmail.com>

Beruben Daniel

commit sha e5c2915cee99b2a1cbd9b1bd11d1a9572315f32a

Update example (#10104) * update correct example Signed-off-by: Daniel BERUBEN <daniel.beruben@thalesdigital.io> * Signed-off-by: Daniel BERUBEN <daniel.beruben@thalesdigital.io> * bump chart version Signed-off-by: Daniel BERUBEN <daniel.beruben@thalesdigital.io> * update CHANGELOG Signed-off-by: Daniel BERUBEN <daniel.beruben@thalesdigital.io> * update space Signed-off-by: Daniel BERUBEN <daniel.beruben@thalesdigital.io> :q! * remove space Signed-off-by: Daniel BERUBEN <daniel.beruben@thalesdigital.io> :x * space Signed-off-by: Daniel BERUBEN <daniel.beruben@thalesdigital.io> :x

Cameron Attard

commit sha 7c1a6ec8532014cd0db3d333392bd0581232daad

[stable/falco] add extraArgs (#9738) Signed-off-by: Cameron Attard <cameron.attard@siteminder.com>

Néstor Salceda

commit sha a93e7dc44ada319f06019c831a7cfd864cde8a52

[stable/falco] Upgrade to Falco 0.14.0 (#12439) * Upgrade to Falco 0.14.0 Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com> * Enable eBPF by default on Falco builds Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com> * Allow to specify images from different registries than `docker.io` Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com> * Upgrade Chart version to a minor one because eBPF default value Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com> * Use RollingUpgrade strategy by default Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com> * Provide a sane defaults for resources Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com> * Update CHANGELOG entries Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com> * Add minor / major categorization to changelog Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

Néstor Salceda

commit sha 85e815a06fe17a7bd8f2b8ea8c9933f5cd05c66c

[stable/falco] Disable ebpf by default (#12762) * Disable ebpf by default This reverts the change made on 0.6.0 Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com> * Specify in CHANGELOG that we are reverting the previous change. The vast majority of our users are using the kernel module approach and we can cause some troubles with this change. Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com> * Explain WHY we activated the ebpf module by default Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

Fede Barcelona

commit sha fb098ca8570bc2764146a7dc675739ace00a5ca4

[stable/falco] Add GCloud PubSub integration (#12204) * [stable/falco] Add GCloud PubSub integration * Add GCloud PubSub integration This allows Falco to publish alerts to a PubSub topic Signed-off-by: Federico Barcelona <fede_rico_94@hotmail.com> * [stable/falco] Fix values to follow naming conventions Signed-off-by: Federico Barcelona <fede_rico_94@hotmail.com> * [stable/falco] Changes requested in the PR - Follow naming conventions - Use only one secret instead of two different ones Signed-off-by: Federico Barcelona <fede_rico_94@hotmail.com>

Fede Barcelona

commit sha 5ca6f4283c08ad41a28ba761a4f94ee3d49ff9ac

[stable/falco] Fix README.md documentation (#13125) Signed-off-by: Federico Barcelona <fede_rico_94@hotmail.com>

Néstor Salceda

commit sha 50148836e01ebe621818f6739ac62f2d8facb212

Remove the toJson pipeline when adding Google Cloud Credentials (#13272) Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

Néstor Salceda

commit sha cb733a291247649533c69144b4e0c78d76dbfa80

Use KUBERNETES_SERVICE_HOST environment variable (#13676) Instead of hardcoding or relying in DNS, use this method. Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

push time in 7 days

PR merged falcosecurity/charts

Pull falco chart from helm/charts

This pulls in the falco helm chart from the charts repo under helm. Helm has asked maintainers to take these steps.

Add 'falco/' from commit '5ef70d45258bb36cba453065427e8c6a6284c90f'

Commands run:

(from helm/charts)
git subtree  split --prefix stable/falco/
git co <resulting sha>
git co -b falco_split

(from falcosecurity/charts)
git subtree add --prefix falco ../charts falco_split

git-subtree-dir: falco
git-subtree-mainline: 26466a22e5640cbd559aa7f87882d729191105cc
git-subtree-split: 5ef70d45258bb36cba453065427e8c6a6284c90f
Signed-off-by: Spencer Krum <nibz@spencerkrum.com>
+5121 -0

2 comments

25 changed files

nibalizer

pr closed time in 7 days

pull request commentfalcosecurity/charts

Pull falco chart from helm/charts

This LGTM! Welcome to the Falco project!

We probably owe the helm community a PR to remove this from their end.

nibalizer

comment created time in 7 days

pull request commentfalcosecurity/contrib

wip: add helm chart

Hey - overall this PR looks great - let's get it merged.

Can we PR this change to https://github.com/falcosecurity/charts? I just set that repo up and we can begin hosting the charts there. Especially once the unix socket work goes into play :)

nibalizer

comment created time in 7 days

create branchfalcosecurity/charts

branch : master

created branch time in 7 days

created repositoryfalcosecurity/charts

Community managed Helm charts for running Falco with Kubernetes

created time in 7 days

PR opened falcosecurity/falco-website

feat(docs): Updating scope

Adding the scope of falco blog and adjusting docs as needed

Signed-off-by: Kris Nova kris@nivenly.com


What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind user-interface

/kind content

/kind translation

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area blog

/area documentation

What this PR does / why we need it:

Which issue(s) this PR fixes:


Fixes #

Special notes for your reviewer:

+72 -157

0 comment

4 changed files

pr created time in 7 days

create branch falcosecurity/falco-website

branch : scope-blog

created branch time in 7 days

created repository falcosecurity/charts

Community managed Falco Helm charts

created time in 7 days

create branch falcosecurity/charts

branch : master

created branch time in 7 days

push event kris-nova/packer-builder-arm-image

Kris Nova

commit sha cd62d91dfe150c0e9f93927a9d4981dc8eb9262b

Adding dependencies for our arch linux user friends PS hi everyone :)


push time in 8 days

pull request comment draios/sysdig

udig support

Looks like the build was broken - getting a 403 error on the Linux builds. I restarted them to see if it was a flake or not.

This is blocking #1195 so trying to nudge it along :+1:

ldegio

comment created time in 8 days

pull request comment falcosecurity/falco-website

feat(docs): Install support and new blog

/approve

Can I approve a PR I started but Leo finished? I have no idea

kris-nova

comment created time in 8 days

Pull request review comment falcosecurity/falco-website

feat(docs): Install support and new blog

+---+title: Download+description: Officially supported Falco artifacts+weight: 2+---++## Downloading++The Falco Project community only supports two ways for downloading and running Falco:++ - Running Falco directly on a Linux host+ - Running the Falco userspace program in a container, with a driver installed on the underlying host.+ +Below you can find artifacts for both. +++### Download for Linux++|        | development                                                                                                                 | stable                                                                                                              |+|--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|+| rpm    | [![rpm-dev](https://img.shields.io/bintray/v/falcosecurity/rpm-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][1] | [![rpm](https://img.shields.io/bintray/v/falcosecurity/rpm/falco?label=Falco&color=%23005763&style=flat-square)][2] |+| deb    | [![deb-dev](https://img.shields.io/bintray/v/falcosecurity/deb-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][3] | [![deb](https://img.shields.io/bintray/v/falcosecurity/deb/falco?label=Falco&color=%23005763&style=flat-square)][4] |+| binary | [![bin-dev](https://img.shields.io/bintray/v/falcosecurity/bin-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][5] | [![bin](https://img.shields.io/bintray/v/falcosecurity/bin/falco?label=Falco&color=%23005763&style=flat-square)][6] |++The list of all available artifacts can be found [here](https://bintray.com/falcosecurity).++---++### Download container images++{{< info >}}++Falco depends on having a driver installed on the host system to get information about the running system calls.++The preferred installation method is to install the driver using 
the native artifacts defined above or +temporarily run the `falcosecurity/falco-driver-loader` image as privileged, then using the `falcosecurity/falco-no-driver`.++{{< /info >}}++|tag | pull command | description |
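
Review bot: The info block under "Download container images" tells readers to run `falcosecurity/falco-driver-loader` as privileged and "then using the `falcosecurity/falco-no-driver`", but the sentence is never finished and does not say what privileges, if any, the second image needs. Suggest completing it and stating the privilege requirement of each image explicitly, since that decides whether the container route is acceptable on a locked-down host. The Linux download table also reaches the rpm, deb and binary artifacts only through version badges; a line on how to verify what was downloaded (checksum or package signature) would belong next to it.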

Can we call out which containers require privileges to escalate to the host? I hate to nit-pick this but it really is a big deal for a lot of production users. Maybe we just add a column at the end requires-privileged or something?

kris-nova

comment created time in 8 days

Pull request review comment falcosecurity/falco-website

feat(docs): Install support and new blog

 ----title: Running Falco-weight: 2+title: Running +description: Operating and Managing Falco+weight: 4 --- -Falco is meant to be run as a service. But for experimentation and designing/testing rulesets, you will likely want to run it manually from the command-line. -## Running Falco as a service+## Run Falco as a service -Once you've [installed](../installation) Falco as a package, you can start the service:+If you installed Falco by using [the deb or the rpm](../installation) package, you can start the service:  ```bash service falco start
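
Review bot: In the front matter, the new `title: Running ` line carries trailing whitespace and drops the product name that the old `title: Running Falco` had, so the page title alone no longer says what is being run. Suggest `title: Running Falco`, or trim the trailing space if the short title is intended.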

Can we also add a note that says that systemctl will also work even though the Falco service is configured with init.d?

systemctl start falco

kris-nova

comment created time in 8 days

Pull request review comment falcosecurity/falco-website

feat(docs): Install support and new blog

 ----title: Running Falco-weight: 2+title: Running +description: Operating and Managing Falco+weight: 4 --- -Falco is meant to be run as a service. But for experimentation and designing/testing rulesets, you will likely want to run it manually from the command-line. -## Running Falco as a service+## Run Falco as a service -Once you've [installed](../installation) Falco as a package, you can start the service:+If you installed Falco by using [the deb or the rpm](../installation) package, you can start the service:  ```bash service falco start ``` -The default configuration logs events to syslog.+You can also view the Falco logs using `journalctl`. -## Reloading configuration--As of Falco >= 0.13.0, on SIGHUP Falco will fully restart its main loop, closing the device for the kernel module and re-reading all config, etc. from scratch. This can be useful if you want to change the set of rules files, config, etc. on the fly without having to restart Falco.--## Running Falco in a container--The current version of Falco is available as the `falcosecurity/falco:{{< latest >}}` container. Here's an example command to run the container locally on Linux:--```bash-docker run \-  --interactive \-  --privileged \-  --tty \-  --name falco \-  --volume /var/run/docker.sock:/host/var/run/docker.sock \-  --volume /dev:/host/dev \-  --volume /proc:/host/proc:ro \-  --volume /boot:/host/boot:ro \-  --volume /lib/modules:/host/lib/modules:ro \-  --volume /usr:/host/usr:ro \-  falcosecurity/falco:{{< latest >}}-```--By default, starting the container will attempt to load and/or build the Falco kernel module. If you already know that the kernel module is loaded and want to skip this step, you can set the environment variable `SYSDIG_SKIP_LOAD` to `1`:--```bash-docker run ... -e SYSDIG_SKIP_LOAD=1 ... falcosecurity/falco:{{< latest >}}-```--## Running Falco in a Kind cluster--The easiest way to run Falco on a [Kind](https://github.com/kubernetes-sigs/kind) cluster is as follows:--1. 
Create a configuration file. For example: `kind-config.yaml`--2. Add the following to the file:-```yaml-kind: Cluster-apiVersion: kind.x-k8s.io/v1alpha4-nodes:-- role: control-plane-  extraMounts:-  - hostPath: /dev-    containerPath: /dev-```--3. Create the cluster by specifying the configuration file:+```bash +journalctl -fu falco ```-kind create cluster --config=./kind-config.yaml-```--4. [Install](../installation) Falco in your Kubernetes cluster with kind. -## Running Falco manually+## Run Falco manually -If you'd like to run Falco by hand, here's the full usage description for falco:+If you'd like to run Falco by hand, here's the full usage description for Falco:
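
Review bot: The removed "Reloading configuration" and "Running Falco in a container" sections have no replacement visible in this hunk, so the SIGHUP reload behaviour for Falco >= 0.13.0, the `--privileged` `docker run` example with its host mounts, and the `SYSDIG_SKIP_LOAD` note would no longer be documented on this page; please confirm they moved elsewhere and link to them from here. Separately, the added line "You can also view the Falco logs using `journalctl`" replaces "The default configuration logs events to syslog", which drops the statement of where alerts go by default and assumes a systemd host. Suggest keeping the syslog sentence and presenting `journalctl -fu falco` as the systemd option.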

I generally do not suggest adding things like this to the documentation. This means every time we change something in the code we have to remember to change it here. Also this isn't relevant to all versions of Falco.

I would rather see something like:

The Falco help menu that is specific to your version of Falco can be found by

falco --help

kris-nova

comment created time in 8 days

Pull request review comment awsdocs/amazon-ecs-developer-guide

[WIP] feat(docs): Add Falco and Fargate with ECS documentation

+# Securing Fargate Tasks with Falco Runtime Security++ECS Fargate `1.4.0` [announced support](https://aws.amazon.com/about-aws/whats-new/2020/04/aws-fargate-launches-platform-version-14/) for the `CAP_SYS_PTRACE` linux capability.++This new feature can be implemented with [Falco](falco.org), an open source runtime security project originally built by Sysdig, Inc and later donated to the Cloud Native Computing Foundation.++Falco uses `ptrace(2)` with Fargate in ECS to detect anomalous behavior at runtime. ++Falco can be configured to send alerts to STDOUT such that ECS can consume the logs. They can then be used to trigger alerts and alarms using AWS logging solutions such as CloudWatch. ++## Dependencies++In order to begin securing a task in ECS a few components need to be installed within the container.++ - Falco userspace daemon+ - Falco pdig tracing utility+ +After these components are installed in the container, Falco can be used in the following ways.++ - Launch an arbitrary process, and begin tracing the original process and all of it's child processes. + - Attach to a running process, and begin tracing the process and all of it's child processes. + +In order for the Falco `pdig` utility to work, the `CAP_SYS_PTRACE` capability must be enabled in a task definition for a Fargate 1.4 or greater ECS Cluster. ++Add the following section to the container JSON you wish to secure while creating the task definition. ++```json+            "linuxParameters": {+                "capabilities": {+                    "add": [+                        "SYS_PTRACE"+                    ],+                    "drop": null+                }+            },+```++## Installing Falco++_Note:_ The Falco `pdig` components are targetted to be released in an upcoming Falco release. 
This documentation will need to be updated after the initial release.++For now you can use the `krisnova/falco-trace:latest` container image which is built on debian and contains Falco and `pdig` pre-installed. +The original work to get this working can be found at [github.com/kris-nova/falco-trace](https://github.com/kris-nova/falcotrace).
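
Review bot: In the "Installing Falco" section the link text reads `github.com/kris-nova/falco-trace` but its target is `https://github.com/kris-nova/falcotrace`; one of the two is wrong and should be fixed before readers are pointed at the source of an image they are asked to run. The same paragraph recommends `krisnova/falco-trace:latest`, a mutable tag; for a security document, suggest pinning a version tag or digest. Smaller points: `[Falco](falco.org)` has no scheme and will resolve as a relative link, "it's child processes" should be "its" in both bullets, and "targetted" should be "targeted". Since the task definition adds `SYS_PTRACE`, a sentence on what that capability permits inside the task would help readers judge the trade-off.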

These lines (40-44) will ultimately be removed before I remove the WIP flag from the PR.

But until the Falco community is able to cut a release with these updates, this is a place for folks to kick the tires.

kris-nova

comment created time in 8 days

push event kris-nova/amazon-ecs-developer-guide

Kris Nova

commit sha 2d58996a1ad1fd644778a864a7068000e8bb3899

feat(docs): Adjusting JSON error with Linux Capabilities

Signed-off-by: Kris Nova <kris@nivenly.com>


push time in 8 days

PR opened awsdocs/amazon-ecs-developer-guide

[WIP] feat(docs): Add Falco and Fargate with ECS documentation

Note: The Falco community will be updating our artifacts and documentation for these new features. This PR should be considered a WIP (Work in Progress) until then.

Signed-off-by: Kris Nova kris@nivenly.com

Issue #, if available:

Description of changes:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

+118 -0

0 comment

1 changed file

pr created time in 8 days

fork kris-nova/amazon-ecs-developer-guide

The open source version of the Amazon ECS developer guide. You can submit feedback & requests for changes by submitting issues in this repo or by making proposed changes & submitting a pull request.

fork in 8 days

issue opened falcosecurity/falco

ECS Metadata

Motivation

Falco can run in ECS Fargate now, can we look at improving our integration?


Feature

With the new workaround pdig and running falco in ECS Fargate, can we start exploring consuming ECS and Fargate metadata into Falco in the same way we consume container and Kubernetes metadata?

This is relevant because this can be used as our first input plugin that can be built outside of the core Falco engine and use the new inputs API.


Alternatives


Additional context


created time in 8 days

issue comment kris-nova/knobs

Celanthe/Rin Checking In

Hi welcome!

Would you be interested in reviewing my prototype once I finish it?

celanthe

comment created time in 8 days

issue comment kris-nova/knobs

Moficodes Reporting for Duty

Welcome! I think we are jumping on #1 and getting CRDs and an empty operator merged into the repo for us to start looking at how to configure this.

moficodes

comment created time in 8 days

issue comment kris-nova/knobs

Goozbach checking in.

We need help documenting our install story on falco.org

If you want to jump on a call we totally can! But the docs are all over the place and need some help standardizing.

goozbach

comment created time in 8 days

issue comment kris-nova/knobs

I want to participate

Maybe you can help with @hasheddan with #1 and get started on building out the CRDs?

Ideally we would have the CRDs defined in the readme with an empty spec and an operator all built out and ready to go for us.

0xtanja

comment created time in 8 days

issue comment kris-nova/knobs

hasheddan reporting for duty

Welcome to the party!

I am going to spend some time getting a prototype and blog set up - and then it should be a party for others to try it out and contribute back.

If you want to start with the CRD work please feel free - we literally have a white canvas to work with.

hasheddan

comment created time in 8 days

started solo-io/packer-builder-arm-image

started time in 8 days
