# Change Log This file documents all notable changes to Falco Helm Chart. The release numbering uses [semantic versioning](http://semver.org). ## v4.2.5 * fix docs ## v4.2.4 * bump falcosidekick dependency version to v0.7.15 install latest version through falco chart ## v4.2.3 * fix(falco/helpers): adjust formatting to be compatible with older helm versions ## v4.2.2 * fix(falco/README): dead link ## v4.2.1 * fix(falco/README): typos, formatting and broken links ## v4.2.0 * Bump falco to v0.37.1 and falcoctl to v0.7.2 ## v4.1.2 * Fix links in output after falco install without sidekick ## v4.1.1 * Update README.md. ## v4.1.0 * Reintroduce the service account. ## v4.0.0 The new chart introduces some breaking changes. For folks upgrading Falco please see the BREAKING-CHANGES.md file. * Uniform driver names and configuration to the Falco one: https://github.com/falcosecurity/falco/pull/2413; * Fix usernames and groupnames resolution by mounting the `/etc` filesystem; * Drop old kubernetes collector related resources; * Introduce the new k8s-metacollector and k8smeta plugin (experimental); * Enable the dependency resolver for artifacts in falcoctl since the Falco image does not ship anymore the plugins; * Bump Falco to 0.37.0; * Bump falcoctl to 0.7.0. ## v3.8.7 * Upgrade falcosidekick chart to `v0.7.11`. ## v3.8.6 * no changes to the chart itself. Updated README.md and makefile. ## v3.8.5 * Add mTLS cryptographic material load via Helm for Falco ## v3.8.4 * Upgrade Falco to 0.36.2: https://github.com/falcosecurity/falco/releases/tag/0.36.2 ## v3.8.3 * Upgrade falcosidekick chart to `v0.7.7`. ## v3.8.2 * Upgrade falcosidekick chart to `v0.7.6`. ## v3.8.1 * noop change just to test the ci ## v3.8.0 * Upgrade Falco to 0.36.1: https://github.com/falcosecurity/falco/releases/tag/0.36.1 * Sync values.yaml with 0.36.1 falco.yaml config file. ## v3.7.1 * Update readme ## v3.7.0 * Upgrade Falco to 0.36. https://github.com/falcosecurity/falco/releases/tag/0.36.0 * Sync values.yaml with upstream falco.yaml config file. * Upgrade falcoctl to 0.6.2. For more info see the release notes: https://github.com/falcosecurity/falcoctl/releases/tag/v0.6.2 ## v3.6.2 * Cleanup wrong files ## v3.6.1 * Upgrade falcosidekick chart to `v0.7.1`. ## v3.6.0 * Add `outputs` field to falco configuration ## v3.5.0 ## Major Changes * Support configuration of revisionHistoryLimit of the deployment ## v3.4.1 * Upgrade falcosidekick chart to `v0.6.3`. ## v3.4.0 * Introduce an ability to use an additional volumeMounts for `falcoctl-artifact-install` and `falcoctl-artifact-follow` containers. ## v3.3.1 * No changes made to the falco chart, only some fixes in the makefile ## v3.3.0 * Upgrade Falco to 0.35.1. For more info see the release notes: https://github.com/falcosecurity/falco/releases/tag/0.35.1 * Upgrade falcoctl to 0.5.1. For more info see the release notes: https://github.com/falcosecurity/falcoctl/releases/tag/v0.5.1 * Introduce least privileged mode in modern ebpf. For more info see: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-2 ## v3.2.1 * Set falco.http_output.url to empty string in values.yaml file ## v3.2.0 * Upgrade Falco to 0.35.0. For more info see the release notes: https://github.com/falcosecurity/falco/releases/tag/0.35.0 * Sync values.yaml with upstream falco.yaml config file. * Upgrade falcoctl to 0.5.0. For more info see the release notes: https://github.com/falcosecurity/falcoctl/releases/tag/v0.5.0 * The tag used to install and follow the falco rules is `1` * The tag used to install and follow the k8saudit rules is `0.6` ## v3.1.5 * Use list as default for env parameter of init and follow containers ## v3.1.4 * Fix typo in values-k8audit file ## v3.1.3 * Updates the grpc-service to use the correct