# Enable the driver, and choose between the kernel module or the ebpf probe.
# Default value: kernel module.
driver:
  enabled: true
  kind: module

# Enable the collectors used to enrich the events with metadata.
# Check the values.yaml file for fine-grained options.
collectors:
  enabled: true

# We set the controller to daemonset since we have the syscalls source enabled.
# It will ensure that every node on our cluster will be monitored by Falco.
# Please note that the api-server will use the "k8saudit-webhook" service to send
# audit logs to the falco instances. That means that when we have multiple instances of Falco
# we can not predict to which instance the audit logs will be sent. When testing please check all
# the Falco instance to make sure that at least one of them have received the audit logs.
controller:
  kind: daemonset

falcoctl:
  artifact:
    install:
      # -- Enable the init container.
      enabled: true
    follow:
      # -- Enable the sidecar container.
      enabled: true
  config:
    artifact:
      install:
        # -- List of artifacts to be installed by the falcoctl init container.
        refs: [falco-rules:3, k8saudit-rules:0.7]
      follow:
        # -- List of artifacts to be followed by the falcoctl sidecar container.
        refs: [falco-rules:3, k8saudit-rules:0.7]

services:
  - name: k8saudit-webhook
    type: NodePort
    ports:
      - port: 9765 # See plugin open_params
        nodePort: 30007
        protocol: TCP

falco:
  rules_file:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/rules.d
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so
      init_config:
        ""
        # maxEventBytes: 1048576
        # sslCertificate: /etc/falco/falco.pem
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so
      init_config: ""
  load_plugins: [k8saudit, json]