---
driver:
  kind: ebpf
  loader:
    initContainer:
      image:
        repository: falcosecurity/falco-driver-loader-legacy
        #registry: docker.io
        # repository: tosmi/falco-driver-loader
        #tag: 0.36.1

services:
  - name: k8saudit-webhook
    type: ClusterIP
    ports:
      - port: 9765 # See plugin open_params
        protocol: TCP

falco:
  # maybe disable stdout_output in production
  stdout_output:
    enabled: true
  # this is required to forward events to vector
  http_output:
    enabled: true
    url: vector.falco.svc.cluster.local:8080
  json_output: true
  json_include_output_property: true
  log_syslog: false
  log_stderr: true
  log_level: debug
  libs_logger:
    enabled: false
    severity: debug
  # overwrite the default rules list, currently we only want our
  # custom rules to be active
  rules_file:
    - /etc/falco/extra-rules.d
    - /etc/falco/rules.d
  # for kubernetes events we need the k8saudit and json plugins
  load_plugins:
    - k8saudit
    - json
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so
      init_config:
      #   maxEventSize: 262144
      #   webhookMaxBatchSize: 12582912
      #   sslCertificate: /etc/falco/falco.pem
      #
      # reading the audit log as file does only work if it is not rotated
      # the falco docs also mention that for a production deployment
      # you should forward logs via webhook
      # open_params: "/host/var/log/kube-apiserver/audit.log"
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so
      init_config: ""

falcoctl:
  artifact:
    install:
      enabled: false
    follow:
      enabled: false

falcosidekick:
  replicaCount: 1
  enabled: false
  webui:
    replicaCount: 1
    enabled: false
  ingress:
    enabled: false
    host: falcosidekick.local # patch me in cluster overlay

mounts:
  volumes:
    - name: kube-apiserver-audit-mount
      hostPath:
        # path: /var/log/kube-apiserver/audit.log
        path: /var/log/kube-apiserver
    - name: falco-extra-rules-volume
      optional: true
      configMap:
        name: falco-extra-rules
  volumeMounts:
    - mountPath: /host/var/log/kube-apiserver
      name: kube-apiserver-audit-mount
    - mountPath: /etc/falco/extra-rules.d
      name: falco-extra-rules-volume

# Custom rules a now deploy via an extra configmap
#
# customRules:
#   rules-tty-commands.yaml: |-
#     - rule: Log commands in an interactive shell
#       desc: >-
#         Log all commands executed in a container that has a tty
#         attached. Taken from
#         https://github.com/falcosecurity/falco/issues/2338#issuecomment-1631308628.
#       condition: >-
#         spawned_process
#         and container
#         and proc.tty != 0
#         and proc.is_vpgid_leader=true
#       output: Executed command in container (proc_exe=%proc.exe proc_sname=%proc.sname gparent=%proc.aname[2] proc_exe_ino_ctime=%proc.exe_ino.ctime proc_exe_ino_mtime=%proc.exe_ino.mtime proc_exe_ino_ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start proc_cwd=%proc.cwd container_start_ts=%container.start_ts evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
#       priority: CRITICAL
#       tags: [custom_rule, container, process, tty]