label selector ## v3.1.2 * Bump `falcosidekick` dependency to 0.6.1 ## v3.1.1 * Update `k8saudit` section in README.md file. ## v3.1.0 * Upgrade Falco to 0.34.1 ## v3.0.0 * Drop support for falcosecuriy/falco image, only the init container approach is supported out of the box; * Simplify the driver-loader init container logic; * Support **falcoctl** tool in the chart: * Install the *rulesfile* artifacts; * Follow the *rulesfile* artifacts in order to have the latest rules once they are released from falcosecurity org; * Support the **modern-bpf** probe a new driver (experimental) * Add a new file *BREAKING_CHANGES.md* to document the breaking changes and how to update the new chart. ## v2.5.5 * Bump `falcosidekick` dependency to 0.5.16 ## v2.5.4 * Fix incorrect entry in v2.5.2 changelog ## v2.5.3 * Bump `falcosidekick` dependency to 0.5.14 ## v2.5.2 * Fixed notes template to only include daemon set info if set to daemon set ## v2.5.1 * Update README to clarify driver behavior for chart ## v2.5.0 * Support custom dictionaries when setting environment variables Note: this is a breaking change. If you were passing _objects_ to `extra.env` or `driver.loader.initContainer.env` , you will need to update your values file to pass _lists_. ## v2.4.7 * Add `controller.annotations` configuration ## v2.4.6 * Bump `falcosidekick` dependency to 0.5.11 ## v2.4.5 * Bump `falcosidekick` dependency to 0.5.10 ## v2.4.4 * Update README for gRPC ## v2.4.3 * Update README for gVisor and GKE ## v2.4.2 * Add toleration for node-role.kubernetes.io/control-plane ## v2.4.1 * Fixed error in values.yaml comments ## v2.4.0 * Add support for Falco+gVisor * Add new preset `values.yaml `file for gVisor-enabled GKE clusters ## v2.3.1 * Fixed incorrect spelling of `been` ## v2.3.0 * Add variable namespaceOverride to allow setting release namespace in values ## v2.2.0 * Change the grpc socket path from `unix:///var/run/falco/falco.soc` to `unix:///run/falco/falco.sock`. Please note that this change is potentially a breaking change if upgrading falco from a previous version and you have external consumers of the grpc socket. ## v2.1.0 * Bump Falco to 0.33.0 * Implicitly disable `syscall` source when not required * Update `values.yaml` to reflect the new configuration options in Falco 0.33.0 * Mount `/sys/module/falco` when deployed using the `kernel module` * Update rulesets for falco and plugins ## v2.0.18 * Bump `falcosidekick` dependency to 0.5.9 ## v2.0.17 * Fix: remove `namespace` from `clusterrole` and `clusterrolebinding` metadata ## v2.0.16 * Allow setting `resources` and `securityContext` on the `falco-driver-loader` init container ## v2.0.15 * Allow passing args to the `falco-driver-loader` init container ## v2.0.14 * Fix debugfs mount when `falco-no-driver` image and ebpf driver is used ## v2.0.13 * Upgrade Falco to 0.32.2 ## v2.0.12 * Fully disable the driver when running in CI ## v2.0.11 * Correct CI values. ## v2.0.10 * Fix name of the falco certs secret. ## v2.0.9 * Fix the `certs-secret.yaml` template by correctly pointing to the root context when using the helpers. ## v2.0.8 * When using ebpf probe Falco is deployed in `privileged` mode instead of `least privileged`. ## v2.0.7 * Fix templating for priorityClassName in pod-template.tpl ## v2.0.6 * Add ability to enable `tty` for the falco container. Needed to force falco logs to be immediately displayed as they are emitted. Useful in test/debug scenarios. ## v2.0.5 * Mount `/proc` only when syscall data source is enabled (default). This behaviour can be overridden via `mounts.enforceProcMount` for edge cases where the `/proc` `hostPath` mount is required without having the syscall data source enabled at the same time. ## v2.0.4 * Fix templating for init containers in pod-template.tpl ## v2.0.3 * Add ability to specify extra environment variables to driver loader initContainer ## v2.0.2 update(falco/OWNERS): move inactive approvers to emeritus_approvers ## v2.0.1 * Add description for configuration variable in values.yaml * Add linting target in Makefile * Remove configuration values table from README.md * Fix section titles in README.md ## v2.0.0 **Note** *This release is a complete refactor of the Falco Helm Chart. Thus, it introduces some breaking changes.