fix(falco/config): use rules_files instead of deprecated key rules_file

Signed-off-by: Aldo Lacuku <[email protected]>
falcosecurity · Aug 1, 2024 · d17eebf · d17eebf
1 parent 4fba8a3
commit d17eebf
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 4 deletions.
diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md
@@ -3,6 +3,10 @@
 This file documents all notable changes to Falco Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## v4.7.1
+
+* fix(falco/config): use rules_files instead of deprecated key rules_file
+
 ## v4.7.0
 
 * bump k8smeta plugin to version 0.2.0. The new version, resolves a bug that prevented the plugin

diff --git a/charts/falco/Chart.yaml b/charts/falco/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: falco
-version: 4.7.0
+version: 4.7.1
 appVersion: "0.38.1"
 description: Falco
 keywords:

diff --git a/charts/falco/README.md b/charts/falco/README.md
@@ -581,7 +581,7 @@ If you use a Proxy in your cluster, the requests between `Falco` and `Falcosidek
 
 ## Configuration
 
-The following table lists the main configurable parameters of the falco chart v4.7.0 and their default values. See [values.yaml](./values.yaml) for full list.
+The following table lists the main configurable parameters of the falco chart v4.7.1 and their default values. See [values.yaml](./values.yaml) for full list.
 
 ## Values
 
@@ -681,7 +681,7 @@ The following table lists the main configurable parameters of the falco chart v4
 | falco.priority | string | `"debug"` | Any rule with a priority level more severe than or equal to the specified minimum level will be loaded and run by Falco. This allows you to filter and control the rules based on their severity, ensuring that only rules of a certain priority or higher are active and evaluated by Falco. Supported levels: "emergency", "alert", "critical", "error", "warning", "notice", "info", "debug" |
 | falco.program_output | object | `{"enabled":false,"keep_alive":false,"program":"jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"}` | Redirect the output to another program or command.  Possible additional things you might want to do with program output:   - send to a slack webhook:         program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"   - logging (alternate method than syslog):         program: logger -t falco-test   - send over a network connection:         program: nc host.example.com 80 If `keep_alive` is set to `true`, the program will be started once and continuously written to, with each output message on its own line. If `keep_alive` is set to `false`, the program will be re-spawned for each output message. Furthermore, the program will be re-spawned if Falco receives the SIGUSR1 signal. |
 | falco.rule_matching | string | `"first"` | - [Examples]  Only enable two rules:  rules:   - disable:       rule: "*"   - enable:       rule: Netcat Remote Code Execution in Container   - enable:       rule: Delete or rename shell history  Disable all rules with a specific tag:  rules:   - disable:       tag: network  [Incubating] `rule_matching`  - Falco has to be performant when evaluating rules against events. To quickly understand which rules could trigger on a specific event, Falco maintains buckets of rules sharing the same event type in a map. Then, the lookup in each bucket is performed through linear search. The `rule_matching` configuration key's values are:  - "first": when evaluating conditions of rules in a bucket, Falco will stop    to evaluate rules if it finds a matching rules. Since rules are stored    in buckets in the order they are defined in the rules files, this option    could prevent other rules to trigger even if their condition is met, causing    a shadowing problem.  - "all": with this value Falco will continue evaluating all the rules    stored in the bucket, so that multiple rules could be triggered upon one    event. |
-| falco.rules_file | list | `["/etc/falco/falco_rules.yaml","/etc/falco/falco_rules.local.yaml","/etc/falco/rules.d"]` | The location of the rules files that will be consumed by Falco. |
+| falco.rules_files | list | `["/etc/falco/falco_rules.yaml","/etc/falco/falco_rules.local.yaml","/etc/falco/rules.d"]` | The location of the rules files that will be consumed by Falco. |
 | falco.stdout_output | object | `{"enabled":true}` | Redirect logs to standard output. |
 | falco.syscall_event_drops | object | `{"actions":["log","alert"],"max_burst":1,"rate":0.03333,"simulate_drops":false,"threshold":0.1}` | For debugging/testing it is possible to simulate the drops using the `simulate_drops: true`. In this case the threshold does not apply. |
 | falco.syscall_event_drops.actions | list | `["log","alert"]` | Actions to be taken when system calls were dropped from the circular buffer. |

diff --git a/charts/falco/values.yaml b/charts/falco/values.yaml
@@ -621,7 +621,7 @@ falco:
   # desired customizations and rule behaviors are prioritized and applied as
   # intended.
   # -- The location of the rules files that will be consumed by Falco.
-  rules_file:
+  rules_files:
     - /etc/falco/falco_rules.yaml
     - /etc/falco/falco_rules.local.yaml
     - /etc/falco/rules.d