Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

apps: upgrade falco chart and rework exceptions #1843

Merged
merged 5 commits into from
Nov 7, 2023
Merged

apps: upgrade falco chart and rework exceptions #1843

merged 5 commits into from
Nov 7, 2023

Conversation

Eliastisys
Copy link
Contributor

@Eliastisys Eliastisys commented Oct 26, 2023
edited
Loading

Warning

This is public repository, ensure not to disclose:

  • personal data beyond what is necessary for interacting with this pull request
  • business confidential information, such as customer names

What kind of PR is this?

Required: Mark one of the following that is applicable:

  • kind/feature
  • kind/improvement
  • kind/deprecation
  • kind/documentation
  • kind/clean-up
  • kind/bug
  • kind/other

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

  • kind/admin-change
  • kind/dev-change
  • kind/security
  • kind/adr

What does this PR do / why do we need this PR?

Which issue this PR fixes: fixes #1807

Upgrades falcosecurity/falco to 3.8.3 with app version 0.36.1.
Upgrades falcosecurity/falco-exporter to 0.9.7.
Adds an option to enable/disable upstream rule files in apps config.
Tests falco on compliant with all AMS installed.
Filters out false positives with exceptions while default, sandbox and incubating rules are enabled.

Platform Administrator notice

  • Disables falco incubating and sandbox rules.

Checklist

  • I checked the migration of the new Chart:
    • I upgraded a Chart and determined that no migration steps are needed.
    • I upgraded a Chart and added migration steps.
  • I tested the functionality provided by the new Chart (e.g., Auth flow, Grafana dashboards, etc.)
  • New issues are created to add more rules back into the platform.

Note!

New issues should be created to add more rules back into our platform before this is merged.

@Eliastisys Eliastisys force-pushed the andre-elias/upgrade-falco-chart branch from 5dc8cd3 to afb76b7 Compare October 26, 2023 14:51
@LundqvistAndre LundqvistAndre force-pushed the andre-elias/upgrade-falco-chart branch 3 times, most recently from 83b8c24 to 0957947 Compare October 27, 2023 14:01
update: remove irrelevant rules, add exceptions
5c253a5 
Remove old irrelevant rule/exceptions not applicable for old falco version.
Add/keep relevant rules for the new falco version.
viktor-f
viktor-f reviewed Oct 30, 2023
View reviewed changes
Copy link
Contributor

@viktor-f viktor-f left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which rules are included with this? Is it everything in the default rules file but nothing from the incubating or sandbox files? Please note this in the PR message as well so that it will be part of the changelog.

helmfile/values/falco/falco-common.yaml.gotmpl Show resolved Hide resolved
@Eliastisys
Copy link
Contributor Author

Which rules are included with this? Is it everything in the default rules file but nothing from the incubating or sandbox files? Please note this in the PR message as well so that it will be part of the changelog.

Only default rules are used. Noted in PR message. @viktor-f

update: Add sandbox and incubating rules
83a1927 
Enable upstream sandbox and incubating rules.
Add the option to enable/disable/tag upstream rule files in common-config.
Additonally add exceptions for the most spammy rules from the upstream rule files.
viktor-f
viktor-f reviewed Oct 31, 2023
View reviewed changes
Copy link
Contributor

@viktor-f viktor-f left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this looks good.
Since this disables the incubating and sandbox rules (that previously were enabled as part of the old single rules file), I think that should be noted in the PR and it should be noted as a release note or admin-change.

config/config/common-config.yaml Outdated Show resolved Hide resolved
@viktor-f
Copy link
Contributor

viktor-f commented Nov 2, 2023

You should add the release note or admin change in the PR description instead (there are some headers that you can uncomment from the template) and you can remove the text in the wip-changelog (that files is deprecated).

@Eliastisys Eliastisys force-pushed the andre-elias/upgrade-falco-chart branch from 82da963 to bc0c151 Compare November 2, 2023 14:00
@Eliastisys
Copy link
Contributor Author

You should add the release note or admin change in the PR description instead (there are some headers that you can uncomment from the template) and you can remove the text in the wip-changelog (that files is deprecated).

@viktor-f Does it look ok now?

viktor-f
viktor-f approved these changes Nov 3, 2023
View reviewed changes
Copy link
Contributor

@viktor-f viktor-f left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM (note that I have not tested it)

@Eliastisys Eliastisys changed the title Andre-elias/upgrade falco chart apps: upgrade falco chart and rework exceptions Nov 6, 2023
apps: Add more exceptions
1b374ec 
During prolonged running, more alerts were observed.
Add exceptions for the observed alerts
@LundqvistAndre LundqvistAndre merged commit 94ab664 into main Nov 7, 2023
15 checks passed
@LundqvistAndre LundqvistAndre deleted the andre-elias/upgrade-falco-chart branch November 7, 2023 08:20
@anders-elastisys anders-elastisys mentioned this pull request Jan 3, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LundqvistAndre LundqvistAndre LundqvistAndre left review comments

@Pavan-Gunda Pavan-Gunda Pavan-Gunda approved these changes

@viktor-f viktor-f viktor-f approved these changes

@raviranjanelastisys raviranjanelastisys Awaiting requested review from raviranjanelastisys

Assignees

@LundqvistAndre LundqvistAndre

@Eliastisys Eliastisys

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Upgrade falco chart to v3.7 and app to v0.36
4 participants
@Eliastisys @viktor-f @Pavan-Gunda @LundqvistAndre