openova/clusters/_template/bootstrap-kit/31-falco.yaml
e3mrah b88e98026f
fix(bp-falco): rename rules_file → rules_files (Falco 0.36+ canonical key, Closes #570) (#574)
Falco 0.36+ uses `rules_files` (plural) as the canonical multi-file rules
key. Setting the deprecated `rules_file` (singular) alongside the upstream
subchart's `rules_files` default causes Falco to detect a config conflict
and abort startup with CrashLoopBackOff on otech22.

Bump bp-falco 1.0.0 → 1.0.1. Bootstrap-kit slot 31 updated.

Co-authored-by: alierenbaysal <alierenbaysal@openova.io>
2026-05-02 12:59:29 +04:00

# bp-falco — Catalyst bootstrap-kit Blueprint #31 (W2.K3, Tier 7 — Security/Policy).
# Runtime threat detection (CNCF Graduated). eBPF kernel-level syscall
# monitoring for container escapes, privilege escalation, anomalous
# behavior. Runs as a DaemonSet on every host of the Sovereign;
# Falcosidekick fans events into the SIEM pipeline (Loki/JetStream).
#
# Wrapper chart: platform/falco/chart/ (umbrella over upstream
# falcosecurity/falco chart, Catalyst-curated values under the `falco:`
# key — modern_ebpf driver, falcosidekick enabled).
# Reconciled by: Flux on the new Sovereign's k3s control plane.
#
# dependsOn:
#   - bp-cilium — Falco's modern_ebpf probe loads alongside Cilium's
#     eBPF programs on the same kernel hook points. Bringing Falco up
#     before the CNI is finalised has produced flaky probe-load races
#     in field testing; sequencing after bp-cilium Ready avoids that.
---
apiVersion: v1
kind: Namespace
metadata:
  name: falco
  labels:
    catalyst.openova.io/sovereign: ${SOVEREIGN_FQDN}
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: bp-falco
  namespace: flux-system
spec:
  type: oci
  interval: 15m
  url: oci://ghcr.io/openova-io
  secretRef:
    name: ghcr-pull
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: bp-falco
  namespace: flux-system
spec:
  interval: 15m
  releaseName: falco
  targetNamespace: falco
  dependsOn:
    - name: bp-cilium
  chart:
    spec:
      chart: bp-falco
      version: 1.0.1
      sourceRef:
        kind: HelmRepository
        name: bp-falco
        namespace: flux-system
  # Event-driven install: Falco's DaemonSet rolls out per-node and the
  # eBPF probe load is sensitive to kernel headers / module presence.
  # Per-node Ready is properly observed via DaemonSet status, not via
  # Helm `--wait`. disableWait keeps Flux's signal aligned with
  # manifest apply.
  install:
    disableWait: true
    remediation:
      retries: 3
  upgrade:
    disableWait: true
    remediation:
      retries: 3
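The commit above fixes a values-level conflict (deprecated `rules_file` set next to the subchart's `rules_files`) that only surfaces as a CrashLoopBackOff once Falco starts. The following is an added example, not code from the bp-falco chart or the Falco project: a pre-commit style check that walks a Helm values tree of any nesting depth, reports every mapping that still carries the singular key, and can fold it into the canonical plural key. The sample values tree is constructed for the example; the exact key layout of the real wrapper chart (`falco.falco.rules_files`) and the file paths in it are assumptions.

```python
"""Detect and migrate the deprecated Falco `rules_file` values key.

Falco 0.36+ reads `rules_files` (plural). A values tree that also sets the
deprecated singular key makes Falco refuse to start, so catch it in CI
before Flux ever reconciles the HelmRelease.
"""
from typing import Any, List, Tuple

DEPRECATED_KEY = "rules_file"
CANONICAL_KEY = "rules_files"


def find_rules_key_issues(values: Any, path: str = "") -> List[Tuple[str, str]]:
    """Return (dotted_path, kind) pairs for every `rules_file` occurrence.

    kind is "conflict" when the same mapping also carries `rules_files`
    (the startup-abort case) and "deprecated" when only the singular key
    is present. Lists are descended too, so values files that nest under
    array items are covered.
    """
    issues: List[Tuple[str, str]] = []
    if isinstance(values, dict):
        if DEPRECATED_KEY in values:
            kind = "conflict" if CANONICAL_KEY in values else "deprecated"
            issues.append((f"{path}.{DEPRECATED_KEY}".lstrip("."), kind))
        for key, child in values.items():
            issues.extend(find_rules_key_issues(child, f"{path}.{key}".lstrip(".")))
    elif isinstance(values, list):
        for idx, child in enumerate(values):
            issues.extend(find_rules_key_issues(child, f"{path}[{idx}]"))
    return issues


def migrate_rules_key(values: Any) -> Any:
    """Return a deep copy where every `rules_file` is folded into `rules_files`.

    Entries already listed under the canonical key keep their order; entries
    from the deprecated key are appended once each, so no rule file is lost
    and none is loaded twice.
    """
    if isinstance(values, dict):
        out = {k: migrate_rules_key(v) for k, v in values.items() if k != DEPRECATED_KEY}
        if DEPRECATED_KEY in values:
            old = values[DEPRECATED_KEY]
            old_list = old if isinstance(old, list) else [old]
            canonical = out.get(CANONICAL_KEY, [])
            merged = list(canonical) if isinstance(canonical, list) else [canonical]
            for entry in old_list:
                if entry not in merged:
                    merged.append(entry)
            out[CANONICAL_KEY] = merged
        return out
    if isinstance(values, list):
        return [migrate_rules_key(v) for v in values]
    return values


def check_values_file(path: str) -> List[Tuple[str, str]]:
    """Load a values YAML file and run the check; PyYAML is imported lazily."""
    import yaml  # optional dependency, only needed for real files

    with open(path) as fh:
        return find_rules_key_issues(yaml.safe_load(fh) or {})


# Constructed sample (not the real bp-falco values): the wrapper nests the
# upstream chart's values under `falco:`, the subchart default already
# carries `rules_files`, and a curated override re-adds the deprecated key.
SAMPLE_VALUES = {
    "falco": {
        "falco": {
            "rules_files": ["/etc/falco/falco_rules.yaml", "/etc/falco/rules.d"],
            "rules_file": ["/etc/falco/falco_rules.yaml", "/etc/falco/custom_rules.yaml"],
        },
        "driver": {"kind": "modern_ebpf"},
    }
}

if __name__ == "__main__":
    for dotted, kind in find_rules_key_issues(SAMPLE_VALUES):
        print(f"{kind}: {dotted}")
    print(migrate_rules_key(SAMPLE_VALUES)["falco"]["falco"])
```

Wire `check_values_file` into the chart's CI and fail the pipeline on any "conflict" entry; "deprecated" entries are safe to auto-migrate with `migrate_rules_key` and commit.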
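The `disableWait` comment in the HelmRelease says per-node readiness should be read from the DaemonSet status rather than from Helm's `--wait`. The following is an added example, not part of the bootstrap-kit or of Flux: it evaluates a DaemonSet object the way a rollout-status check does, including the two cases that trip naive checks, a stale `observedGeneration` after a template change and a DaemonSet scheduled on zero nodes (which for a detection agent means no coverage, not success). The DaemonSet objects are constructed for the example; the field names are the standard `apps/v1` DaemonSet status fields.

```python
"""Decide whether a per-node DaemonSet rollout (e.g. Falco) has settled."""
from typing import Any, Dict, Tuple


def daemonset_rollout_state(ds: Dict[str, Any]) -> Tuple[bool, str]:
    """Return (ready, reason) for an apps/v1 DaemonSet object as a dict.

    Order of checks matters: a status block that has not caught up with the
    latest spec generation can still show the old template as fully ready.
    """
    generation = ds.get("metadata", {}).get("generation", 0)
    status = ds.get("status", {})
    observed = status.get("observedGeneration", 0)
    if observed < generation:
        return False, f"controller has not observed generation {generation} yet (saw {observed})"

    desired = status.get("desiredNumberScheduled", 0)
    updated = status.get("updatedNumberScheduled", 0)
    ready = status.get("numberReady", 0)
    available = status.get("numberAvailable", 0)
    unavailable = status.get("numberUnavailable", 0)

    # A detection agent scheduled on no node is a coverage gap, not a success.
    if desired == 0:
        return False, "no node matches the DaemonSet's node selector/tolerations"
    if updated < desired:
        return False, f"{updated}/{desired} nodes run the new pod template"
    if ready < desired or unavailable > 0:
        return False, f"{ready}/{desired} pods ready, {unavailable} unavailable"
    if available < desired:
        return False, f"{available}/{desired} pods available (minReadySeconds not elapsed)"
    return True, f"{ready}/{desired} pods ready on the new template"


# Constructed sample objects (not captured from a cluster).
MID_ROLLOUT = {
    "metadata": {"name": "falco", "generation": 3},
    "status": {
        "observedGeneration": 3,
        "desiredNumberScheduled": 4,
        "updatedNumberScheduled": 2,
        "numberReady": 3,
        "numberAvailable": 3,
        "numberUnavailable": 1,
    },
}
SETTLED = {
    "metadata": {"name": "falco", "generation": 3},
    "status": {
        "observedGeneration": 3,
        "desiredNumberScheduled": 4,
        "updatedNumberScheduled": 4,
        "numberReady": 4,
        "numberAvailable": 4,
        "numberUnavailable": 0,
    },
}
STALE_STATUS = {
    "metadata": {"name": "falco", "generation": 4},
    "status": dict(SETTLED["status"]),  # still reports generation 3 as fully ready
}
UNSCHEDULED = {
    "metadata": {"name": "falco", "generation": 1},
    "status": {"observedGeneration": 1, "desiredNumberScheduled": 0},
}

if __name__ == "__main__":
    for label, obj in [("mid-rollout", MID_ROLLOUT), ("settled", SETTLED),
                       ("stale", STALE_STATUS), ("unscheduled", UNSCHEDULED)]:
        print(label, daemonset_rollout_state(obj))
```

In practice the object comes from `kubectl get daemonset falco -n falco -o json`; feeding that JSON to `daemonset_rollout_state` gives the same signal Flux would get from a health check, without blocking the HelmRelease on Helm's own wait.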