update(falco): mount proc filesystem for plugins

The following PR in the libs falcosecurity/libs#1969 introduces a new platform for plugins that requires access to the proc filesystem. Signed-off-by: Aldo Lacuku <[email protected]>
falcosecurity · Oct 1, 2024 · 47541d4 · 47541d4
1 parent ed8c535
commit 47541d4
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 7 deletions.
diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md
@@ -12,6 +12,11 @@ numbering uses [semantic versioning](http://semver.org).
 * cleanup(falco): remove deprecated falco configuration
  This commit removes the "output" config key that has
  been deprecated in falco.
+* update(falco): mount proc filesystem for plugins
+ The following PR in libs https:/falcosecurity/libs/pull/1969
+ introduces a new platform for plugins that requires access to the
+ proc filesystem.
+
 
 ## v4.8.3
 

diff --git a/charts/falco/README.md b/charts/falco/README.md
@@ -759,7 +759,6 @@ The following table lists the main configurable parameters of the falco chart v4
 | metrics.service.ports.metrics.protocol | string | `"TCP"` | protocol specifies the network protocol that the Service should use for the associated port. |
 | metrics.service.ports.metrics.targetPort | int | `8765` | targetPort is the port on which the Pod is listening. |
 | metrics.service.type | string | `"ClusterIP"` | type denotes the service type. Setting it to "ClusterIP" we ensure that are accessible from within the cluster. |
-| mounts.enforceProcMount | bool | `false` | By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins). |
 | mounts.volumeMounts | list | `[]` | A list of volumes you want to add to the Falco pods. |
 | mounts.volumes | list | `[]` | A list of volumes you want to add to the Falco pods. |
 | nameOverride | string | `""` | Put here the new name if you want to override the release name used for Falco components. |

diff --git a/charts/falco/templates/pod-template.tpl b/charts/falco/templates/pod-template.tpl
@@ -135,10 +135,8 @@ spec:
  {{- end }}
  - mountPath: /root/.falco
  name: root-falco-fs
- {{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }}
  - mountPath: /host/proc
  name: proc-fs
- {{- end }}
  {{- if and .Values.driver.enabled (not .Values.driver.loader.enabled) }}
  readOnly: true
  - mountPath: /host/boot
@@ -289,11 +287,9 @@ spec:
  {{- end }}
  {{- end }}
  {{- end }}
- {{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }}
  - name: proc-fs
  hostPath:
  path: /proc
- {{- end }}
  {{- if eq .Values.driver.kind "gvisor" }}
  - name: runsc-path
  hostPath:

diff --git a/charts/falco/values.yaml b/charts/falco/values.yaml
@@ -267,8 +267,6 @@ mounts:
  volumes: []
  # -- A list of volumes you want to add to the Falco pods.
  volumeMounts: []
- # -- By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins).
- enforceProcMount: false
 
 # Driver settings (scenario requirement)
 driver: