Ability to specify arguments for falcosidekick-ui via helm charts
Motivation
falcosidekick-ui offers multiple options like below which can be provided as arguments to executable. These options cannot be used by official falcosidekick helm charts. I specifically wanted to use option -t to configure TTL for keys stored in redis but official helm charts are not allowing me to do so.
Usage of Falcosidekick-UI:
  -a string
        Listen Address (default "0.0.0.0", environment "FALCOSIDEKICK_UI_ADDR")
  -d    Enable dark mode as default
  -p int
        Listen Port (default 2802, environment "FALCOSIDEKICK_UI_PORT")
  -r string
        Redis server address (default "localhost:6379", environment "FALCOSIDEKICK_UI_REDIS_URL")
  -t int
        TTL for keys (default 0, environment "FALCOSIDEKICK_UI_TTL")
  -x    Allow CORS for development (environment "FALCOSIDEKICK_UI_DEV")
Feature
The configurable option below would be nice to have, to allow helm chart users to provide extra environment configuration to falcosidekick-ui:

webui:
  extraEnv: []

OR

webui:
  extraArgs: []

OR BOTH
Alternatives
Every user creates their own custom chart if they wish to use falcosidekick-ui options.
Additional info
If you think this feature request is valid, please approve. I am happy to create a PR to include webui.extraArgs: [] or webui.extraEnv: []
FYI, the TTL feature is in the master branch but not yet released. When it is available, I'll update the helm to allow extra args as requested.
Thanks @Issif
@Issif Any updates on this?
In the next weeks, I'll have a little more time to release the new versions of Falcosidekick and Falcosidekick-UI. I hope to do so before Christmas.
@Issif Any update on this?
Hi,
I faced issues with the CI for the release of UI before my holidays. I'm back, and the releases of sidekick and UI are my top prios. The chart update will follow; the PR is ready.
The helm chart is released :+1:
Hey @Issif, is this ttl value supposed to be in seconds? Chart says value should be an integer. But does not specify the unit.
Yes it is :sweat_smile:
https://redis.io/commands/ttl/
Unless I am missing something, but this looks like a related missing setting. I am using the ingress setting for the Falco Sidekick UI and it doesn't actually seem to work since I cannot set the FALCOSIDEKICK_UI_ADDR and it is not correctly set to the host name, and as a result, I am getting a 404 on all of the resources needed to load the UI. Is there any kind of workaround that you can think of for now? Or will I have to use a port-forward to access the Falco Sidekick UI?
@benglewis can you provide your config please.
{
  "driver": {
    "enabled": true,
    "kind": "modern-bpf"
  },
  "collectors": {
    "enabled": true,
    "containerd": {
      "enabled": true,
      "socket": "/run/containerd/containerd.sock"
    }
  },
  "falcoctl": {
    "artifact": {
      "install": {
        "enabled": true
      },
      "follow": {
        "enabled": true
      }
    },
    "config": {
      "artifact": {
        "install": {
          "refs": [
            "falco-rules:3"
          ]
        },
        "follow": {
          "refs": [
            "falco-rules:3"
          ]
        }
      }
    }
  },
  "tty": true,
  "falco": {
    "grpc": {
      "enabled": true
    },
    "grpc_output": {
      "enabled": true
    },
    "webserver": {
      "enabled": true,
      "k8s_healthz_endpoint": "/healthz",
      "listen_port": 8765,
      "prometheus_metrics_enabled": true,
      "ssl_enabled": false,
      "threadiness": 0
    },
    "metrics": {
      "convert_memory_to_mb": true,
      "enabled": true,
      "include_empty_values": false,
      "interval": "1h",
      "kernel_event_counters_enabled": true,
      "libbpf_stats_enabled": true,
      "output_rule": true,
      "resource_utilization_enabled": true,
      "rules_counters_enabled": true,
      "state_counters_enabled": true
    }
  },
  "falcosidekick": {
    "enabled": true,
    "webui": {
      "enabled": true,
      "user": "REDACTED:REDACTED",
      "service": {
        "type": "NodePort",
        "annotations": {
          "cloud.google.com/neg": "{\"ingress\": true}",
          "cloud.google.com/app-protocols": "{\"http\": \"HTTP\"}"
        }
      },
      "ingress": {
        "enabled": true,
        "annotations": {
          "kubernetes.io/ingress.class": "gce-internal",
          "kubernetes.io/ingress.allow-http": "true",
          "networking.gke.io/v1beta1.FrontendConfig": "frontend-config"
        },
        "hosts": [
          {
            "host": "falcosidekick-ui.falco.mvp.dev.hirundo.io",
            "paths": [
              {
                "path": "/"
              }
            ]
          }
        ]
      }
    }
  }
}
---
driver:
  enabled: true
  kind: "modern-bpf"
collectors:
  enabled: true
  containerd:
    enabled: true
    socket: "/run/containerd/containerd.sock"
falcoctl:
  artifact:
    install:
      enabled: true
    follow:
      enabled: true
  config:
    artifact:
      install:
        refs:
          - "falco-rules:3"
      follow:
        refs:
          - "falco-rules:3"
tty: true
falco:
  grpc:
    enabled: true
  grpc_output:
    enabled: true
  webserver:
    enabled: true
    k8s_healthz_endpoint: "/healthz"
    listen_port: "8765"
    prometheus_metrics_enabled: true
    ssl_enabled: "false"
    threadiness: "0"
  metrics:
    convert_memory_to_mb: true
    enabled: true
    include_empty_values: "false"
    interval: "1h"
    kernel_event_counters_enabled: true
    libbpf_stats_enabled: true
    output_rule: true
    resource_utilization_enabled: true
    rules_counters_enabled: true
    state_counters_enabled: true
falcosidekick:
  enabled: true
  webui:
    enabled: true
    user: "REDACTED:REDACTED"
    service:
      type: "NodePort"
      annotations:
        cloud.google.com/neg: "{\"ingress\": true}"
        cloud.google.com/app-protocols: "{\"http\": \"HTTP\"}"
    ingress:
      enabled: true
      annotations:
        kubernetes.io/ingress.class: "gce-internal"
        kubernetes.io/ingress.allow-http: true
        networking.gke.io/v1beta1.FrontendConfig: "frontend-config"
      hosts:
        - host: "falcosidekick-ui.falco.mvp.dev.hirundo.io"
          paths:
            - path: "/"
Here it is
Can you try by also setting the ingressClassName?

falcosidekick:
  webui:
    ingress:
      ingressClassName: "gce-internal"

Any reason why the service is using NodePort and not ClusterIP? Is that a requirement from GKE?
I think that I took the NodePort option due to this note on this GCP GKE page: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#multiple_backend_services
But I realize now that I actually can use container native load balancing from the looks of it, so I will try changing it to ClusterIP instead. I will also try the ingressClassName option. I need a few minutes to apply this and take a look. I will update here :)
I tried setting ClusterIP and ingressClassName and it didn't help. Here's what I see: