github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-17 07:18:26 +00:00
Code Issues Projects Releases Wiki Activity

cleanup(falco.yaml): remove config docs and options about k8s metadata

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce
2023-11-15 15:43:20 +00:00
committed by poiana
parent 04e2f19915
commit 1e3f17150d
1 changed files with 4 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
falco.yaml
View File

@@ -67,9 +67,6 @@
# syscall_drop_failed_exit # syscall_drop_failed_exit
# base_syscalls # base_syscalls
# modern_bpf.cpus_for_each_syscall_buffer # modern_bpf.cpus_for_each_syscall_buffer
# Falco cloud orchestration systems integration
# metadata_download
# (Guidance for Kubernetes container engine command-line args settings)
################################ ################################
@@ -170,11 +167,10 @@ rules_file:
# #
# Please note that if your intention is to enrich Falco syscall logs with fields # Please note that if your intention is to enrich Falco syscall logs with fields
# such as `k8s.ns.name`, `k8s.pod.name`, and `k8s.pod.*`, you do not need to use # such as `k8s.ns.name`, `k8s.pod.name`, and `k8s.pod.*`, you do not need to use
# the `k8saudit` plugin nor the `-k`/`-K` Kubernetes metadata enrichment. This # the `k8saudit` plugin. This information is automatically extracted from
# information is automatically extracted from the container runtime socket. The # the container runtime socket. The `k8saudit` plugin is specifically designed
# `k8saudit` plugin is specifically designed to integrate with Kubernetes audit # to integrate with Kubernetes audit logs and is not required for basic enrichment
# logs and is not required for basic enrichment of syscall logs with # of syscall logs with Kubernetes-related fields.
# Kubernetes-related fields.
# #
# --- [Usage] # --- [Usage]
# #
@@ -1035,35 +1031,6 @@ base_syscalls:
modern_bpf: modern_bpf:
cpus_for_each_syscall_buffer: 2 cpus_for_each_syscall_buffer: 2
#################################################
# Falco cloud orchestration systems integration #
#################################################
# [Stable] `metadata_download`
#
# When connected to an orchestrator like Kubernetes, Falco has the capability to
# collect metadata and enrich system call events with contextual data. The
# parameters mentioned here control the downloading process of this metadata.
#
# Please note that support for Mesos is deprecated, so these parameters
# currently apply only to Kubernetes. When using Falco with Kubernetes, you can
# enable this functionality by using the `-k` or `-K` command-line flag.
#
# However, it's worth mentioning that for important Kubernetes metadata fields
# such as namespace or pod name, these fields are automatically extracted from
# the container runtime, providing the necessary enrichment for common use cases
# of syscall-based threat detection.
#
# In summary, the `-k` flag is typically not required for most scenarios involving
# Kubernetes workload owner enrichment. The `-k` flag is primarily used when
# additional metadata is required beyond the standard fields, catering to more
# specific use cases, see https://falco.org/docs/reference/rules/supported-fields/#field-class-k8s.
metadata_download:
max_mb: 100
chunk_wait_us: 1000
watch_freq_sec: 1
# [Stable] Guidance for Kubernetes container engine command-line args settings # [Stable] Guidance for Kubernetes container engine command-line args settings
# #
# Modern cloud environments, particularly Kubernetes, heavily rely on # Modern cloud environments, particularly Kubernetes, heavily rely on