* *Please, do not reuse values from previous chart installations.* * Upgrade Falco to 0.32.1 * Massive refactoring of the chart implementation * Add ability to use either a daemonset or a deployment (depending on the installation scenario) * Add ability to specify custom network services * New settings for the drivers configuration * New Makefile to generate helm documentation * Add values-k8saudit.yaml preset for the k8saudit plugin * Fix use `load_plugins` instead of `loadPlugins` in Falco configuration * Update `containerSecurityContext` (former `securityContext`) now takes precedence over auto configs * Move `leastPriviledged` mode under eBPF and add missing `SYS_PTRACE` cap * Update group values for metadata collection under "collectors" * Remove several settings in favour of `extra.env` * Use chart `appVersion` as default image tag * Move setting from `image.pullSecrets` to `imagePullSecrets` * Add an option to set desidered replicas * Improve selector labels * Modernize labels and improve internal helpers * Deprecate PSP (template removed) * Fake event generator removed from this chart ## v1.19.4 * Bump Falco Sidekick dependency. ## v1.19.3 * Add `watchConfigFiles` value to falco README ## v1.19.2 * Bump Falco Sidekick dependency. * Add support for DaemonSet podSecurityContext and securityContext. ## v1.19.1 * Fix the changelog for 1.19.0 ## v1.19.0 * Upgrade to Falco 0.32.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.32.0/CHANGELOG.md)) * Various Falco config settings were updated for Falco 0.32.0 ### Breaking Changes * Audit Log is now supported via k8saudit plugin (when enabled, syscall instrumentation will be disabled) * dynamicBackend support for Audit Log is now deprecated ## v1.18.6 * Bump falcosidekick chart dependency (fix issue with the UI) ## v1.18.5 * Bump falcosidekick chart dependency ## v1.18.4 * Now the url to falcosidekick on NOTES.txt on falco helm chart points to the right place. ## v1.18.3 * Fix for [issue 318](https://github.com/falcosecurity/charts/issues/318) - Missing comma in k8s_audit_rules.yaml. ## v1.18.2 * Further fix for `--reuse-values` option after the introduction of `crio.enabled`. ## v1.18.1 * Workaround to make this chart work with Helm `--reuse-values` option after the introduction of `crio.enabled`. ## v1.18.0 * Added support for cri-o ## v1.17.6 Remove whitespace around `falco.httpOutput.url` to fix the error `libcurl error: URL using bad/illegal format or missing URL`. ## v1.17.5 * Changed `falco.httpOutput.url` so that it always overrides the default URL, even when falcosidekick is enabled. (NOTE: don't use this version, see v1.17.6) ## v1.17.4 * Upgrade to Falco 0.31.1 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.31.1/CHANGELOG.md)) * Update rulesets from Falco 0.31.1 ## v1.17.3 * Fix quoting around `--k8s-node` ## v1.17.2 * Add `leastPrivileged.enabled` configuration ## v1.17.1 * Fixed `priority` level `info` change to `informational` ## v1.17.0 * Upgrade to Falco 0.31.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.31.0/CHANGELOG.md)) * Update rulesets from Falco 0.31.0 * Update several configuration options under the `falco` node to reflect the new Falco version * Initial plugins support ## v1.16.4 * Bump falcosidekick chart dependency ## v1.16.2 * Add `serviceAccount.annotations` configuration ## v1.16.1 * Fixed string escaping for `--k8s-node` ## v1.16.0 * Upgrade to Falco 0.30.