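# Helm values that run Falco with two event sources at once: syscalls (through
# the driver) and Kubernetes audit logs (through the k8saudit plugin).

# Enable the driver, and choose between the kernel module or the ebpf probe.
# Default value: kernel module.
driver:
  enabled: true
  kind: module

# Enable the collectors used to enrich the events with metadata.
# Check the values.yaml file for fine-grained options.
collectors:
  enabled: true

# The controller is a daemonset because the syscalls source is enabled: this
# ensures that every node in the cluster is monitored by Falco.
# Note that the api-server sends audit logs to the Falco instances through the
# "k8saudit-webhook" service. With several Falco instances there is no way to
# predict which instance receives a given audit event, so when testing, check
# all the Falco instances to make sure that at least one of them has received
# the audit logs.
controller:
  kind: daemonset

falcoctl:
  artifact:
    install:
      # -- Enable the init container.
      enabled: true
    follow:
      # -- Enable the sidecar container.
      enabled: true
  config:
    artifact:
      install:
        # -- List of artifacts to be installed by the falcoctl init container.
        # Quoted so that every parser reads "name:tag" as one string.
        refs: ["falco-rules:3", "k8saudit-rules:0.7"]
      follow:
        # -- List of artifacts to be followed by the falcoctl sidecar container.
        # The sidecar keeps pulling whatever is published under these tags, so
        # the rules in use can change without a change to this file. Use a
        # more specific tag where rule updates have to be reviewed first.
        refs: ["falco-rules:3", "k8saudit-rules:0.7"]

# Service the api-server posts audit events to. NodePort publishes the webhook
# on port 30007 of every node, so anything that can reach a node address can
# reach the endpoint. Restrict the allowed sources to the api-server (for
# example with a firewall rule or a NetworkPolicy).
services:
  - name: k8saudit-webhook
    type: NodePort
    ports:
      - port: 9765  # See plugin open_params
        nodePort: 30007
        protocol: TCP

falco:
  rules_file:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/rules.d
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so
      # No plugin options are set: the value is the empty string. The
      # commented keys below show options that can be given here instead.
      init_config:
        ""
        # maxEventBytes: 1048576
        # sslCertificate: /etc/falco/falco.pem
      # Empty host: the webhook listens on all interfaces, on the port the
      # k8saudit-webhook service points at. The scheme is plain http, so audit
      # events (which can include request bodies) cross the network
      # unencrypted, and nothing in this file authenticates the sender.
      # Outside a test cluster, evaluate an https endpoint together with the
      # sslCertificate option above.
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so
      init_config: ""
  # Only the plugins listed here are loaded.
  load_plugins: [k8saudit, json]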