Commit

Fix information about falco on GKE
kasia-kujawa committed Jan 25, 2021
1 parent 2ba0fbb commit 23eb908
Showing 3 changed files with 8 additions and 4 deletions.
7 changes: 4 additions & 3 deletions deploy/docs/Troubleshoot_Collection.md
Expand Up @@ -23,7 +23,8 @@
- [Error: could not find tiller](#error-could-not-find-tiller)
- [Errors in helm installation](#errors-in-helm-installation)
- [Rancher](#rancher)
- [Falco](#falco)
- [Falco and Google Kubernetes Engine (GKE)](#falco-and-google-kubernetes-engine-gke)
- [Falco and OpenShift](#falco-and-openshift)

<!-- /TOC -->

Expand Down Expand Up @@ -366,7 +367,7 @@ If you have the Rancher prometheus operator setup running, they will have to use
### Falco and Google Kubernetes Engine (GKE)
`Google Kubernetes Engine (GKE)` uses Container-Optimized OS (COS) as the default operating system for its worker node pools. COS is a security-enhanced operating system that limits access to certain parts of the underlying OS. Because of this security constraint, Falco cannot insert its kernel module to process events for system calls. However, COS provides the ability to use extended Berkeley Packet Filter (eBPF) to supply the stream of system calls to the Falco engine. eBPF is currently only supported on GKE and COS. For more information see [Installing Falco](https://falco.org/docs/installation/).
`Google Kubernetes Engine (GKE)` uses Container-Optimized OS (COS) as the default operating system for its worker node pools. COS is a security-enhanced operating system that limits access to certain parts of the underlying OS. Because of this security constraint, Falco cannot insert its kernel module to process events for system calls. However, COS provides the ability to use extended Berkeley Packet Filter (eBPF) to supply the stream of system calls to the Falco engine. eBPF is currently only supported on GKE and COS. For more information see [Falco documentation](https://falco.org/docs/getting-started/third-party/#gke).
To install on `GKE`, use the provided override file to customize your configuration and uncomment the following lines in the `values.yaml` file referenced below:
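Review bot: In the rewritten GKE paragraph the product name is still wrapped in code formatting (`Google Kubernetes Engine (GKE)`, and `GKE` again in the install sentence after it); since the line is being touched anyway, plain text is the right markup there, with backticks kept for real identifiers such as `values.yaml`. The new link also depends on the `#gke` fragment of an external page, so naming the section in the link text (for example "Falco documentation, GKE section") would let readers still find it if that anchor moves.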
Expand All @@ -375,7 +376,7 @@ To install on `GKE`, use the provided override file to customize your configurat
# enabled: true
```
### Falco
### Falco and OpenShift
Falco does not provide modules for all kernels.
When Falco module is not available for particular kernel, Falco tries to build it.
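Review bot: Renaming the heading from `### Falco` to `### Falco and OpenShift` changes its anchor from `#falco` to `#falco-and-openshift`, and only the in-page TOC entry is updated in this commit, so any other link to `Troubleshoot_Collection.md#falco` will stop resolving. Please search the repository for references to the old fragment and update them, or keep an explicit anchor for `falco` above the renamed heading.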
2 changes: 1 addition & 1 deletion deploy/helm/sumologic/README.md
Expand Up @@ -201,7 +201,7 @@ Parameter | Description | Default
`falco.enabled` | Flag to control deploying Falco Helm sub-chart. | `false`
`falco.addKernelDevel` | Flag to control installation of `kernel-devel` on nodes using MachineConfig, required to build falco modules (only for OpenShift with Machine Config operator) | `false`
`falco.extraInitContainers` | InitContainers for Falco pod | `[]`
`falco.ebpf.enabled` | Enable eBPF support for Falco instead of falco-probe kernel module. Set to false for GKE. | `true`
`falco.ebpf.enabled` | Enable eBPF support for Falco instead of falco-probe kernel module. Set to true for GKE. | `false`
`falco.falco.jsonOutput` | Output events in json. | `true`
`telegraf-operator.enabled` | Flag to control deploying Telegraf Operator Helm sub-chart. | `false`
`telegraf-operator.replicaCount` | Replica count for Telegraf Operator pods. | 1
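Review bot: The `falco.ebpf.enabled` row now documents a default of `false`, but the `values.yaml` change in this commit only adds a commented-out `#ebpf:` block, so the effective default is whatever the Falco sub-chart ships and is not set by this chart; please confirm `false` against the sub-chart version this chart depends on. Since the troubleshooting text says Falco cannot insert its kernel module on GKE's Container-Optimized OS, the description could also state the consequence of leaving this `false` on GKE, so that an install with `falco.enabled` set and eBPF left off is not mistaken for working runtime detection.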
3 changes: 3 additions & 0 deletions deploy/helm/sumologic/values.yaml
Expand Up @@ -1587,6 +1587,9 @@ falco:
# - mountPath: /host/etc
# name: etc-fs
# readOnly: true
# Enable eBPF support for Falco instead of falco-probe kernel module.
# Set to true for GKE, for details see:
# https://github.com/SumoLogic/sumologic-kubernetes-collection/blob/release-v1.3/deploy/docs/Troubleshoot_Collection.md#falco-and-google-kubernetes-engine-gke
#ebpf:
# enabled: true
falco:
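Review bot: The comment added above `#ebpf:` hard-codes a link to the troubleshooting doc on the `release-v1.3` branch, which will point readers at stale text once this `values.yaml` lives on another branch or release. Consider referring to the doc by its in-repo path, `deploy/docs/Troubleshoot_Collection.md`, and naming the section ("Falco and Google Kubernetes Engine (GKE)"), which also avoids depending on the heading-derived fragment introduced in this same commit.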