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.30.0/CHANGELOG.md)) * Update rulesets from Falco 0.30.0 * Add `kubernetesSupport.enableNodeFilter` configuration to enable node filtering when requesting pods metadata from Kubernetes * Add `falco.metadataDownload` configuration for fine-tuning container orchestrator metadata fetching params * Add `falco.jsonIncludeTagsProperty` configuration to include tags in the JSON output ## v1.15.7 * Removed `maxSurge` reference from comment in Falco's `values.yaml` file. ## v1.15.6 * Update `Falcosidekick` chart to 0.3.13 ## v1.15.4 * Update `Falcosidekick` chart to 0.3.12 ## v1.15.3 * Upgrade to Falco 0.29.1 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.29.1/CHANGELOG.md)) * Update rulesets from Falco 0.29.1 ## v1.15.2 * Add ability to use an existing secret of key, cert, ca as well as pem bundle instead of creating it from files ## v1.15.1 * Fixed liveness and readiness probes schema when ssl is enabled ## v1.14.1 * Update `Falcosidekick` chart to 0.3.8 ## v1.14.1 * Update image tag to 0.29.0 in values.yaml ## v1.14.0 * Upgrade to Falco 0.29.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.29.0/CHANGELOG.md)) * Update rulesets from Falco 0.29.0 ## v1.13.2 * Fixed incorrect spelling of `fullfqdn` ## v1.13.1 * Fix port for readinessProbe and livenessProbe ## v1.13.0 * Add liveness and readiness probes to Falco ## v1.12.0 * Add `kubernetesSupport` configuration to make Kubernetes Falco support optional in the daemonset (enabled by default) ## v1.11.1 * Upgrade to Falco 0.28.1 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.28.1/CHANGELOG.md)) ## v1.11.0 * Bump up version of chart for `Falcosidekick` dependency to `v3.5.0` ## v1.10.0 * Add `falcosidekick.fullfqdn` option to connect `falco` to `falcosidekick` with full FQDN * Bump up version of chart for `Falcosidekick` dependency ## v1.9.0 * Upgrade to Falco 0.28.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.28.0/CHANGELOG.md)) * Update rulesets from Falco 0.28.0 ## v1.8.1 * Bump up version of chart for `Falcosidekick` dependency ## v1.8.0 * Bump up version of chart for `Falcosidekick` dependency ## v1.7.10 * Update rule `Write below monitored dir` description ## v1.7.9 * Add a documentation section about the driver ## v1.7.8 * Increase CPU limit default value ## v1.7.7 * Add a documentation section about using init containers ## v1.7.6 * Correct icon URL ## v1.7.5 * Update downstream sidekick chart ## v1.7.4 * Add `ebpf.probe.path` configuration option ## v1.7.3 * Bump up version of chart for `Falcosidekick` dependency ## v1.7.2 * Fix `falco` configmap when `Falcosidekick` is enabled, wrong service name was used ## v1.7.1 * Correct image tag for Falco 0.27.0 ## v1.7.0 * Upgrade to Falco 0.27.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.27.0/CHANGELOG.md)) * Add `falco.output_timeout` configuration setting ## v1.6.1 ### Minor Changes * Add `falcosidekick` as an optional dependency ## v1.6.0 ### Minor Changes * Remove deprecated integrations (see [#123](https://github.com/falcosecurity/charts/issues/123)) ## v1.5.8 ### Minor Changes * Add value `extraVolumes`, allow adding extra volumes to falco daemonset * Add value `extraVolumeMounts`, allow adding extra volumeMounts to falco container in falco daemonset ## v1.5.6 ### Minor Changes * Add `falco.webserver.sslEnabled` config, enabling SSL support * Add `falco.webserver.nodePort` configuration as an alternative way for exposing the AuditLog webhook (disabled by default) ## v1.5.5 ### Minor Changes * Support release namespace configuration ## v1.5.4 ### Minor