Merge pull request #1805 from cncf/bug/1768

[bug/1768] Allow overriding Falco Helm chart install values for non_root_user test
cnti-testcatalog · Jul 28, 2023 · ecc5770 · ecc5770
2 parents 5860c9e + 32c2683
commit ecc5770
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 4 deletions.
diff --git a/USAGE.md b/USAGE.md
@@ -939,6 +939,7 @@ If your application does not need root privileges, make sure to define the runAs
 
 </b>
 
+> To configure the Falco driver to be used for this test, please refer to [docs/falco-config.md](docs/falco-config.md).
 
 ## [Host PID/IPC privileges](docs/LIST_OF_TESTS.md#host-pidipc-privileges)
 

diff --git a/docs/falco-config.md b/docs/falco-config.md
@@ -0,0 +1,47 @@
+# Setting up Falco for `non_root_user` test
+
+The CNF Testsuite sets up Falco for the `non_root_user` test. But Falco requires drivers that are built for the specific OS kernel version.
+
+To run the `non_root_user` test, please choose a prebuilt driver or a custom driver, and then proceed to configure the CNF Testsuite to specify the appropriate Falco configuration.
+
+## Prebuilt Falco drivers
+
+* Falco provides prebuilt drivers only for the 3 recent driver versions ([reference](https://github.com/falcosecurity/falco/issues/2488#issuecomment-1507479462))
+* Availability of prebuilt drivers can be checked [here](https://download.falco.org/driver/site/index.html?lib=4.0.0%2Bdriver&target=debian&arch=x86_64&kind=ebpf).
+
+## Building a custom driver
+
+Falco maintains the [falcosecurity/driverkit](https://github.com/falcosecurity/driverkit) project to help build custom drivers. Please refer to the project's documentation to build custom Falco drivers for your Linux kernel version.
+
+## Specifying a Falco driver to be used with the CNF Testsuite
+
+The CNF Testsuite installs Falco 3.1.5. The testsuite allows specifying Helm CLI options for Falco's Helm chart installation using the `FALCO_HELM_OPTS` env var.
+
+This option can be used to pass a YAML file that overrides Falco's Helm chart values, like below.
+
+```shell
+FALCO_HELM_OPTS="-f falco-values.yml" ./cnf-testsuite non_root_user
+```
+
+> This `FALCO_HELM_OPTS` needs to be set when running the `non_root_user` test via the workload command too.
+
+Below is an example YAML file that overrides Falco Helm values to specify a custom-built ebpf driver.
+
+```yaml
+driver:
+  enabled: true
+  kind: ebpf
+  ebpf:
+    path: "/falco-driver/falco-ubuntu.o"
+mounts:
+  volumes:
+    - name: "driver-fs"
+      hostPath:
+        path: "/falco-driver"
+
+  volumeMounts:
+    - mountPath: "/falco-driver"
+      name: driver-fs
+```
+
+Please refer to the [Falco Helm chart's values file](https://github.com/falcosecurity/charts/blob/falco-3.1.5/falco/values.yaml) to see options that can be specified.
diff --git a/src/tasks/falco_setup.cr b/src/tasks/falco_setup.cr
@@ -10,20 +10,32 @@ desc "Install Falco"
 task "install_falco" do |_, args|
   # helm = Helm::BinarySingleton.helm
   File.write("falco_rule.yaml", FALCO_RULES)
+  chart_version = "--version 3.1.5"
+  helm_options = ENV["FALCO_HELM_OPTS"]?
+  if helm_options.nil?
+    helm_options = "--set driver.kind=ebpf"
+  end
+
+  # Use different helm chart version for CI
   if ENV["FALCO_ENV"]? == "CI"
-    image_arg = "--set image.repository=conformance/falco"
-    image_tag = "--set image.tag=0.29.1"
     chart_version = "--version 1.15.7"
+
+    # 1. Because the CI uses an old version the helm key values are different too.
+    # 2. CI does not need support for FALCO_HELM_OPTS env var.
+    helm_options = "--set ebpf.enabled=true"
+    helm_options = "#{helm_options} --set image.repository=conformance/falco"
+    helm_options = "#{helm_options} --set image.tag=0.29.1"
   end
+
   begin
     if args.named["offline"]?
       Log.info { "install falco offline mode" }
       helm_chart = Dir.entries(FALCO_OFFLINE_DIR).first
-      Helm.install("falco --set ebpf.enabled=true #{chart_version} #{image_arg} #{image_tag} -f ./falco_rule.yaml -n #{TESTSUITE_NAMESPACE} #{FALCO_OFFLINE_DIR}/#{helm_chart}")
+      Helm.install("falco #{chart_version} -f ./falco_rule.yaml #{helm_options} -n #{TESTSUITE_NAMESPACE} #{FALCO_OFFLINE_DIR}/#{helm_chart}")
     else
       Helm.helm_repo_add("falcosecurity","https://falcosecurity.github.io/charts")
       # needs ebpf parameter for precompiled module
-      Helm.install("falco --set ebpf.enabled=true #{chart_version} #{image_arg} #{image_tag} -f ./falco_rule.yaml -n #{TESTSUITE_NAMESPACE} falcosecurity/falco")
+      Helm.install("falco #{chart_version} -f ./falco_rule.yaml #{helm_options} -n #{TESTSUITE_NAMESPACE} falcosecurity/falco")
     end
   rescue Helm::CannotReuseReleaseNameError
     Log.info { "Falco already installed" }