@rasheedamir
Last active March 12, 2023 17:41

I started like this!

apiVersion: v2
name: falco
description: A Helm chart of falco for Kubernetes
dependencies:
  - name: falco
    version: 3.1.0
    repository: https://falcosecurity.github.io/charts
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application

# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.0.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "3.1.0"

serviceAccount:
  # -- Specifies whether a service account should be created.
  create: true
  # -- Annotations to add to the service account.
  annotations: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

falco:

  docker:
    enabled: false

  falco:
    json_output: true
    json_include_output_property: true
    log_syslog: false
    log_level: info
    http_output:
      enabled: false
      url: http://falcosidekick.stakater-falco:2801/ #TODO: fix this!

  scc:
    create: false

  falcosidekick:

    enabled: true

    webui:
      enabled: true

    config:
      alertmanager:
        hostport: http://alertmanager-main.openshift-monitoring.svc:9094 # TODO! Its hard coded
        minimumpriority: debug
        mutualtls: ""
        checkcert: false  # Will have to check if the cert issue is still there; for now use this!
@rasheedamir

rasheedamir commented Feb 26, 2023

falco:

  driver:
    kind: ebpf

Looks much better now

* Setting up /usr/src links from host
* Running falco-driver-loader for: falco version=0.34.1, driver version=4.0.0+driver, arch=x86_64, kernel release=4.18.0-372.36.1.el8_6.x86_64, kernel version=1
* Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
* Mounting debugfs
mount: /sys/kernel/debug: permission denied.
* Filename 'falco_rhcos_4.18.0-372.36.1.el8_6.x86_64_1.o' is composed of:
 - driver name: falco
 - target identifier: rhcos
 - kernel release: 4.18.0-372.36.1.el8_6.x86_64
 - kernel version: 1
* Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/4.0.0%2Bdriver/x86_64/falco_rhcos_4.18.0-372.36.1.el8_6.x86_64_1.o
curl: (22) The requested URL returned error: 404 
* Trying to compile the eBPF probe (falco_rhcos_4.18.0-372.36.1.el8_6.x86_64_1.o)
Unable to find a prebuilt falco eBPF probe
* eBPF probe located in /root/.falco/4.0.0+driver/x86_64/falco_rhcos_4.18.0-372.36.1.el8_6.x86_64_1.o
* Success: eBPF probe symlinked to /root/.falco/falco-bpf.o

Now the init container is healthy!

@rasheedamir

falcoctl-artifact-install logs

INFO: Reading all configured index files from "/root/.config/falcoctl/indexes.yaml"
WARN: No configured index. Consider to configure one using the 'index add' command.
INFO: Installing the following artifacts: [ghcr.io/falcosecurity/rules/falco-rules:0]
INFO: Preparing to pull "ghcr.io/falcosecurity/rules/falco-rules:0"
INFO: Retrieving credentials from local store
INFO: proceeding with empty credentials for registry "ghcr.io"
INFO: Pulling ad24f8acf278
INFO: Pulling 0d3705a4650f
INFO: Pulling 0957c1ef3fe4

INFO: Extracting and installing "rulesfile" "falco_rules.yaml.tar.gz"
INFO: Artifact successfully installed in "/rulesfiles"

@rasheedamir

falcoctl-artifact-follow logs

INFO: Retrieving versions from Falco (timeout 2m0s) ...
INFO: Successfully retrieved versions from Falco ...
INFO: Reading all configured index files from "/root/.config/falcoctl/indexes.yaml"
WARN: No configured index. Consider to configure one using the 'index add' command.
INFO: Creating follower for "falco-rules:0", with check every 6h0m0s
INFO: Retrieving credentials from local store
INFO: proceeding with empty credentials for registry "ghcr.io"
INFO: Starting follower for "ghcr.io/falcosecurity/rules/falco-rules:0"
INFO: (ghcr.io/falcosecurity/rules/falco-rules:0) fetching descriptor from remote repository...
INFO: (ghcr.io/falcosecurity/rules/falco-rules:0) descriptor correctly fetched
INFO: (ghcr.io/falcosecurity/rules/falco-rules:0) found new version under tag "0"
INFO: (ghcr.io/falcosecurity/rules/falco-rules:0) pulling artifact from remote repository...
INFO: (ghcr.io/falcosecurity/rules/falco-rules:0) check if pulling an allowed type of artifact
INFO: (ghcr.io/falcosecurity/rules/falco-rules:0) pulling artifact "ghcr.io/falcosecurity/rules/falco-rules:0"
INFO: (ghcr.io/falcosecurity/rules/falco-rules:0) extracting artifact
INFO: (ghcr.io/falcosecurity/rules/falco-rules:0) cleaning up leftovers files
INFO: (ghcr.io/falcosecurity/rules/falco-rules:0) artifact correctly pulled
INFO: (ghcr.io/falcosecurity/rules/falco-rules:0) installing file "falco_rules.yaml"...
INFO: (ghcr.io/falcosecurity/rules/falco-rules:0) checking if file "falco_rules.yaml" already exists in "/rulesfiles"
INFO: (ghcr.io/falcosecurity/rules/falco-rules:0) file "falco_rules.yaml" already exists in "/rulesfiles", checking if it is equal to the existing one
INFO: (ghcr.io/falcosecurity/rules/falco-rules:0) the two files are equal, nothing to be done
INFO: (ghcr.io/falcosecurity/rules/falco-rules:0) artifact with tag "0" correctly installed

@rasheedamir

Final settings

serviceAccount:
  # -- Specifies whether a service account should be created.
  create: true
  # -- Annotations to add to the service account.
  annotations: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

falco:

  driver:
    kind: ebpf

  docker:
    enabled: false

  falco:
    json_output: true
    json_include_output_property: true
    log_syslog: false
    log_level: info
    http_output:
      enabled: false
      url: http://falcosidekick.stakater-falco:2801/ #TODO: fix this!

  scc:
    create: false

  falcosidekick:

    enabled: true

    webui:
      enabled: true

    config:
      alertmanager:
        hostport: http://alertmanager-main.openshift-monitoring.svc:9094 # TODO! Its hard coded
        minimumpriority: debug
        mutualtls: ""
        checkcert: false  # Will have to check if the cert issue is still there; for now use this!

@rasheedamir

Had to create an SCC like this to get the sidekick and sidekick-ui pods running

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: |
      This provides the minimum requirements for Falco to run in OpenShift.
  name: {{ include "falco.serviceAccountName" . }}
  namespace: {{ include "falco.namespace" . }}
  labels:
    {{- include "falco.labels" . | nindent 4 }}
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: true
allowHostPID: true
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: []
allowedUnsafeSysctls: []
defaultAddCapabilities: []
fsGroup:
  type: RunAsAny
groups: []
priority: 0
readOnlyRootFilesystem: false
requiredDropCapabilities: []
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
seccompProfiles:
- '*'
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:{{ include "falco.namespace" . }}:{{ include "falco.serviceAccountName" . }}
- system:serviceaccount:{{ include "falco.namespace" . }}:sysdig-falco-falcosidekick
- system:serviceaccount:{{ include "falco.namespace" . }}:sysdig-falco-falcosidekick-ui
volumes:
- hostPath
- emptyDir
- secret
- configMap

@rasheedamir

There is a way to override podSecurityContext, so I ended up with this values file

serviceAccount:
  # -- Specifies whether a service account should be created.
  create: true
  # -- Annotations to add to the service account.
  annotations: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

falco:

  driver:
    kind: ebpf

  docker:
    enabled: false

  falco:
    json_output: true
    json_include_output_property: true
    log_syslog: false
    log_level: info
    http_output:
      enabled: false
      url: http://falcosidekick.stakater-falco:2801/ #TODO: fix this!

  scc:
    create: false

  falcosidekick:

    enabled: true

    podSecurityContext: ""

    webui:
      enabled: true

      podSecurityContext: ""

      ingress:
        enabled: false

    config:
      alertmanager:
        hostport: http://alertmanager-main.openshift-monitoring.svc:9094 # TODO! Its hard coded
        minimumpriority: debug
        mutualtls: ""
        checkcert: false  # Will have to check if the cert issue is still there; for now use this!

@rasheedamir

And the final SCC looks like this

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: |
      This provides the minimum requirements for Falco to run in OpenShift.
  name: {{ include "falco.serviceAccountName" . }}
  namespace: {{ include "falco.namespace" . }}
  labels:
    {{- include "falco.labels" . | nindent 4 }}
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: true
allowHostPID: true
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: []
allowedUnsafeSysctls: []
defaultAddCapabilities: []
fsGroup:
  type: RunAsAny
groups: []
priority: 0
readOnlyRootFilesystem: false
requiredDropCapabilities: []
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
seccompProfiles:
- '*'
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:{{ include "falco.namespace" . }}:{{ include "falco.serviceAccountName" . }}
volumes:
- hostPath
- emptyDir
- secret
- configMap
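
As an added example (not the gist author's code, nor anything from the Falco chart or OpenShift), here is a small blast-radius audit of the two SCC revisions posted in this thread: it lists the host-level powers the SCC grants, lists which subjects may use it, and diffs the `users` list between the first revision (three service accounts) and the final one (only the Falco service account, once the sidekick pods no longer needed it). The rendered names assume service account `falco` in namespace `stakater-falco`, which is what the pod YAML later in the thread shows (`serviceAccountName: falco`, `openshift.io/scc: falco`); the sidekick service-account names are the ones in the first SCC, and the `system:serviceaccount:<namespace>:<name>` subject form is standard Kubernetes naming.

```python
"""Blast-radius audit for an OpenShift SecurityContextConstraints object.

Added example; not code from the gist, the Falco chart or OpenShift. The two
SCCs below are the ones posted above with the Helm template names rendered
(service account `falco`, namespace `stakater-falco`, per the pod YAML in the
thread). Subject naming is the standard Kubernetes form; nothing else is
assumed beyond the SCC fields themselves.
"""

# Boolean SCC fields that hand a pod host-level power when set to true.
HIGH_RISK_FLAGS = [
    ("allowPrivilegedContainer", "privileged containers (root on the node)"),
    ("allowHostPID", "host PID namespace"),
    ("allowHostNetwork", "host network namespace"),
    ("allowHostIPC", "host IPC namespace"),
    ("allowHostPorts", "host ports"),
    ("allowHostDirVolumePlugin", "hostPath volumes"),
    ("allowPrivilegeEscalation", "privilege escalation (setuid/capability gain not blocked)"),
]
# Strategies whose RunAsAny type let the pod choose its own identity/labels.
IDENTITY_STRATEGIES = ("runAsUser", "seLinuxContext", "fsGroup", "supplementalGroups")


def grants(scc):
    """List the elevated powers an SCC confers on pods admitted under it."""
    out = [label for field, label in HIGH_RISK_FLAGS if scc.get(field) is True]
    if "*" in scc.get("seccompProfiles", []):
        out.append("any seccomp profile, including unconfined")
    out += [f"{s}: RunAsAny" for s in IDENTITY_STRATEGIES
            if scc.get(s, {}).get("type") == "RunAsAny"]
    return out


def subjects(scc):
    """Every user or group that may be admitted under this SCC."""
    return sorted(set(scc.get("users", [])) | set(scc.get("groups", [])))


def admits(scc, namespace, service_account):
    """True if pods running as this service account can use the SCC directly."""
    return f"system:serviceaccount:{namespace}:{service_account}" in scc.get("users", [])


def compare(old, new):
    """Subjects removed from / added to the SCC between two revisions."""
    o, n = set(subjects(old)), set(subjects(new))
    return {"removed": sorted(o - n), "added": sorted(n - o)}


def audit(scc, allowed_subjects):
    """Findings a reviewer needs: the powers granted, then any subject not on
    the explicit allow-list. Group bindings are flagged separately because a
    single group entry can admit every service account in the cluster."""
    findings = [f"grants {g}" for g in grants(scc)]
    findings += [f"unexpected subject {s}" for s in subjects(scc)
                 if s not in allowed_subjects]
    if scc.get("groups"):
        findings.append("group bindings widen the SCC beyond named service accounts")
    return findings


# The two revisions from the thread, rendered (constructed from the posted YAML).
_BASE = {
    "apiVersion": "security.openshift.io/v1",
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "falco"},
    "allowHostDirVolumePlugin": True, "allowHostIPC": False, "allowHostNetwork": True,
    "allowHostPID": True, "allowHostPorts": False, "allowPrivilegeEscalation": True,
    "allowPrivilegedContainer": True, "allowedCapabilities": [],
    "allowedUnsafeSysctls": [], "defaultAddCapabilities": [],
    "requiredDropCapabilities": [], "readOnlyRootFilesystem": False, "priority": 0,
    "fsGroup": {"type": "RunAsAny"}, "runAsUser": {"type": "RunAsAny"},
    "seLinuxContext": {"type": "RunAsAny"}, "supplementalGroups": {"type": "RunAsAny"},
    "seccompProfiles": ["*"], "groups": [],
    "volumes": ["hostPath", "emptyDir", "secret", "configMap"],
}
NS = "stakater-falco"
FALCO_SA = f"system:serviceaccount:{NS}:falco"
FIRST_SCC = {**_BASE, "users": [
    FALCO_SA,
    f"system:serviceaccount:{NS}:sysdig-falco-falcosidekick",
    f"system:serviceaccount:{NS}:sysdig-falco-falcosidekick-ui",
]}
FINAL_SCC = {**_BASE, "users": [FALCO_SA]}

if __name__ == "__main__":
    for name, scc in (("first", FIRST_SCC), ("final", FINAL_SCC)):
        print(f"--- {name} SCC ---")
        for finding in audit(scc, {FALCO_SA}):
            print(" ", finding)
    print("removed between revisions:", compare(FIRST_SCC, FINAL_SCC)["removed"])
```

The reason `compare` matters is the point this thread ends up at: the SCC is effectively node root (privileged, host PID and network namespaces, hostPath, any seccomp profile, RunAsAny identity and SELinux context), so the `users` list is the only thing bounding who receives that, and it should contain exactly the DaemonSet's service account. The sidekick and sidekick-ui service accounts had no need for it once their pods could run under the cluster default SCC, and an entry under `groups` would remove the bound for every member of that group.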

@rasheedamir

Events in the falcosidekick UI

[Screenshot: falcosidekick UI events page, captured 2023-02-26]

@rasheedamir

serviceAccount:
  # -- Specifies whether a service account should be created.
  create: true
  # -- Annotations to add to the service account.
  annotations: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

falco:

  driver:
    kind: ebpf

  docker:
    enabled: false

  falco:
    json_output: true
    json_include_output_property: true
    log_syslog: false
    log_level: info
    http_output:
      enabled: true
      # This is hardcoded
      url: http://sysdig-falco-falcosidekick.stakater-falco.svc.cluster.local:2801/

  scc:
    create: false

  falcosidekick:

    enabled: true

    podSecurityContext: ""

    webui:
      enabled: true

      podSecurityContext: ""

    config:
      alertmanager:
        hostport: http://alertmanager-main.openshift-monitoring.svc:9094 # TODO! Its hard coded
        minimumpriority: debug
        mutualtls: ""
        checkcert: false  # Will have to check if the cert issue is still there; for now use this!

@rasheedamir

rasheedamir commented Mar 12, 2023

Environment: OpenShift 4.12.0. falco-driver-loader is failing with this error and falco fails to start :(

* Setting up /usr/src links from host
* Running falco-driver-loader for: falco version=0.34.1, driver version=4.0.0+driver, arch=x86_64, kernel release=4.18.0-372.40.1.el8_6.x86_64, kernel version=1
* Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
* Mounting debugfs
mount: /sys/kernel/debug: permission denied.
* Filename 'falco_rhcos_4.18.0-372.40.1.el8_6.x86_64_1.o' is composed of:
 - driver name: falco
 - target identifier: rhcos
 - kernel release: 4.18.0-372.40.1.el8_6.x86_64
 - kernel version: 1
* Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/4.0.0%2Bdriver/x86_64/falco_rhcos_4.18.0-372.40.1.el8_6.x86_64_1.o
curl: (22) The requested URL returned error: 404 
Unable to find a prebuilt falco eBPF probe
* Trying to compile the eBPF probe (falco_rhcos_4.18.0-372.40.1.el8_6.x86_64_1.o)
expr: syntax error: unexpected argument '1'
make[1]: *** /lib/modules/4.18.0-372.40.1.el8_6.x86_64/build: No such file or directory.  Stop.
make: *** [Makefile:38: all] Error 2
mv: cannot stat '/usr/src/falco-4.0.0+driver/bpf/probe.o': No such file or directory
Unable to load the falco eBPF probe

These are the init containers

  initContainers:
    - name: falco-driver-loader
      image: 'docker.io/falcosecurity/falco-driver-loader:0.34.1'
      env:
        - name: FALCO_BPF_PROBE
      resources: {}
      volumeMounts:
        - name: root-falco-fs
          mountPath: /root/.falco
        - name: proc-fs
          readOnly: true
          mountPath: /host/proc
        - name: boot-fs
          readOnly: true
          mountPath: /host/boot
        - name: lib-modules
          mountPath: /host/lib/modules
        - name: usr-fs
          readOnly: true
          mountPath: /host/usr
        - name: etc-fs
          readOnly: true
          mountPath: /host/etc
        - name: kube-api-access-f7p5x
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
    - name: falcoctl-artifact-install
      image: 'docker.io/falcosecurity/falcoctl:0.4.0'
      args:
        - artifact
        - install
        - '--verbose'
      resources: {}
      volumeMounts:
        - name: plugins-install-dir
          mountPath: /plugins
        - name: rulesfiles-install-dir
          mountPath: /rulesfiles
        - name: falcoctl-config-volume
          mountPath: /etc/falcoctl
        - name: kube-api-access-f7p5x
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
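
The two falco-driver-loader logs in this thread (the one that compiled a probe on kernel 4.18.0-372.36.1 and the one above that fails on 4.18.0-372.40.1) differ in only a few lines, so here is an added example, not from the gist or the Falco project, that triages such a log: it recovers the kernel and driver identifiers the loader prints, rebuilds the prebuilt-probe URL it tried, and separates the debugfs warning (present in both logs, the successful one included) from the fatal condition, the missing `/lib/modules/<release>/build` kernel headers. The sample logs are excerpts constructed from the two posted in this thread, and the regular expressions are written against that log format.

```python
"""Triage falco-driver-loader init-container output.

Added example; not code from the gist or the Falco project. It reads the text
of a falco-driver-loader log, recovers the identifiers the loader prints
(Falco/driver versions, arch, kernel release and version, target), rebuilds
the prebuilt-probe URL the loader tried, and classifies the run. The sample
logs are excerpts of the ones posted in this thread, trimmed to the lines the
triage keys on; the regexes are written against that log format.
"""
import re
from urllib.parse import quote

HEADER_RE = re.compile(
    r"falco version=(?P<falco>\S+), driver version=(?P<driver>\S+), "
    r"arch=(?P<arch>\S+), kernel release=(?P<krel>\S+), kernel version=(?P<kver>\S+)"
)
TARGET_RE = re.compile(r"target identifier: (\S+)")
HEADERS_RE = re.compile(r"\*\*\* (/lib/modules/\S+/build): No such file or directory")


def prebuilt_probe_url(driver_version, arch, target, kernel_release, kernel_version):
    """URL of the prebuilt eBPF probe in the form the loader prints; the '+'
    in the driver version is percent-encoded exactly as in the posted logs."""
    name = f"falco_{target}_{kernel_release}_{kernel_version}.o"
    return f"https://download.falco.org/driver/{quote(driver_version, safe='')}/{arch}/{name}"


def triage(log_text):
    """Return a dict with the parsed identifiers, the probe URL, the findings
    that explain the outcome, and the outcome (PROBE_READY/PROBE_FAILED/UNKNOWN)."""
    r = {"findings": [], "outcome": "UNKNOWN"}
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            r.update(falco=m["falco"], driver=m["driver"], arch=m["arch"],
                     kernel_release=m["krel"], kernel_version=m["kver"])
        m = TARGET_RE.search(line)
        if m:
            r["target"] = m.group(1)
        if "/sys/kernel/debug: permission denied" in line:
            # Present in both posted logs, the successful one included, so it
            # is noise for the eBPF path rather than the fatal error.
            r["findings"].append("debugfs mount denied in the init container (not fatal here)")
        if "curl: (22)" in line and "404" in line:
            r["findings"].append("no prebuilt probe published for this kernel (HTTP 404)")
        m = HEADERS_RE.search(line)
        if m:
            r["findings"].append(f"cannot compile locally: kernel headers missing at {m.group(1)}")
        if "Success: eBPF probe symlinked" in line:
            r["outcome"] = "PROBE_READY"
        elif "Unable to load the falco eBPF probe" in line:
            r["outcome"] = "PROBE_FAILED"
    if all(k in r for k in ("driver", "arch", "target", "kernel_release", "kernel_version")):
        r["prebuilt_url"] = prebuilt_probe_url(r["driver"], r["arch"], r["target"],
                                               r["kernel_release"], r["kernel_version"])
    return r


# Constructed excerpts of the two logs posted in this thread.
OK_LOG = """\
* Running falco-driver-loader for: falco version=0.34.1, driver version=4.0.0+driver, arch=x86_64, kernel release=4.18.0-372.36.1.el8_6.x86_64, kernel version=1
* Mounting debugfs
mount: /sys/kernel/debug: permission denied.
 - target identifier: rhcos
curl: (22) The requested URL returned error: 404
Unable to find a prebuilt falco eBPF probe
* Success: eBPF probe symlinked to /root/.falco/falco-bpf.o
"""
FAIL_LOG = """\
* Running falco-driver-loader for: falco version=0.34.1, driver version=4.0.0+driver, arch=x86_64, kernel release=4.18.0-372.40.1.el8_6.x86_64, kernel version=1
mount: /sys/kernel/debug: permission denied.
 - target identifier: rhcos
curl: (22) The requested URL returned error: 404
make[1]: *** /lib/modules/4.18.0-372.40.1.el8_6.x86_64/build: No such file or directory.  Stop.
Unable to load the falco eBPF probe
"""

if __name__ == "__main__":
    for label, log in (("372.36.1", OK_LOG), ("372.40.1", FAIL_LOG)):
        rep = triage(log)
        print(label, rep["outcome"], rep.get("prebuilt_url"))
        for finding in rep["findings"]:
            print("  -", finding)
```

Run against the two excerpts, the earlier kernel comes out PROBE_READY with the 404 as its only real finding (no prebuilt probe, but a local build succeeded), while the 372.40.1 node comes out PROBE_FAILED with the same 404 plus the missing headers directory, which is the difference between the two runs and the thing to fix or work around before the Falco container can start.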

@rasheedamir

The above failing pod has this YAML

kind: Pod
apiVersion: v1
metadata:
  generateName: falco-
  annotations:
    checksum/certs: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    checksum/config: 09cbdf4875bbd87fe93e70a034a53662acc7a4dbe7a9bf3eb8c352be2aee015c
    checksum/rules: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    k8s.ovn.org/pod-networks: >-
      {"default":{"ip_addresses":["10.128.1.66/23"],"mac_address":"0a:58:0a:80:01:42","gateway_ips":["10.128.0.1"],"ip_address":"10.128.1.66/23","gateway_ip":"10.128.0.1"}}
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "ovn-kubernetes",
          "interface": "eth0",
          "ips": [
              "10.128.1.66"
          ],
          "mac": "0a:58:0a:80:01:42",
          "default": true,
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks-status: |-
      [{
          "name": "ovn-kubernetes",
          "interface": "eth0",
          "ips": [
              "10.128.1.66"
          ],
          "mac": "0a:58:0a:80:01:42",
          "default": true,
          "dns": {}
      }]
    openshift.io/scc: falco
  resourceVersion: '10060058'
  name: falco-gj6sm
  uid: b7a071e5-c92a-47cf-9778-b240ef300f23
  creationTimestamp: '2023-03-12T17:37:00Z'
  managedFields:
    - manager: 00-0c-29-0e-55-ce
      operation: Update
      apiVersion: v1
      time: '2023-03-12T17:37:00Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:k8s.ovn.org/pod-networks': {}
    - manager: kube-controller-manager
      operation: Update
      apiVersion: v1
      time: '2023-03-12T17:37:00Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            .: {}
            'f:checksum/certs': {}
            'f:checksum/config': {}
            'f:checksum/rules': {}
          'f:generateName': {}
          'f:labels':
            .: {}
            'f:app.kubernetes.io/instance': {}
            'f:app.kubernetes.io/name': {}
            'f:controller-revision-hash': {}
            'f:pod-template-generation': {}
          'f:ownerReferences':
            .: {}
            'k:{"uid":"d8b701af-ef38-4a86-a4be-4f2994e2bd2f"}': {}
        'f:spec':
          'f:volumes':
            'k:{"name":"plugins-install-dir"}':
              .: {}
              'f:emptyDir': {}
              'f:name': {}
            'k:{"name":"usr-fs"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            'k:{"name":"etc-fs"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            .: {}
            'k:{"name":"containerd-socket"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            'k:{"name":"lib-modules"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            'k:{"name":"rulesfiles-install-dir"}':
              .: {}
              'f:emptyDir': {}
              'f:name': {}
            'k:{"name":"debugfs"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            'k:{"name":"docker-socket"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            'k:{"name":"proc-fs"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            'k:{"name":"falcoctl-config-volume"}':
              .: {}
              'f:configMap':
                .: {}
                'f:defaultMode': {}
                'f:items': {}
                'f:name': {}
              'f:name': {}
            'k:{"name":"root-falco-fs"}':
              .: {}
              'f:emptyDir': {}
              'f:name': {}
            'k:{"name":"boot-fs"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
            'k:{"name":"falco-yaml"}':
              .: {}
              'f:configMap':
                .: {}
                'f:defaultMode': {}
                'f:items': {}
                'f:name': {}
              'f:name': {}
            'k:{"name":"crio-socket"}':
              .: {}
              'f:hostPath':
                .: {}
                'f:path': {}
                'f:type': {}
              'f:name': {}
          'f:containers':
            'k:{"name":"falco"}':
              'f:image': {}
              'f:volumeMounts':
                'k:{"mountPath":"/host/var/run/docker.sock"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/root/.falco"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/sys/kernel/debug"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/host/proc"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/etc/falco/falco.yaml"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                  'f:subPath': {}
                .: {}
                'k:{"mountPath":"/etc/falco"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/host/run/containerd/containerd.sock"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/host/run/crio/crio.sock"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
              'f:terminationMessagePolicy': {}
              .: {}
              'f:resources':
                .: {}
                'f:limits':
                  .: {}
                  'f:cpu': {}
                  'f:memory': {}
                'f:requests':
                  .: {}
                  'f:cpu': {}
                  'f:memory': {}
              'f:args': {}
              'f:livenessProbe':
                .: {}
                'f:failureThreshold': {}
                'f:httpGet':
                  .: {}
                  'f:path': {}
                  'f:port': {}
                  'f:scheme': {}
                'f:initialDelaySeconds': {}
                'f:periodSeconds': {}
                'f:successThreshold': {}
                'f:timeoutSeconds': {}
              'f:env':
                .: {}
                'k:{"name":"FALCO_BPF_PROBE"}':
                  .: {}
                  'f:name': {}
                'k:{"name":"FALCO_K8S_NODE_NAME"}':
                  .: {}
                  'f:name': {}
                  'f:valueFrom':
                    .: {}
                    'f:fieldRef': {}
              'f:readinessProbe':
                .: {}
                'f:failureThreshold': {}
                'f:httpGet':
                  .: {}
                  'f:path': {}
                  'f:port': {}
                  'f:scheme': {}
                'f:initialDelaySeconds': {}
                'f:periodSeconds': {}
                'f:successThreshold': {}
                'f:timeoutSeconds': {}
              'f:securityContext':
                .: {}
                'f:privileged': {}
              'f:terminationMessagePath': {}
              'f:imagePullPolicy': {}
              'f:name': {}
            'k:{"name":"falcoctl-artifact-follow"}':
              'f:image': {}
              'f:volumeMounts':
                .: {}
                'k:{"mountPath":"/etc/falcoctl"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/plugins"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/rulesfiles"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
              'f:terminationMessagePolicy': {}
              .: {}
              'f:resources': {}
              'f:args': {}
              'f:terminationMessagePath': {}
              'f:imagePullPolicy': {}
              'f:name': {}
          'f:dnsPolicy': {}
          'f:tolerations': {}
          'f:serviceAccount': {}
          'f:restartPolicy': {}
          'f:schedulerName': {}
          'f:terminationGracePeriodSeconds': {}
          'f:initContainers':
            .: {}
            'k:{"name":"falco-driver-loader"}':
              'f:image': {}
              'f:volumeMounts':
                .: {}
                'k:{"mountPath":"/host/boot"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                  'f:readOnly': {}
                'k:{"mountPath":"/host/etc"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                  'f:readOnly': {}
                'k:{"mountPath":"/host/lib/modules"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/host/proc"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                  'f:readOnly': {}
                'k:{"mountPath":"/host/usr"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                  'f:readOnly': {}
                'k:{"mountPath":"/root/.falco"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
              'f:terminationMessagePolicy': {}
              .: {}
              'f:resources': {}
              'f:env':
                .: {}
                'k:{"name":"FALCO_BPF_PROBE"}':
                  .: {}
                  'f:name': {}
              'f:terminationMessagePath': {}
              'f:imagePullPolicy': {}
              'f:name': {}
            'k:{"name":"falcoctl-artifact-install"}':
              'f:image': {}
              'f:volumeMounts':
                .: {}
                'k:{"mountPath":"/etc/falcoctl"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/plugins"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
                'k:{"mountPath":"/rulesfiles"}':
                  .: {}
                  'f:mountPath': {}
                  'f:name': {}
              'f:terminationMessagePolicy': {}
              .: {}
              'f:resources': {}
              'f:args': {}
              'f:terminationMessagePath': {}
              'f:imagePullPolicy': {}
              'f:name': {}
          'f:serviceAccountName': {}
          'f:enableServiceLinks': {}
          'f:securityContext': {}
          'f:affinity':
            .: {}
            'f:nodeAffinity':
              .: {}
              'f:requiredDuringSchedulingIgnoredDuringExecution': {}
    - manager: multus
      operation: Update
      apiVersion: v1
      time: '2023-03-12T17:37:02Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:k8s.v1.cni.cncf.io/network-status': {}
            'f:k8s.v1.cni.cncf.io/networks-status': {}
      subresource: status
    - manager: kubelet
      operation: Update
      apiVersion: v1
      time: '2023-03-12T17:40:29Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:status':
          'f:conditions':
            'k:{"type":"ContainersReady"}':
              .: {}
              'f:lastProbeTime': {}
              'f:lastTransitionTime': {}
              'f:message': {}
              'f:reason': {}
              'f:status': {}
              'f:type': {}
            'k:{"type":"Initialized"}':
              .: {}
              'f:lastProbeTime': {}
              'f:lastTransitionTime': {}
              'f:message': {}
              'f:reason': {}
              'f:status': {}
              'f:type': {}
            'k:{"type":"Ready"}':
              .: {}
              'f:lastProbeTime': {}
              'f:lastTransitionTime': {}
              'f:message': {}
              'f:reason': {}
              'f:status': {}
              'f:type': {}
          'f:containerStatuses': {}
          'f:hostIP': {}
          'f:initContainerStatuses': {}
          'f:podIP': {}
          'f:podIPs':
            .: {}
            'k:{"ip":"10.128.1.66"}':
              .: {}
              'f:ip': {}
          'f:startTime': {}
      subresource: status
  namespace: stakater-falco
  ownerReferences:
    - apiVersion: apps/v1
      kind: DaemonSet
      name: falco
      uid: d8b701af-ef38-4a86-a4be-4f2994e2bd2f
      controller: true
      blockOwnerDeletion: true
  labels:
    app.kubernetes.io/instance: falco
    app.kubernetes.io/name: falco
    controller-revision-hash: 86b4465658
    pod-template-generation: '1'
spec:
  restartPolicy: Always
  initContainers:
    - name: falco-driver-loader
      image: 'docker.io/falcosecurity/falco-driver-loader:0.34.1'
      env:
        - name: FALCO_BPF_PROBE
      resources: {}
      volumeMounts:
        - name: root-falco-fs
          mountPath: /root/.falco
        - name: proc-fs
          readOnly: true
          mountPath: /host/proc
        - name: boot-fs
          readOnly: true
          mountPath: /host/boot
        - name: lib-modules
          mountPath: /host/lib/modules
        - name: usr-fs
          readOnly: true
          mountPath: /host/usr
        - name: etc-fs
          readOnly: true
          mountPath: /host/etc
        - name: kube-api-access-f7p5x
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
    - name: falcoctl-artifact-install
      image: 'docker.io/falcosecurity/falcoctl:0.4.0'
      args:
        - artifact
        - install
        - '--verbose'
      resources: {}
      volumeMounts:
        - name: plugins-install-dir
          mountPath: /plugins
        - name: rulesfiles-install-dir
          mountPath: /rulesfiles
        - name: falcoctl-config-volume
          mountPath: /etc/falcoctl
        - name: kube-api-access-f7p5x
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
  serviceAccountName: falco
  priority: 0
  schedulerName: default-scheduler
  enableServiceLinks: true
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchFields:
              - key: metadata.name
                operator: In
                values:
                  - 00-0c-29-0e-55-ce
  terminationGracePeriodSeconds: 30
  preemptionPolicy: PreemptLowerPriority
  nodeName: 00-0c-29-0e-55-ce
  securityContext: {}
  containers:
    - resources:
        limits:
          cpu: '1'
          memory: 1Gi
        requests:
          cpu: 100m
          memory: 512Mi
      readinessProbe:
        httpGet:
          path: /healthz
          port: 8765
          scheme: HTTP
        initialDelaySeconds: 30
        timeoutSeconds: 5
        periodSeconds: 15
        successThreshold: 1
        failureThreshold: 3
      terminationMessagePath: /dev/termination-log
      name: falco
      livenessProbe:
        httpGet:
          path: /healthz
          port: 8765
          scheme: HTTP
        initialDelaySeconds: 60
        timeoutSeconds: 5
        periodSeconds: 15
        successThreshold: 1
        failureThreshold: 3
      env:
        - name: FALCO_K8S_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: FALCO_BPF_PROBE
      securityContext:
        privileged: true
      imagePullPolicy: IfNotPresent
      volumeMounts:
        - name: rulesfiles-install-dir
          mountPath: /etc/falco
        - name: root-falco-fs
          mountPath: /root/.falco
        - name: proc-fs
          mountPath: /host/proc
        - name: debugfs
          mountPath: /sys/kernel/debug
        - name: docker-socket
          mountPath: /host/var/run/docker.sock
        - name: containerd-socket
          mountPath: /host/run/containerd/containerd.sock
        - name: crio-socket
          mountPath: /host/run/crio/crio.sock
        - name: falco-yaml
          mountPath: /etc/falco/falco.yaml
          subPath: falco.yaml
        - name: kube-api-access-f7p5x
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePolicy: File
      image: 'docker.io/falcosecurity/falco-no-driver:0.34.1'
      args:
        - /usr/bin/falco
        - '--cri'
        - /run/containerd/containerd.sock
        - '--cri'
        - /run/crio/crio.sock
        - '-K'
        - /var/run/secrets/kubernetes.io/serviceaccount/token
        - '-k'
        - 'https://$(KUBERNETES_SERVICE_HOST)'
        - '--k8s-node'
        - $(FALCO_K8S_NODE_NAME)
        - '-pk'
    - name: falcoctl-artifact-follow
      image: 'docker.io/falcosecurity/falcoctl:0.4.0'
      args:
        - artifact
        - follow
        - '--verbose'
      resources: {}
      volumeMounts:
        - name: plugins-install-dir
          mountPath: /plugins
        - name: rulesfiles-install-dir
          mountPath: /rulesfiles
        - name: falcoctl-config-volume
          mountPath: /etc/falcoctl
        - name: kube-api-access-f7p5x
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
  serviceAccount: falco
  volumes:
    - name: plugins-install-dir
      emptyDir: {}
    - name: rulesfiles-install-dir
      emptyDir: {}
    - name: root-falco-fs
      emptyDir: {}
    - name: boot-fs
      hostPath:
        path: /boot
        type: ''
    - name: lib-modules
      hostPath:
        path: /lib/modules
        type: ''
    - name: usr-fs
      hostPath:
        path: /usr
        type: ''
    - name: etc-fs
      hostPath:
        path: /etc
        type: ''
    - name: debugfs
      hostPath:
        path: /sys/kernel/debug
        type: ''
    - name: docker-socket
      hostPath:
        path: /var/run/docker.sock
        type: ''
    - name: containerd-socket
      hostPath:
        path: /run/containerd/containerd.sock
        type: ''
    - name: crio-socket
      hostPath:
        path: /run/crio/crio.sock
        type: ''
    - name: proc-fs
      hostPath:
        path: /proc
        type: ''
    - name: falcoctl-config-volume
      configMap:
        name: falco-falcoctl
        items:
          - key: falcoctl.yaml
            path: falcoctl.yaml
        defaultMode: 420
    - name: falco-yaml
      configMap:
        name: falco
        items:
          - key: falco.yaml
            path: falco.yaml
        defaultMode: 420
    - name: kube-api-access-f7p5x
      projected:
        sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              name: kube-root-ca.crt
              items:
                - key: ca.crt
                  path: ca.crt
          - downwardAPI:
              items:
                - path: namespace
                  fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.namespace
          - configMap:
              name: openshift-service-ca.crt
              items:
                - key: service-ca.crt
                  path: service-ca.crt
        defaultMode: 420
  dnsPolicy: ClusterFirst
  tolerations:
    - key: node-role.kubernetes.io/master
      effect: NoSchedule
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule
    - key: node.kubernetes.io/not-ready
      operator: Exists
      effect: NoExecute
    - key: node.kubernetes.io/unreachable
      operator: Exists
      effect: NoExecute
    - key: node.kubernetes.io/disk-pressure
      operator: Exists
      effect: NoSchedule
    - key: node.kubernetes.io/memory-pressure
      operator: Exists
      effect: NoSchedule
    - key: node.kubernetes.io/pid-pressure
      operator: Exists
      effect: NoSchedule
    - key: node.kubernetes.io/unschedulable
      operator: Exists
      effect: NoSchedule
status:
  containerStatuses:
    - name: falco
      state:
        waiting:
          reason: PodInitializing
      lastState: {}
      ready: false
      restartCount: 0
      image: 'docker.io/falcosecurity/falco-no-driver:0.34.1'
      imageID: ''
      started: false
    - name: falcoctl-artifact-follow
      state:
        waiting:
          reason: PodInitializing
      lastState: {}
      ready: false
      restartCount: 0
      image: 'docker.io/falcosecurity/falcoctl:0.4.0'
      imageID: ''
      started: false
  qosClass: Burstable
  podIPs:
    - ip: 10.128.1.66
  podIP: 10.128.1.66
  hostIP: 10.10.1.119
  startTime: '2023-03-12T17:37:00Z'
  initContainerStatuses:
    - name: falco-driver-loader
      state:
        waiting:
          reason: CrashLoopBackOff
          message: >-
            back-off 2m40s restarting failed container=falco-driver-loader
            pod=falco-gj6sm_stakater-falco(b7a071e5-c92a-47cf-9778-b240ef300f23)
      lastState:
        terminated:
          exitCode: 1
          reason: Error
          startedAt: '2023-03-12T17:40:12Z'
          finishedAt: '2023-03-12T17:40:13Z'
          containerID: >-
            cri-o://19cebd2aff47e86d223691d979aaaadf1f37bb52ba271a28896814d175b0076d
      ready: false
      restartCount: 5
      image: 'docker.io/falcosecurity/falco-driver-loader:0.34.1'
      imageID: >-
        docker.io/falcosecurity/falco-driver-loader@sha256:1bcd4984b3748af1a48c585fb3ee94953a4f2a7ece0750895ad6c28355532d45
      containerID: 'cri-o://19cebd2aff47e86d223691d979aaaadf1f37bb52ba271a28896814d175b0076d'
    - name: falcoctl-artifact-install
      state:
        waiting:
          reason: PodInitializing
      lastState: {}
      ready: false
      restartCount: 0
      image: 'docker.io/falcosecurity/falcoctl:0.4.0'
      imageID: ''
  conditions:
    - type: Initialized
      status: 'False'
      lastProbeTime: null
      lastTransitionTime: '2023-03-12T17:37:00Z'
      reason: ContainersNotInitialized
      message: >-
        containers with incomplete status: [falco-driver-loader
        falcoctl-artifact-install]
    - type: Ready
      status: 'False'
      lastProbeTime: null
      lastTransitionTime: '2023-03-12T17:37:00Z'
      reason: ContainersNotReady
      message: 'containers with unready status: [falco falcoctl-artifact-follow]'
    - type: ContainersReady
      status: 'False'
      lastProbeTime: null
      lastTransitionTime: '2023-03-12T17:37:00Z'
      reason: ContainersNotReady
      message: 'containers with unready status: [falco falcoctl-artifact-follow]'
    - type: PodScheduled
      status: 'True'
      lastProbeTime: null
      lastTransitionTime: '2023-03-12T17:37:00Z'
  phase: Pending