Changes * Upgrade to Falco 0.26.2, `DRIVERS_REPO` now defaults to https://download.falco.org/?prefix=driver/ (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.26.2/CHANGELOG.md)) ## v1.5.3 ### Minor Changes * Deprecation notice for gcscc, natsOutput, snsOutput, pubsubOutput integrations * Clean up old references from documentation ## v1.5.2 ### Minor Changes * Add Pod Security Policy Support for the fake event generator ## v1.5.1 ### Minor Changes * Replace extensions apiGroup/apiVersion because of deprecation ## v1.5.0 ### Minor Changes * Upgrade to Falco 0.26.1 * Update ruleset from Falco 0.26.1 * Automatically set the appropriate apiVersion for rbac ## v1.4.0 ### Minor Changes * Allow adding InitContainers to Falco pod with `extraInitContainers` configuration ## v1.3.0 ### Minor Changes * Upgrade to Falco 0.25.0 * Update ruleset from Falco 0.25.0 ## v1.2.3 ### Minor Changes * Fix duplicate mount point problem when both gRPC and NATS integrations are enabled ## v1.2.2 ### Minor Changes * Allow configuration using values for `imagePullSecrets` setting * Add `docker.io/falcosecurity/falco` image to `falco_privileged_images` macro ## v1.2.1 ### Minor Changes * Add SecurityContextConstraint to allow deploying in Openshift ## v1.2.0 ### Minor Changes * Upgrade to Falco 0.24.0 * Update ruleset from Falco 0.24.0 * gRPC Unix Socket support * Set default threadiness to 0 ("auto" behavior) for the gRPC server ## v1.1.10 ### Minor Changes * Switch to `falcosecurity/event-generator` * Allow configuration using values for `fakeEventGenerator.args` setting * Update ruleset * New releasing mechanism ## v1.1.9 ### Minor Changes * Add missing privileges for the apps Kubernetes API group * Allow client config url for Audit Sink with `auditLog.dynamicBackend.url` ## v1.1.8 ### Minor Changes * Upgrade to Falco 0.23.0 * Correct socket path for `--cri` flag * Always mount `/etc` (required by `falco-driver-loader`) ## v1.1.7 ### Minor Changes * Add pod annotation support for daemonset ## v1.1.6 ### Minor Changes * Upgrade to Falco 0.21.0 * Upgrade rules to Falco 0.21.0 ## v1.1.5 ### Minor Changes * Add headless service for gRPC server * Allow gRPC certificates configuration by using `--set-file` ## v1.1.4 ### Minor Changes * Make `/lib/modules` writable from the container ## v1.1.3 ### Minor Changes * Allow configuration using values for `grpc` setting * Allow configuration using values for `grpc_output` setting ## v1.1.2 ### Minor Changes * Upgrade to Falco 0.20.0 * Upgrade rules to Falco 0.20.0 ## v1.1.1 ### Minor Changes * Upgrade to Falco 0.19.0 * Upgrade rules to Falco 0.19.0 * Remove Sysdig references, Falco is a project by its own name ## v1.1.0 ### Minor Changes * Revamp auditLog feature * Upgrade to latest version (0.18.0) * Replace CRI references with containerD ## v1.0.12 ### Minor Changes * Support multiple lines for `falco.programOutput.program` ## v1.0.11 ### Minor Changes * Add affinity ## v1.0.10 ### Minor Changes * Migrate API versions from deprecated, removed versions to support Kubernetes v1.16 ## v1.0.9 ### Minor Changes * Restrict the access to `/dev` on underlying host to read only ## v1.0.8 ### Minor Changes * Upgrade to Falco 0.17.1 * Upgrade rules to Falco 0.17.1 ## v1.0.7 ### Minor Changes * Allow configuration using values for `nodeSelector` setting ## v1.0.6 ### Minor Changes * Falco does a rollingUpgrade when the falco or falco-rules configMap changes with a helm upgrade ## v1.0.5 ### Minor Changes * Add 3 resources (`daemonsets`, `deployments`, `replicasets`) to the ClusterRole resource list Ref: [PR#514](https://github.com/falcosecurity/falco/pull/514) from Falco repository ## v1.0.4 ### Minor Changes * Upgrade to Falco 0.17.0 * Upgrade rules to Falco 0.17.0 ## v1.0.3 ### Minor