apps: upgrade falco chart and rework exceptions #1843
Remove old irrelevant rule/exceptions not applicable for old falco version. Add/keep relevant rules for the new falco version.
Which rules are included with this? Is it everything in the default rules file but nothing from the incubating or sandbox files? Please note this in the PR message as well so that it will be part of the changelog.
Only default rules are used. Noted in PR message. @viktor-f
Enable upstream sandbox and incubating rules. Add the option to enable/disable/tag upstream rule files in common-config. Additionally add exceptions for the most spammy rules from the upstream rule files.
I think this looks good.
Since this disables the incubating and sandbox rules (that previously were enabled as part of the old single rules file), I think that should be noted in the PR and it should be noted as a release note or admin-change.
You should add the release note or admin change in the PR description instead (there are some headers that you can uncomment from the template) and you can remove the text in the wip-changelog (that file is deprecated).
@viktor-f Does it look ok now?
LGTM (note that I have not tested it)
During prolonged running, more alerts were observed. Add exceptions for the observed alerts
Warning
This is a public repository, ensure not to disclose:
What kind of PR is this?
Required: Mark one of the following that is applicable:
Important
Breaking changes should be marked kind/admin-change or kind/dev-change depending on type.
Critical security fixes should be marked with kind/security.
What does this PR do / why do we need this PR?
Which issue this PR fixes: fixes #1807
Upgrades falcosecurity/falco to 3.8.3 with app version 0.36.1.
Upgrades falcosecurity/falco-exporter to 0.9.7.
Adds an option to enable/disable upstream rule files in apps config.
Tests falco on compliant with all AMS installed.
Filters out false positives with exceptions while default, sandbox and incubating rules are enabled.
Platform Administrator notice
Checklist
Note!
New issues should be created to add more rules back into our platform before this is merged.