From 2fb30b38dd059aacb04cd1acf392d26024891edd Mon Sep 17 00:00:00 2001 From: simon Date: Sat, 28 Mar 2026 16:35:22 +0800 Subject: [PATCH 01/15] falco --- falco/falcoserver/templates/deployment.yaml | 85 +++++++++++++++------ 1 file changed, 61 insertions(+), 24 deletions(-) diff --git a/falco/falcoserver/templates/deployment.yaml b/falco/falcoserver/templates/deployment.yaml index 9fa85fb1a..600861b66 100644 --- a/falco/falcoserver/templates/deployment.yaml +++ b/falco/falcoserver/templates/deployment.yaml @@ -1,24 +1,25 @@ {{- if and .Values.admin .Values.bfl.username (eq .Values.admin .Values.bfl.username) }} --- apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: labels: - io.kompose.service: falcoserver - name: falcoserver + app: falco-agent + name: falco-agent namespace: {{ .Release.Namespace }} spec: - replicas: 1 selector: matchLabels: - io.kompose.service: falcoserver - strategy: - type: Recreate + app: falco-agent + updateStrategy: + type: RollingUpdate template: metadata: labels: - io.kompose.service: falcoserver + app: falco-agent spec: + tolerations: + - operator: Exists containers: - name: falco image: "docker.io/falcosecurity/falco:0.43.0" @@ -32,7 +33,7 @@ spec: - -o - http_output.enabled=true - -o - - http_output.url=http://localhost:2801/ + - http_output.url=http://falco-sidekick.{{ .Release.Namespace }}:2801/ securityContext: capabilities: drop: 
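Review bot: The new sink `http_output.url=http://falco-sidekick.{{ .Release.Namespace }}:2801/` sends every alert over plain HTTP with no client credential, so alerts cross the pod network in clear and whatever answers on that name receives them. Falco's http_output can, if I remember the option names correctly, be pointed at a TLS endpoint and present a client certificate (`http_output.mtls=true` plus `http_output.client_cert`/`http_output.client_key`), which would stop any pod that can reach the Service from posting forged alerts; at minimum the sink should be documented as trusted-network-only. The blanket `tolerations: - operator: Exists` is normal for a node agent but deserves a why-comment, e.g. `# tolerate every taint so the agent also lands on tainted/control-plane nodes`. The container spec, including the `securityContext.capabilities.drop` list, continues past the hunk.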
@@ -61,6 +62,56 @@ spec: - mountPath: /dev name: dev + volumes: + - name: proc + hostPath: + path: /proc + - name: etc + hostPath: + path: /etc + - name: debugfs + hostPath: + path: /sys/kernel/debug + - name: dev + hostPath: + path: /dev + restartPolicy: Always + +--- +apiVersion: v1 +kind: Service +metadata: + name: falco-sidekick + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 2801 + targetPort: 2801 + selector: + app: falco-central + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: falco-central + name: falco-central + namespace: {{ .Release.Namespace }} +spec: + replicas: 1 + selector: + matchLabels: + app: falco-central + strategy: + type: Recreate + template: + metadata: + labels: + app: falco-central + spec: + containers: - name: sidekick image: "docker.io/falcosecurity/falcosidekick:2.33.0" imagePullPolicy: IfNotPresent @@ -153,20 +204,7 @@ spec: - ping initialDelaySeconds: 5 periodSeconds: 5 - volumes: - - name: proc - hostPath: - path: /proc - - name: etc - hostPath: - path: /etc - - name: debugfs - hostPath: - path: /sys/kernel/debug - - name: dev - hostPath: - path: /dev - name: redis-data hostPath: type: DirectoryOrCreate @@ -179,7 +217,6 @@ spec: {{- else }} path: '{{ .Values.userspace.appData }}/{{ .Release.Name }}/redis' {{- end }} - restartPolicy: Always --- apiVersion: v1 @@ -193,5 +230,5 @@ spec: port: 2802 targetPort: 2802 selector: - io.kompose.service: falcoserver + app: falco-central {{- end }} From ef2479ca5c1ddc1ebf39315c58ec74a6c2ff92be Mon Sep 17 00:00:00 2001 From: simon Date: Mon, 30 Mar 2026 18:10:46 +0800 Subject: [PATCH 02/15] falco --- falco/Chart.yaml | 2 +- falco/OlaresManifest.yaml | 2 +- falco/falco/Chart.yaml | 2 +- falco/falcoserver/Chart.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/falco/Chart.yaml b/falco/Chart.yaml index 388751fa3..904dbcf43 100644 --- a/falco/Chart.yaml +++ b/falco/Chart.yaml 
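Review bot: The new `falco-sidekick` Service publishes sidekick's ingest port 2801 to every pod in the cluster, while the only legitimate senders are the `app: falco-agent` DaemonSet pods in this namespace, so any workload can inject fabricated alerts into the pipeline that the UI and any downstream outputs will treat as real. If the CNI enforces NetworkPolicy, a policy on the `app: falco-central` pods limiting 2801 to the agent pods closes that gap; the UI port 2802 would then need its own ingress rule for whatever fronts it, since a policy with an ingress section denies everything it does not list. The host paths moved into the DaemonSet (`/proc`, `/etc`, `/sys/kernel/debug`, `/dev`) are what Falco needs, but a short comment on why `/etc` is mounted would help the next reader.

```yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: falco-sidekick-ingest
  namespace: {{ .Release.Namespace }}
spec:
  podSelector:
    matchLabels:
      app: falco-central
  policyTypes:
    - Ingress
  ingress:
    # only the agents may post alerts to sidekick
    - from:
        - podSelector:
            matchLabels:
              app: falco-agent
      ports:
        - protocol: TCP
          port: 2801
    # … add a second rule here for the UI port 2802 and its intended client …
```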
@@ -3,4 +3,4 @@ appVersion: '0.43.0' description: Cloud Native Runtime Security tool for Linux operating systems. name: falco type: application -version: '1.0.3' +version: '1.0.4' diff --git a/falco/OlaresManifest.yaml b/falco/OlaresManifest.yaml index 8ad2b234a..ce4767576 100644 --- a/falco/OlaresManifest.yaml +++ b/falco/OlaresManifest.yaml @@ -7,7 +7,7 @@ metadata: description: Cloud Native Runtime Security tool for detecting abnormal behavior. icon: https://app.cdn.olares.com/appstore/falco/icon.png appid: falco - version: '1.0.3' + version: '1.0.4' title: Falco categories: - Developer Tools diff --git a/falco/falco/Chart.yaml b/falco/falco/Chart.yaml index 2da8e515b..0777aa1a4 100644 --- a/falco/falco/Chart.yaml +++ b/falco/falco/Chart.yaml @@ -3,4 +3,4 @@ appVersion: '1.25.3-2' description: description name: falco type: application -version: 1.0.2 +version: 1.0.4 diff --git a/falco/falcoserver/Chart.yaml b/falco/falcoserver/Chart.yaml index 42374c8ac..b354c5c7c 100644 --- a/falco/falcoserver/Chart.yaml +++ b/falco/falcoserver/Chart.yaml @@ -3,4 +3,4 @@ appVersion: '0.43.0' description: description name: falcoserver type: application -version: 1.0.2 +version: 1.0.4 From e113a35e26a106fb16b12a0b299b88ffdaaf24b2 Mon Sep 17 00:00:00 2001 From: simon Date: Mon, 30 Mar 2026 23:24:14 +0800 Subject: [PATCH 03/15] customer rules --- falco/falcoserver/templates/deployment.yaml | 26 +++++++++++++++++++++ falco/falcoserver/values.yaml | 15 +++++++++++- 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/falco/falcoserver/templates/deployment.yaml b/falco/falcoserver/templates/deployment.yaml index 600861b66..592187dd0 100644 --- a/falco/falcoserver/templates/deployment.yaml +++ b/falco/falcoserver/templates/deployment.yaml 
@@ -1,4 +1,17 @@ {{- if and .Values.admin .Values.bfl.username (eq .Values.admin .Values.bfl.username) }} +{{- if .Values.customRules }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: falco-custom-rules + namespace: {{ .Release.Namespace }} +data: +{{- range $fileName, $ruleContent := .Values.customRules }} + {{ $fileName }}: | +{{ $ruleContent | indent 4 }} +{{- end }} +{{- end }} --- apiVersion: apps/v1 kind: DaemonSet @@ -61,6 +74,14 @@ spec: readOnly: true - mountPath: /dev name: dev +{{- if .Values.customRules }} +{{- range $fileName, $_ := .Values.customRules }} + - mountPath: /etc/falco/rules.d/{{ $fileName }} + name: falco-custom-rules + subPath: {{ $fileName }} + readOnly: true +{{- end }} +{{- end }} volumes: - name: proc @@ -75,6 +96,11 @@ spec: - name: dev hostPath: path: /dev +{{- if .Values.customRules }} + - name: falco-custom-rules + configMap: + name: falco-custom-rules +{{- end }} restartPolicy: Always --- diff --git a/falco/falcoserver/values.yaml b/falco/falcoserver/values.yaml index 8b1378917..8fcc50abd 100644 --- a/falco/falcoserver/values.yaml +++ b/falco/falcoserver/values.yaml @@ -1 +1,14 @@ - +# Additional Falco rule files. +# Keys are file names and values are full rule file contents. +# They will be mounted to /etc/falco/rules.d/. +# Falco default rules remain enabled; custom rules are loaded in addition. +# Built-in test rule enabled by default. +customRules: + custom_rules.yaml: | + - rule: Test - Terminal Shell In Container + desc: Test rule to validate Falco custom rules pipeline + condition: container and shell_procs and proc.name in (bash, sh, zsh) + output: > + TEST custom rule matched (user=%user.name command=%proc.cmdline container=%container.id image=%container.image.repository) + priority: WARNING + tags: [container, test] From bdee9cd03ac0ce540bf3410369403aa87b646e7c Mon Sep 17 00:00:00 2001 
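Review bot: `{{ $fileName }}: |` in the new ConfigMap renders the user-supplied key unquoted, and the same value is later spliced into a `mountPath` and `subPath`, so a name containing a YAML-special character produces malformed YAML instead of a clear error; `{{ $fileName | quote }}: |` is the safe form. Rule content is admin-controlled here, but a syntax error in any supplied file will, as far as I recall, make Falco exit at startup, which on a DaemonSet means every agent on every node crashloops and detection stops cluster-wide. That is worth stating in the values.yaml comment, e.g. `# A rule file that fails to parse stops Falco on every node; validate with falco -V <file> before changing this.`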
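Review bot: The custom-rule files are mounted with `subPath`, and the kubelet never refreshes subPath mounts of a ConfigMap, so a later change to `customRules` updates the ConfigMap but the running agents keep the old file until their pods are recreated; Falco's own config-file watching cannot trigger either. Since the DaemonSet pod template does not otherwise change when only values change, add a checksum annotation to the template metadata so a rules edit forces a rollout, e.g. `checksum/custom-rules: {{ toYaml .Values.customRules | sha256sum }}`. The alternative is mounting the whole ConfigMap as a directory, but a sub-directory under `rules.d` is not picked up unless it is listed explicitly, so the annotation is the smaller change.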
From: simon Date: Tue, 31 Mar 2026 00:23:48 +0800 Subject: [PATCH 04/15] limit --- falco/falcoserver/templates/deployment.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/falco/falcoserver/templates/deployment.yaml b/falco/falcoserver/templates/deployment.yaml index 592187dd0..c7b688ee4 100644 --- a/falco/falcoserver/templates/deployment.yaml +++ b/falco/falcoserver/templates/deployment.yaml @@ -152,7 +152,7 @@ spec: memory: 64Mi limits: cpu: 500m - memory: 256Mi + memory: 500Mi readinessProbe: httpGet: path: /ping @@ -181,7 +181,7 @@ spec: memory: 64Mi limits: cpu: 500m - memory: 256Mi + memory: 400Mi readinessProbe: httpGet: path: / @@ -212,7 +212,7 @@ spec: memory: 64Mi limits: cpu: 500m - memory: 512Mi + memory: 1G volumeMounts: - mountPath: /data name: redis-data From 3e6888883aef330ea5c315dea5c48d69e30d765f Mon Sep 17 00:00:00 2001 From: simon Date: Tue, 31 Mar 2026 10:15:12 +0800 Subject: [PATCH 05/15] customer rule --- falco/falcoserver/values.yaml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/falco/falcoserver/values.yaml b/falco/falcoserver/values.yaml index 8fcc50abd..e5ef24fb3 100644 --- a/falco/falcoserver/values.yaml +++ b/falco/falcoserver/values.yaml 
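Review bot: `memory: 1G` in the redis container's limits mixes units with the rest of the file, which uses binary `Mi` for every request and limit (`64Mi`, `500Mi`, `400Mi`); in Kubernetes `1G` is 10^9 bytes, roughly 953Mi, not 1024Mi. Use `memory: 1Gi` so the intent is unambiguous and consistent. The 64Mi request against a ~1Gi limit is a wide ratio for a stateful cache; if that is deliberate, a comment saying so would help the scheduler-minded reader.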
@@ -2,13 +2,12 @@ # Keys are file names and values are full rule file contents. # They will be mounted to /etc/falco/rules.d/. # Falco default rules remain enabled; custom rules are loaded in addition. -# Built-in test rule enabled by default. -customRules: - custom_rules.yaml: | - - rule: Test - Terminal Shell In Container - desc: Test rule to validate Falco custom rules pipeline - condition: container and shell_procs and proc.name in (bash, sh, zsh) - output: > - TEST custom rule matched (user=%user.name command=%proc.cmdline container=%container.id image=%container.image.repository) - priority: WARNING - tags: [container, test] +# Keep empty to disable custom rules. +#- rule: Test - Terminal Shell In Container +# desc: Test rule to validate Falco custom rules pipeline +# condition: container and shell_procs and proc.name in (bash, sh, zsh) +# output: > +# TEST custom rule matched (user=%user.name command=%proc.cmdline container=%container.id image=%container.image.repository) +# priority: WARNING +# tags: [container, test] +customRules: {} From 08e0bab55a019bb0ba58d0de9f9e4fef9d2384a9 Mon Sep 17 00:00:00 2001 From: simon Date: Tue, 31 Mar 2026 10:27:35 +0800 Subject: [PATCH 06/15] custome rule --- falco/falcoserver/values.yaml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/falco/falcoserver/values.yaml b/falco/falcoserver/values.yaml index e5ef24fb3..8fcc50abd 100644 --- a/falco/falcoserver/values.yaml +++ b/falco/falcoserver/values.yaml 
@@ -2,12 +2,13 @@ # Keys are file names and values are full rule file contents. # They will be mounted to /etc/falco/rules.d/. # Falco default rules remain enabled; custom rules are loaded in addition. -# Keep empty to disable custom rules. -#- rule: Test - Terminal Shell In Container -# desc: Test rule to validate Falco custom rules pipeline -# condition: container and shell_procs and proc.name in (bash, sh, zsh) -# output: > -# TEST custom rule matched (user=%user.name command=%proc.cmdline container=%container.id image=%container.image.repository) -# priority: WARNING -# tags: [container, test] -customRules: {} +# Built-in test rule enabled by default. +customRules: + custom_rules.yaml: | + - rule: Test - Terminal Shell In Container + desc: Test rule to validate Falco custom rules pipeline + condition: container and shell_procs and proc.name in (bash, sh, zsh) + output: > + TEST custom rule matched (user=%user.name command=%proc.cmdline container=%container.id image=%container.image.repository) + priority: WARNING + tags: [container, test] From ce8d7b0fdbc4d0d1e5ddaa1aa4e4648c41acec2f Mon Sep 17 00:00:00 2001 From: simon Date: Tue, 31 Mar 2026 10:43:19 +0800 Subject: [PATCH 07/15] limit --- falco/falcoserver/templates/deployment.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/falco/falcoserver/templates/deployment.yaml b/falco/falcoserver/templates/deployment.yaml index c7b688ee4..27f48a55b 100644 --- a/falco/falcoserver/templates/deployment.yaml +++ b/falco/falcoserver/templates/deployment.yaml @@ -173,6 +173,9 @@ spec: - '-r' - 'localhost:6379' - '-d' + env: + - name: FALCOSIDEKICK_UI_TTL + value: "72h" ports: - containerPort: 2802 resources: @@ -181,7 +184,7 @@ spec: memory: 64Mi limits: cpu: 500m - memory: 400Mi + memory: 500Mi readinessProbe: httpGet: path: / @@ -212,7 +215,7 @@ spec: memory: 64Mi limits: cpu: 500m - memory: 1G + memory: 1.2G volumeMounts: - mountPath: /data name: redis-data 
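Review bot: The chart default once again ships the `Test - Terminal Shell In Container` rule enabled, whose output is literally prefixed `TEST custom rule matched`, so every fresh install reports each interactive shell twice if, as I believe, the stock ruleset already carries a shell-in-container rule. A chart default should not carry a pipeline smoke test; keep the example as the commented block above and default to `customRules: {}`, which the template's `{{- if .Values.customRules }}` already treats as disabled. If the rule is meant to stay on, its comment should say it is a test and why it is enabled in production.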
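Review bot: The `FALCOSIDEKICK_UI_TTL` env is added to a container whose existing arguments pass `-d` to falcosidekick-ui, which, if that is the UI's disable-authentication flag as I recall, means the UI published on port 2802 serves every alert to any pod that can reach it; since this commit is the one touching that container, it is the place to drop `-d` and configure a credential instead. Whether the image honours `FALCOSIDEKICK_UI_TTL` rather than a `-t` argument is something to confirm against the 2.x UI docs, and a comment such as `# keep 72h of events in redis before expiry` would record why 72h was chosen. The container spec begins and ends outside the hunk.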
From 5256bd41ca793771ece07adf522fdc6131eaf3ec Mon Sep 17 00:00:00 2001 From: simon Date: Tue, 31 Mar 2026 12:26:37 +0800 Subject: [PATCH 08/15] falco --- falco/falcoserver/templates/deployment.yaml | 25 +++++++++++++++++++++ falco/falcoserver/values.yaml | 24 ++++++++++++++------ 2 files changed, 42 insertions(+), 7 deletions(-) diff --git a/falco/falcoserver/templates/deployment.yaml b/falco/falcoserver/templates/deployment.yaml index 27f48a55b..8f32aa8a5 100644 --- a/falco/falcoserver/templates/deployment.yaml +++ b/falco/falcoserver/templates/deployment.yaml @@ -12,6 +12,20 @@ data: {{ $ruleContent | indent 4 }} {{- end }} {{- end }} +{{- if .Values.disabledRules }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: falco-disable-rules + namespace: {{ .Release.Namespace }} +data: + falco_disable_rules.yaml: | +{{- range $ruleName := .Values.disabledRules }} + - rule: {{ $ruleName | quote }} + enabled: false +{{- end }} +{{- end }} --- apiVersion: apps/v1 kind: DaemonSet @@ -81,6 +95,12 @@ spec: subPath: {{ $fileName }} readOnly: true {{- end }} +{{- end }} +{{- if .Values.disabledRules }} + - mountPath: /etc/falco/rules.d/falco_disable_rules.yaml + name: falco-disable-rules + subPath: falco_disable_rules.yaml + readOnly: true {{- end }} volumes: @@ -100,6 +120,11 @@ spec: - name: falco-custom-rules configMap: name: falco-custom-rules +{{- end }} +{{- if .Values.disabledRules }} + - name: falco-disable-rules + configMap: + name: falco-disable-rules {{- end }} restartPolicy: Always diff --git a/falco/falcoserver/values.yaml b/falco/falcoserver/values.yaml index 8fcc50abd..faa56b1c3 100644 --- a/falco/falcoserver/values.yaml +++ b/falco/falcoserver/values.yaml 
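Review bot: The `falco-disable-rules` ConfigMap emits `- rule: <name>` / `enabled: false` overrides, and Falco only applies such an override to a rule that has already been loaded, so a misspelled or nonexistent name in `disabledRules` will, as far as I recall, fail rule loading and stop every agent rather than be ignored; the values.yaml comment should say that names must match an existing rule exactly. Because this silences detections, the rendered file should also carry a header making the intent auditable, e.g. `# Rules disabled via .Values.disabledRules — each entry turns a detection off on every node.` The alphabetical load order inside `rules.d` puts `falco_disable_rules.yaml` after `custom_rules.yaml`, which is what allows custom rules to be disabled too, and that ordering dependency deserves a comment next to the `subPath` mount.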
@@ -3,12 +3,22 @@ # They will be mounted to /etc/falco/rules.d/. # Falco default rules remain enabled; custom rules are loaded in addition. # Built-in test rule enabled by default. +# demo +#- rule: Test - Terminal Shell In Container +# desc: Test rule to validate Falco custom rules pipeline +# condition: container and shell_procs and proc.name in (bash, sh, zsh) +# output: > +# TEST custom rule matched (user=%user.name command=%proc.cmdline container=%container.id image=%container.image.repository) +# priority: WARNING +# tags: [container, test] customRules: custom_rules.yaml: | - - rule: Test - Terminal Shell In Container - desc: Test rule to validate Falco custom rules pipeline - condition: container and shell_procs and proc.name in (bash, sh, zsh) - output: > - TEST custom rule matched (user=%user.name command=%proc.cmdline container=%container.id image=%container.image.repository) - priority: WARNING - tags: [container, test] + + +# Disable built-in Falco rules by name. +# Example: +# disabledRules: +# - Terminal shell in container +# - Write below etc +disabledRules: + - Terminal shell in container From eb65d2dc900246ffeba353a36a9de860140446c4 Mon Sep 17 00:00:00 2001 From: simon Date: Thu, 2 Apr 2026 10:25:29 +0800 Subject: [PATCH 09/15] falco --- falco/Chart.yaml | 2 +- falco/OlaresManifest.yaml | 2 +- falco/falcoserver/templates/deployment.yaml | 52 +++++++++++++++++++++ 3 files changed, 54 insertions(+), 2 deletions(-) diff --git a/falco/Chart.yaml b/falco/Chart.yaml index 904dbcf43..6457eb7ef 100644 --- a/falco/Chart.yaml +++ b/falco/Chart.yaml @@ -3,4 +3,4 @@ appVersion: '0.43.0' description: Cloud Native Runtime Security tool for Linux operating systems. name: falco type: application -version: '1.0.4' +version: '1.0.5' diff --git a/falco/OlaresManifest.yaml b/falco/OlaresManifest.yaml index ce4767576..098a2b57d 100644 --- a/falco/OlaresManifest.yaml +++ b/falco/OlaresManifest.yaml 
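Review bot: The chart default now sets `disabledRules: - Terminal shell in container`, switching off one of Falco's stock detections on every installation, while the comment directly above presents that list as an "Example"; a security tool's defaults should keep detections on, so this should be `disabledRules: []` with the example left commented. The `custom_rules.yaml: |` entry now has an empty body, which renders an empty file under `/etc/falco/rules.d/`; I am not certain Falco accepts an empty rules file silently, so if no custom rules are intended `customRules: {}` is the safer default. The header comment still says "Built-in test rule enabled by default", which no longer matches the content.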
@@ -7,7 +7,7 @@ metadata: description: Cloud Native Runtime Security tool for detecting abnormal behavior. icon: https://app.cdn.olares.com/appstore/falco/icon.png appid: falco - version: '1.0.4' + version: '1.0.5' title: Falco categories: - Developer Tools diff --git a/falco/falcoserver/templates/deployment.yaml b/falco/falcoserver/templates/deployment.yaml index 8f32aa8a5..eda4c283e 100644 --- a/falco/falcoserver/templates/deployment.yaml +++ b/falco/falcoserver/templates/deployment.yaml @@ -27,6 +27,20 @@ data: {{- end }} {{- end }} --- +apiVersion: v1 +kind: ConfigMap +metadata: + name: falco-plugin-runtime-config + namespace: {{ .Release.Namespace }} +data: + plugins.yaml: | + plugins: + - name: k8saudit + library_path: libk8saudit.so + init_config: "" + open_params: "http://0.0.0.0:8765/k8s-audit" + load_plugins: [k8saudit] +--- apiVersion: apps/v1 kind: DaemonSet metadata: @@ -47,6 +61,21 @@ spec: spec: tolerations: - operator: Exists + initContainers: + - name: falcoctl-install-plugins + image: "docker.io/falcosecurity/falcoctl:main" + imagePullPolicy: IfNotPresent + command: + - falcoctl + args: + - artifact + - install + - k8saudit + securityContext: + runAsUser: 0 + volumeMounts: + - name: falco-plugins + mountPath: /usr/share/falco/plugins containers: - name: falco image: "docker.io/falcosecurity/falco:0.43.0" @@ -61,6 +90,8 @@ spec: - http_output.enabled=true - -o - http_output.url=http://falco-sidekick.{{ .Release.Namespace }}:2801/ + - -c + - /etc/falco/config.d/plugins.yaml securityContext: capabilities: drop: @@ -88,6 +119,12 @@ spec: readOnly: true - mountPath: /dev name: dev + - mountPath: /usr/share/falco/plugins + name: falco-plugins + - mountPath: /etc/falco/config.d/plugins.yaml + name: falco-plugin-runtime-config + subPath: plugins.yaml + readOnly: true {{- if .Values.customRules }} {{- range $fileName, $_ := .Values.customRules }} - mountPath: /etc/falco/rules.d/{{ $fileName }} 
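Review bot: The new `falcoctl-install-plugins` init container runs `docker.io/falcosecurity/falcoctl:main` as root and downloads the k8saudit plugin from the network on every pod start, so the code loaded into a privileged security agent on every node is whatever the mutable `main` tag and the upstream artifact registry serve that day; pin a release tag plus digest (`falcosecurity/falcoctl:<version>@sha256:<digest>`) and consider baking the plugin into an image instead of fetching at runtime. The plugin config's `open_params: "http://0.0.0.0:8765/k8s-audit"` opens an HTTP listener in every agent pod that accepts audit events from anyone who can reach it, so forged audit records become forged alerts unless a NetworkPolicy restricts that port. Passing `-c /etc/falco/config.d/plugins.yaml` also replaces Falco's main config file rather than layering on it, if `-c` works as I remember, which would drop the default `rules_files` and output settings; the rest of the agent's args are outside this hunk.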
@@ -116,6 +153,21 @@ spec: - name: dev hostPath: path: /dev + - name: falco-plugins + hostPath: + type: DirectoryOrCreate + {{- if .Values.sysVersion }} + {{- if semverCompare ">=1.12.3-0" (toString .Values.sysVersion) }} + path: '{{ .Values.userspace.appData }}/plugins' + {{- else }} + path: '{{ .Values.userspace.appData }}/{{ .Release.Name }}/plugins' + {{- end }} + {{- else }} + path: '{{ .Values.userspace.appData }}/{{ .Release.Name }}/plugins' + {{- end }} + - name: falco-plugin-runtime-config + configMap: + name: falco-plugin-runtime-config {{- if .Values.customRules }} - name: falco-custom-rules configMap: From cfb61e54abd238a40b23458039255f9ad176b505 Mon Sep 17 00:00:00 2001 From: simon Date: Fri, 3 Apr 2026 00:24:44 +0800 Subject: [PATCH 10/15] falco --- falco/falcoserver/templates/deployment.yaml | 85 +++++++++++++-------- 1 file changed, 52 insertions(+), 33 deletions(-) diff --git a/falco/falcoserver/templates/deployment.yaml b/falco/falcoserver/templates/deployment.yaml index eda4c283e..7f8b64e79 100644 --- a/falco/falcoserver/templates/deployment.yaml +++ b/falco/falcoserver/templates/deployment.yaml @@ -27,20 +27,6 @@ data: {{- end }} {{- end }} --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: falco-plugin-runtime-config - namespace: {{ .Release.Namespace }} -data: - plugins.yaml: | - plugins: - - name: k8saudit - library_path: libk8saudit.so - init_config: "" - open_params: "http://0.0.0.0:8765/k8s-audit" - load_plugins: [k8saudit] ---- apiVersion: apps/v1 kind: DaemonSet metadata: 
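Review bot: The `falco-plugins` hostPath is a `DirectoryOrCreate` directory under the user's appData from which Falco dlopen()s shared objects, so whoever can write to that host path gets native code execution inside the agent, which mounts `/dev`, `/proc` and debugfs on every node. The agent container itself only reads plugins, so its mount of this volume in the previous hunk should be `readOnly: true`, and the directory's ownership and mode should be documented as owner-writable only. A comment on the volume, e.g. `# plugin .so files are loaded into the agent — treat this path as code, not data`, would make that clear to whoever tunes permissions later. The `semverCompare` path selection mirrors the redis-data block and could share a helper template, but that is style only.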
@@ -62,26 +48,54 @@ spec: tolerations: - operator: Exists initContainers: - - name: falcoctl-install-plugins - image: "docker.io/falcosecurity/falcoctl:main" + - name: init-chmod-falco-plugins + image: "docker.io/beclab/aboveos-busybox:1.37.0" imagePullPolicy: IfNotPresent command: - - falcoctl - args: - - artifact - - install - - k8saudit - securityContext: - runAsUser: 0 + - sh + - '-c' + - | + chown -R 1000:1000 /falco-plugins + chmod -R 0777 /falco-plugins + if [ ! -f /falco-plugin-config/plugins.local.yaml ]; then + printf '%s\n' \ + '# Falco plugin configuration example.' \ + '# This file is created only once by init container.' \ + '# Edit this file manually to enable plugins you installed' \ + '# under /usr/share/falco/plugins.' \ + '#' \ + '# Example: enable k8saudit plugin' \ + '# plugins:' \ + '# - name: k8saudit' \ + '# library_path: libk8saudit.so' \ + '# init_config: ""' \ + '# open_params: "http://:9765/k8s-audit"' \ + '#' \ + '# load_plugins: [k8saudit]' \ + > /falco-plugin-config/plugins.local.yaml + fi + chown 1000:1000 /falco-plugin-config/plugins.local.yaml + chmod 0664 /falco-plugin-config/plugins.local.yaml + resources: {} volumeMounts: - name: falco-plugins - mountPath: /usr/share/falco/plugins + mountPath: /falco-plugins + - name: falco-plugin-config-file + mountPath: /falco-plugin-config/plugins.local.yaml + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + securityContext: + runAsUser: 0 containers: - name: falco image: "docker.io/falcosecurity/falco:0.43.0" imagePullPolicy: IfNotPresent args: - /usr/bin/falco + - -r + - /etc/falco/falco_rules.yaml + - -r + - /etc/falco/rules.d - -o - json_output=true - -o @@ -90,8 +104,6 @@ spec: - http_output.enabled=true - -o - http_output.url=http://falco-sidekick.{{ .Release.Namespace }}:2801/ - - -c - - /etc/falco/config.d/plugins.yaml securityContext: capabilities: drop: 
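Review bot: `chmod -R 0777 /falco-plugins` makes the directory Falco loads shared objects from world-writable, and `plugins.local.yaml` names the `library_path` that will be dlopen()ed, so any uid on the host that can reach the appData path can plant a `.so` or point the config at one and run code inside the privileged agent on that node. The script already chooses uid 1000 as the writer via `chown -R 1000:1000`, so `chmod -R 0755 /falco-plugins` and `chmod 0644 /falco-plugin-config/plugins.local.yaml` give that uid everything it needs without opening the path to everyone. The generated example also quotes `open_params: "http://:9765/k8s-audit"` where the previous commit used port 8765; one of them should be corrected so the comment matches what users will copy.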
@@ -121,10 +133,8 @@ spec: name: dev - mountPath: /usr/share/falco/plugins name: falco-plugins - - mountPath: /etc/falco/config.d/plugins.yaml - name: falco-plugin-runtime-config - subPath: plugins.yaml - readOnly: true + - mountPath: /etc/falco/config.d/plugins.local.yaml + name: falco-plugin-config-file {{- if .Values.customRules }} {{- range $fileName, $_ := .Values.customRules }} - mountPath: /etc/falco/rules.d/{{ $fileName }} @@ -165,9 +175,18 @@ spec: {{- else }} path: '{{ .Values.userspace.appData }}/{{ .Release.Name }}/plugins' {{- end }} - - name: falco-plugin-runtime-config - configMap: - name: falco-plugin-runtime-config + - name: falco-plugin-config-file + hostPath: + type: FileOrCreate + {{- if .Values.sysVersion }} + {{- if semverCompare ">=1.12.3-0" (toString .Values.sysVersion) }} + path: '{{ .Values.userspace.appData }}/plugins.local.yaml' + {{- else }} + path: '{{ .Values.userspace.appData }}/{{ .Release.Name }}/plugins.local.yaml' + {{- end }} + {{- else }} + path: '{{ .Values.userspace.appData }}/{{ .Release.Name }}/plugins.local.yaml' + {{- end }} {{- if .Values.customRules }} - name: falco-custom-rules configMap: From 158c30cde9f6a485d7f1fa0e3b0307f7e9a6efad Mon Sep 17 00:00:00 2001 From: simon Date: Sat, 4 Apr 2026 14:31:24 +0800 Subject: [PATCH 11/15] falco --- falco/falcoserver/templates/deployment.yaml | 21 +++++ .../templates/plugin_installer_job.yaml | 93 +++++++++++++++++++ 2 files changed, 114 insertions(+) create mode 100644 falco/falcoserver/templates/plugin_installer_job.yaml diff --git a/falco/falcoserver/templates/deployment.yaml b/falco/falcoserver/templates/deployment.yaml index 7f8b64e79..fc7a7e794 100644 --- a/falco/falcoserver/templates/deployment.yaml +++ b/falco/falcoserver/templates/deployment.yaml 
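Review bot: The agent's new mount of `plugins.local.yaml` at `/etc/falco/config.d/plugins.local.yaml` is not `readOnly: true`, unlike the ConfigMap mount it replaces, although the agent only reads the file and the init container already has its own writable mount; a read-only mount keeps a compromised Falco process from rewriting its own plugin list. The `FileOrCreate` hostPath is created by the kubelet as root, which is why the init container's chown is needed, and that is worth a one-line comment on the volume. The `semverCompare ">=1.12.3-0"` fallback is now repeated for the third time in this file; a named template would keep the three copies from drifting.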
@@ -57,6 +57,9 @@ spec: - | chown -R 1000:1000 /falco-plugins chmod -R 0777 /falco-plugins + mkdir -p /falco-rules + chown -R 1000:1000 /falco-rules + chmod -R 0777 /falco-rules if [ ! -f /falco-plugin-config/plugins.local.yaml ]; then printf '%s\n' \ '# Falco plugin configuration example.' \ @@ -80,6 +83,8 @@ spec: volumeMounts: - name: falco-plugins mountPath: /falco-plugins + - name: falco-rules + mountPath: /falco-rules - name: falco-plugin-config-file mountPath: /falco-plugin-config/plugins.local.yaml terminationMessagePath: /dev/termination-log @@ -96,6 +101,8 @@ spec: - /etc/falco/falco_rules.yaml - -r - /etc/falco/rules.d + - -r + - /etc/falco/rules.d/managed - -o - json_output=true - -o @@ -135,6 +142,8 @@ spec: name: falco-plugins - mountPath: /etc/falco/config.d/plugins.local.yaml name: falco-plugin-config-file + - mountPath: /etc/falco/rules.d/managed + name: falco-rules {{- if .Values.customRules }} {{- range $fileName, $_ := .Values.customRules }} - mountPath: /etc/falco/rules.d/{{ $fileName }} @@ -187,6 +196,18 @@ spec: {{- else }} path: '{{ .Values.userspace.appData }}/{{ .Release.Name }}/plugins.local.yaml' {{- end }} + - name: falco-rules + hostPath: + type: DirectoryOrCreate + {{- if .Values.sysVersion }} + {{- if semverCompare ">=1.12.3-0" (toString .Values.sysVersion) }} + path: '{{ .Values.userspace.appData }}/rules' + {{- else }} + path: '{{ .Values.userspace.appData }}/{{ .Release.Name }}/rules' + {{- end }} + {{- else }} + path: '{{ .Values.userspace.appData }}/{{ .Release.Name }}/rules' + {{- end }} {{- if .Values.customRules }} - name: falco-custom-rules configMap: diff --git a/falco/falcoserver/templates/plugin_installer_job.yaml b/falco/falcoserver/templates/plugin_installer_job.yaml new file mode 100644 index 000000000..14f2ead9c --- /dev/null +++ b/falco/falcoserver/templates/plugin_installer_job.yaml 
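Review bot: The new `falco-rules` hostPath is loaded by the agent via `-r /etc/falco/rules.d/managed` after the init container runs `chmod -R 0777 /falco-rules`, so anyone able to write that host directory can silence or rewrite detections on the node with a single `enabled: false` override or a changed condition; as with the plugins directory, `chmod -R 0755` with the existing `chown -R 1000:1000` is enough for the intended writer. The directory also sits inside `/etc/falco/rules.d`, which is itself passed with `-r`; as far as I know Falco does not recurse into sub-directories, which is why the explicit second `-r` is needed, and that should be stated in a comment so nobody "simplifies" it away. Falco's `-r` flags replace the `rules_files` list from falco.yaml, so `falco_rules.local.yaml` is no longer loaded; confirm that is intended.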
@@ -0,0 +1,93 @@ +{{- if and .Values.admin .Values.bfl.username (eq .Values.admin .Values.bfl.username) }} +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: falco-plugin-installer + namespace: {{ .Release.Namespace }} + labels: + app: falco-plugin-installer +spec: + selector: + matchLabels: + app: falco-plugin-installer + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + app: falco-plugin-installer + spec: + tolerations: + - operator: Exists + initContainers: + - name: init-chmod-falco-plugins + image: "docker.io/beclab/aboveos-busybox:1.37.0" + imagePullPolicy: IfNotPresent + command: + - sh + - '-c' + - | + chown -R 1000:1000 /falco-plugins + chmod -R 0777 /falco-plugins + mkdir -p /falco-rules + chown -R 1000:1000 /falco-rules + chmod -R 0777 /falco-rules + resources: {} + volumeMounts: + - name: falco-plugins + mountPath: /falco-plugins + - name: falco-rules + mountPath: /falco-rules + securityContext: + runAsUser: 0 + containers: + # Prebuilt toolbox image ships falcoctl + ca-certificates. 
+ - name: toolbox + image: "docker.io/beclab/falco-toolbox:v0.0.1" + imagePullPolicy: IfNotPresent + command: + - /bin/sh + - '-c' + - sleep infinity + stdin: true + tty: true + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + cpu: 100m + memory: 128Mi + volumeMounts: + - name: falco-plugins + mountPath: /usr/share/falco/plugins + - name: falco-rules + mountPath: /etc/falco + restartPolicy: Always + volumes: + - name: falco-plugins + hostPath: + type: DirectoryOrCreate + {{- if .Values.sysVersion }} + {{- if semverCompare ">=1.12.3-0" (toString .Values.sysVersion) }} + path: '{{ .Values.userspace.appData }}/plugins' + {{- else }} + path: '{{ .Values.userspace.appData }}/{{ .Release.Name }}/plugins' + {{- end }} + {{- else }} + path: '{{ .Values.userspace.appData }}/{{ .Release.Name }}/plugins' + {{- end }} + - name: falco-rules + hostPath: + type: DirectoryOrCreate + {{- if .Values.sysVersion }} + {{- if semverCompare ">=1.12.3-0" (toString .Values.sysVersion) }} + path: '{{ .Values.userspace.appData }}/rules' + {{- else }} + path: '{{ .Values.userspace.appData }}/{{ .Release.Name }}/rules' + {{- end }} + {{- else }} + path: '{{ .Values.userspace.appData }}/{{ .Release.Name }}/rules' + {{- end }} +{{- end }} From bff6a2020a33369bb4d030d86d9c73709523592a Mon Sep 17 00:00:00 2001 From: simon Date: Sun, 5 Apr 2026 16:12:42 +0800 Subject: [PATCH 12/15] falco --- falco/Chart.yaml | 2 +- falco/OlaresManifest.yaml | 2 +- falco/falcoserver/templates/deployment.yaml | 2 +- falco/falcoserver/templates/plugin_installer_job.yaml | 7 ++++--- llmfit/values.yaml | 1 + 5 files changed, 8 insertions(+), 6 deletions(-) diff --git a/falco/Chart.yaml b/falco/Chart.yaml index 6457eb7ef..3802e5eb3 100644 --- a/falco/Chart.yaml +++ b/falco/Chart.yaml @@ -3,4 +3,4 @@ appVersion: '0.43.0' description: Cloud Native Runtime Security tool for Linux operating systems. name: falco type: application -version: '1.0.5' +version: '1.0.7' 
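Review bot: `falco-plugin-installer` is named and filed as a job but is a DaemonSet of permanently running `sleep infinity` pods with `stdin`/`tty` and writable hostPath mounts to the plugin and rules directories, and the `toolbox` container sets no `securityContext`, so it runs as whatever user the image defaults to while its init container prepares the directories for uid 1000. Pin the container to that uid and strip what an interactive helper does not need, and rename the file or add a header comment explaining that it is a long-lived toolbox meant for `kubectl exec`, not a one-shot Job. Mounting the rules hostPath at `/etc/falco` also hides any `/etc/falco` content the toolbox image ships, which may be intentional but should be said.

```yaml
      containers:
        - name: toolbox
          # … unchanged: image, command, stdin/tty, resources, volumeMounts …
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
```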
diff --git a/falco/OlaresManifest.yaml b/falco/OlaresManifest.yaml index 098a2b57d..2a9c84ed6 100644 --- a/falco/OlaresManifest.yaml +++ b/falco/OlaresManifest.yaml @@ -7,7 +7,7 @@ metadata: description: Cloud Native Runtime Security tool for detecting abnormal behavior. icon: https://app.cdn.olares.com/appstore/falco/icon.png appid: falco - version: '1.0.5' + version: '1.0.7' title: Falco categories: - Developer Tools diff --git a/falco/falcoserver/templates/deployment.yaml b/falco/falcoserver/templates/deployment.yaml index fc7a7e794..c994de1fc 100644 --- a/falco/falcoserver/templates/deployment.yaml +++ b/falco/falcoserver/templates/deployment.yaml @@ -78,7 +78,7 @@ spec: > /falco-plugin-config/plugins.local.yaml fi chown 1000:1000 /falco-plugin-config/plugins.local.yaml - chmod 0664 /falco-plugin-config/plugins.local.yaml + chmod 0666 /falco-plugin-config/plugins.local.yaml resources: {} volumeMounts: - name: falco-plugins diff --git a/falco/falcoserver/templates/plugin_installer_job.yaml b/falco/falcoserver/templates/plugin_installer_job.yaml index 14f2ead9c..b92d3a8f0 100644 --- a/falco/falcoserver/templates/plugin_installer_job.yaml +++ b/falco/falcoserver/templates/plugin_installer_job.yaml @@ -1,18 +1,19 @@ {{- if and .Values.admin .Values.bfl.username (eq .Values.admin .Values.bfl.username) }} --- apiVersion: apps/v1 -kind: DaemonSet +kind: Deployment metadata: name: falco-plugin-installer namespace: {{ .Release.Namespace }} labels: app: falco-plugin-installer spec: + replicas: 1 selector: matchLabels: app: falco-plugin-installer - updateStrategy: - type: RollingUpdate + strategy: + type: Recreate template: metadata: labels: diff --git a/llmfit/values.yaml b/llmfit/values.yaml index e69de29bb..8b1378917 100644 --- a/llmfit/values.yaml +++ b/llmfit/values.yaml @@ -0,0 +1 @@ + From ac2cddf8d883bf2e9722c982edfdc640096bee15 Mon Sep 17 00:00:00 2001 
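Review bot: Widening `plugins.local.yaml` from `0664` to `0666` makes the file that tells Falco which shared object to load world-writable on the host, so any local uid or any other container mounting that appData path can set `library_path` to an attacker-supplied `.so` and execute code in the agent that has `/dev`, `/proc` and debugfs access. If a second uid genuinely needs to edit the file, give it the group (the script already runs `chown 1000:1000`, so `chown 1000:<editor-gid>` with `0664`) rather than opening it to everyone, and record the reason in a comment. The installer flipping between `Deployment` and `DaemonSet` in consecutive commits suggests the intended topology is not settled; a comment in the manifest stating whether one toolbox per cluster or per node is wanted would stop the churn.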
From: simon Date: Sun, 5 Apr 2026 22:22:59 +0800 Subject: [PATCH 13/15] falco --- falco/falcoserver/templates/deployment.yaml | 5 ++--- falco/falcoserver/templates/plugin_installer_job.yaml | 9 +++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/falco/falcoserver/templates/deployment.yaml b/falco/falcoserver/templates/deployment.yaml index c994de1fc..4bd92f785 100644 --- a/falco/falcoserver/templates/deployment.yaml +++ b/falco/falcoserver/templates/deployment.yaml @@ -65,12 +65,11 @@ spec: '# Falco plugin configuration example.' \ '# This file is created only once by init container.' \ '# Edit this file manually to enable plugins you installed' \ - '# under /usr/share/falco/plugins.' \ '#' \ '# Example: enable k8saudit plugin' \ '# plugins:' \ '# - name: k8saudit' \ - '# library_path: libk8saudit.so' \ + '# library_path: /var/lib/falco/plugins/libk8saudit.so' \ '# init_config: ""' \ '# open_params: "http://:9765/k8s-audit"' \ '#' \ @@ -138,7 +137,7 @@ spec: readOnly: true - mountPath: /dev name: dev - - mountPath: /usr/share/falco/plugins + - mountPath: /var/lib/falco/plugins name: falco-plugins - mountPath: /etc/falco/config.d/plugins.local.yaml name: falco-plugin-config-file diff --git a/falco/falcoserver/templates/plugin_installer_job.yaml b/falco/falcoserver/templates/plugin_installer_job.yaml index b92d3a8f0..bd06b68bb 100644 --- a/falco/falcoserver/templates/plugin_installer_job.yaml +++ b/falco/falcoserver/templates/plugin_installer_job.yaml @@ -1,19 +1,18 @@ {{- if and .Values.admin .Values.bfl.username (eq .Values.admin .Values.bfl.username) }} --- apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: name: falco-plugin-installer namespace: {{ .Release.Namespace }} labels: app: falco-plugin-installer spec: - replicas: 1 selector: matchLabels: app: falco-plugin-installer - strategy: - type: Recreate + updateStrategy: + type: RollingUpdate template: metadata: labels: 
@@ -63,6 +62,8 @@ spec: volumeMounts: - name: falco-plugins mountPath: /usr/share/falco/plugins + - name: falco-plugins + mountPath: /var/lib/falco/plugins - name: falco-rules mountPath: /etc/falco restartPolicy: Always From e222022a8fff13c1e67bb6d1d06f9b901e5de579 Mon Sep 17 00:00:00 2001 From: simon Date: Mon, 6 Apr 2026 11:30:49 +0800 Subject: [PATCH 14/15] limit --- falco/OlaresManifest.yaml | 4 ++-- falco/falcoserver/templates/deployment.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/falco/OlaresManifest.yaml b/falco/OlaresManifest.yaml index 2a9c84ed6..eb2671620 100644 --- a/falco/OlaresManifest.yaml +++ b/falco/OlaresManifest.yaml @@ -75,11 +75,11 @@ spec: url: https://github.com/falcosecurity/falco/blob/master/LICENSE {{- if and .Values.admin .Values.bfl.username (eq .Values.admin .Values.bfl.username) }} requiredMemory: 512Mi - limitedMemory: 4Gi + limitedMemory: 3Gi requiredDisk: 256Mi limitedDisk: 2Gi requiredCpu: 0.5 - limitedCpu: 4 + limitedCpu: 2 onlyAdmin: true {{- else }} requiredMemory: 64Mi diff --git a/falco/falcoserver/templates/deployment.yaml b/falco/falcoserver/templates/deployment.yaml index 4bd92f785..9216bf87b 100644 --- a/falco/falcoserver/templates/deployment.yaml +++ b/falco/falcoserver/templates/deployment.yaml @@ -331,7 +331,7 @@ spec: memory: 64Mi limits: cpu: 500m - memory: 1.2G + memory: 1.5G volumeMounts: - mountPath: /data name: redis-data From eaba5053b8afd91debb029e0885bf37c28f3ecaf Mon Sep 17 00:00:00 2001 From: simon Date: Thu, 9 Apr 2026 21:40:09 +0800 Subject: [PATCH 15/15] values --- llmfit/values.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/llmfit/values.yaml b/llmfit/values.yaml index 8b1378917..e69de29bb 100644 --- a/llmfit/values.yaml +++ b/llmfit/values.yaml @@ -1 +0,0 @@ -