Changes * Support [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/) ## v1.0.2 ### Minor Changes * Upgrade to Falco 0.16.0 * Upgrade rules to Falco 0.16.0 ## v1.0.1 ### Minor Changes * Extra environment variables passed to daemonset pods ## v1.0.0 ### Major Changes * Add support for K8s audit logging ## v0.9.1 ### Minor Changes * Allow configuration using values for `time_format_iso8601` setting * Allow configuration using values for `syscall_event_drops` setting * Allow configuration using values for `http_output` setting * Add CHANGELOG entry for v0.8.0, [not present on its PR](https://github.com/helm/charts/pull/14813#issuecomment-506821432) ## v0.9.0 ### Major Changes * Add nestorsalceda as an approver ## v0.8.0 ### Major Changes * Allow configuration of Pod Security Policy. This is needed to get Falco running when the Admission Controller is enabled. ## v0.7.10 ### Minor Changes * Fix bug with Google Cloud Security Command Center and Falco integration ## v0.7.9 ### Minor Changes * Upgrade to Falco 0.15.3 * Upgrade rules to Falco 0.15.3 ## v0.7.8 ### Minor Changes * Add TZ parameter for time correlation in Falco logs ## v0.7.7 ### Minor Changes * Upgrade to Falco 0.15.1 * Upgrade rules to Falco 0.15.1 ## v0.7.6 ### Major Changes * Allow to enable/disable usage of the docker socket * Configurable docker socket path * CRI support, configurable CRI socket * Allow to enable/disable usage of the CRI socket ## v0.7.5 ### Minor Changes * Upgrade to Falco 0.15.0 * Upgrade rules to Falco 0.15.0 ## v0.7.4 ### Minor Changes * Use the KUBERNETES_SERVICE_HOST environment variable to connect to Kubernetes API instead of using a fixed name ## v0.7.3 ### Minor Changes * Remove the toJson pipeline when storing Google Credentials. It makes strange stuff with double quotes and does not allow to use base64 encoded credentials ## v0.7.2 ### Minor Changes * Fix typos in README.md ## v0.7.1 ### Minor Changes * Add Google Pub/Sub Output integration ## v0.7.0 ### Major Changes * Disable eBPF by default on Falco. We activated eBPF by default to make the CI pass, but now we found a better method to make the CI pass without bothering our users. ## v0.6.0 ### Major Changes * Upgrade to Falco 0.14.0 * Upgrade rules to Falco 0.14.0 * Enable eBPF by default on Falco * Allow to download Falco images from different registries than `docker.io` * Use rollingUpdate strategy by default * Provide sane defauls for falco resource management ## v0.5.6 ### Minor Changes * Allow extra container args ## v0.5.5 ### Minor Changes * Update correct slack example ## v0.5.4 ### Minor Changes * Using Falco version 0.13.0 instead of latest. ## v0.5.3 ### Minor Changes * Update falco_rules.yaml file to use the same rules that Falco 0.13.0 ## v0.5.2 ### Minor Changes * Falco was accepted as a CNCF project. Fix references and download image from falcosecurity organization. ## v0.5.1 ### Minor Changes * Allow falco to resolve cluster hostnames when running with ebpf.hostNetwork: true ## v0.5.0 ### Major Changes * Add Amazon SNS Output integration ## v0.4.0 ### Major Changes * Allow Falco to be run with a HTTP proxy server ## v0.3.1 ### Minor Changes * Mount in memory volume for shm. It was used in volumes but was not mounted. ## v0.3.0 ### Major Changes * Add eBPF support for Falco. Falco can now read events via an eBPF program loaded into the kernel instead of the `falco-probe` kernel module. ## v0.2.1 ### Minor Changes * Update falco_rules.yaml file to use the same rules that Falco 0.11.1 ## v0.2.0 ### Major Changes * Add NATS Output integration ### Minor Changes * Fix value mismatch between code and documentation ## v0.1.1 ### Minor Changes * Fix several typos ## v0.1.0 ### Major Changes * Initial release of Sysdig Falco Helm Chart