Make engine v5 backward compatible w/ v4 rules

As a part of the changes in https://github.com/falcosecurity/falco/pull/826/, we added several breaking changes to rules files like renaming/removing some filter fields. This isn't ideal for customers who are using their own rules files. We shouldn't break older rules files in this way, so add some minimal backwards compatibility which adds back the fields that were removed *and* actually used in k8s_audit_rules.yaml. They have the same functionality as before. One exception is ka.req.binding.subject.has_name, which was only used in a single output field for debugging and shouldn't have been in the rules file in the first place. This always returns the string "N/A". Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-09-02 23:26:24 +00:00 · 2019-10-17 11:43:18 -07:00
parent b4fdaa3544
commit ccb3cc13b4
3 changed files with 127 additions and 2 deletions
--- a/userspace/engine/falco_engine_version.h
+++ b/userspace/engine/falco_engine_version.h
@@ -21,4 +21,4 @@ limitations under the License.
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of falco. It's used
 // at build time to detect a changed set of fields.
-#define FALCO_FIELDS_CHECKSUM "163684ddd69fd0d2ec8a3d246e6901c84e995ae1ba29d105853b1fb12c3e1bbb"
+#define FALCO_FIELDS_CHECKSUM "ca9e75fa41fe4480cdfad8cf275cdbbc334e656569f070c066d87cbd2955c1ae"