Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Custom talon rules not working #491

Open
leofvo opened this issue Oct 15, 2024 · 4 comments
Open

Custom talon rules not working #491

leofvo opened this issue Oct 15, 2024 · 4 comments
Assignees
Labels
Milestone

Comments

@leofvo
Copy link

leofvo commented Oct 15, 2024

Hello,

I'm trying to POC falco and talon on local environment and I can't figure out how to custom talon rules.
You can find the whole code used here

Following the README and the Falco part only (on my projet), I set up Falco, falco-sidekick and falco-talon.
All working, except when I try to make custom rules for talon. It seems that if I overwrite this part:

# -- config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/)
config:
  # -- list of locale rules to load, they will be concatenated into a single config map
  rulesFiles:
    - rules/talon.yaml

The rules aren't loaded anymore, and my custom rules aren't loaded, too.
The configmap created is empty as follows:

k describe configmap -n falco falco-talon-rules                                              
Name:         falco-talon-rules
Namespace:    falco
Labels:       app.kubernetes.io/instance=falco-talon
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=falco-talon
              app.kubernetes.io/part-of=falco-talon
              app.kubernetes.io/version=0.1.1
              helm.sh/chart=falco-talon-0.1.2
Annotations:  meta.helm.sh/release-name: falco-talon
              meta.helm.sh/release-namespace: falco

Data
====
rules.yaml:
----


BinaryData
====

I think this is a helm chart issues that the path used to get the file content isn't relative or something like that.
How can I handle that ?

@Issif
Copy link
Member

Issif commented Oct 15, 2024

Hi,

This is a limitation I also noticed, and I'm working on a fix. For now, the listed rules files must be in the same folder as the values.yaml and only relative paths must be used (ie: no path and just the file name). Sorry for that, the helm features to manage files are not really great and all my devs have been made with local files, this is why I noticed this issue lately.

@leofvo
Copy link
Author

leofvo commented Oct 15, 2024

Yeah, here is what I understood reading the configmap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "falco-talon.name" . }}-rules
  labels:
    {{- include "falco-talon.labels" . | nindent 4 }}
data:
  rules.yaml: |-
{{- range $file := .Values.config.rulesFiles -}}
{{ $fileContent := $.Files.Get . }}
{{- $fileContent | nindent 4 -}}
{{- end -}}

$.Files.Get is used to retrieve the content of a file from the chart.

So if we provide a file not directly included in the chart, the helm function isn't reading the content...

Maybe we should allow user to pass rules directly from the chart, like falco is doing (cf: https://falco.org/docs/rules/custom-ruleset/)
By adding a field like:

customRules:
  talon-rules.yaml: |-
    - rule: Example rule
      desc: ...

I would be excited to contribute to the project and implement this if you're agreeing.

Otherwise, I think a better way to improve the rules customization could be by adding rules via CRDs, like Kyverno does. But this seems to be harder to implement.

@Issif
Copy link
Member

Issif commented Oct 15, 2024

Your contribution will be welcome for sure, just take care, the official chart is https://github.com/falcosecurity/charts/tree/master/charts/falco-talon, the chart included in this repo will be removed soon.

For the operator, it's already a WIP, with @alacuku we'll work on an operator to manage falco, its plugins and rules, but also the integrations with falcosidekick and the reactions with talon, all in a consistent way.

@leofvo
Copy link
Author

leofvo commented Oct 15, 2024

I proposed a fix and some improvements 🚀
Thanks for your help!

@Issif Issif self-assigned this Oct 16, 2024
@Issif Issif added this to the v0.2.0 milestone Oct 16, 2024
@Issif Issif modified the milestones: v0.2.0, v0.x Dec 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants