Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Frequently restarts in AKS 1.30.5 #3414

Open
ql3xHd630 opened this issue Nov 26, 2024 · 9 comments
Open

Frequently restarts in AKS 1.30.5 #3414

ql3xHd630 opened this issue Nov 26, 2024 · 9 comments
Labels
kind/bug
Milestone
0.40.0

Comments

@ql3xHd630
Copy link

Falco with version "0.34.1" deployed in AKS 1.30.5. will Frequently restarts. the error message is:
image

image
@Andreagit97
Copy link
Member

Andreagit97 commented Nov 26, 2024
edited
Loading

Hi! Yes this is a known issue with Falco 0.34.1 and k8s enrichment. Please use a recent version of Falco https://github.com/falcosecurity/falco/releases/tag/0.39.2, the issue should be solved

@Andreagit97 Andreagit97 added this to the 0.40.0 milestone Nov 26, 2024
@ql3xHd630
Copy link
Author

thankyou.

@ql3xHd630
Copy link
Author

ql3xHd630 commented Nov 27, 2024
edited
Loading

Hi @Andreagit97 .

When I try to upgrade falco to 0.39.2. The problem of restart have been resolved.

But I got trouble when I use the "http_output". Below are my config of "http_output" part in helm values.yaml.

http_output: enabled: true url: http://fluent-bit:8888 user_agent: "falcosecurity/falco" # -- Tell Falco to not verify the remote server. insecure: false # -- Path to the CA certificate that can verify the remote server. ca_cert: "" # -- Path to a specific file that will be used as the CA certificate store. ca_bundle: "" # -- Path to a folder that will be used as the CA certificate store. CA certificate need to be # stored as indivitual PEM files in this directory. ca_path: "/etc/falco/certs/" # -- Tell Falco to use mTLS mtls: false # -- Path to the client cert. client_cert: "/etc/falco/certs/client/client.crt" # -- Path to the client key. client_key: "/etc/falco/certs/client/client.key" # -- Whether to echo server answers to stdout echo: false # -- compress_uploads whether to compress data sent to http endpoint. compress_uploads: false # -- keep_alive whether to keep alive the connection. keep_alive: false

image

I got this problem:

image
Could you please give me some suggestion?Thankyou.

@Andreagit97
Copy link
Member

probably @leogr is more familiar with this, any idea of what is going on here?

@Issif
Copy link
Member

Issif commented Nov 27, 2024
edited
Loading

Can you try by using the whole DNS entry: http://fluent-bit.<namespace>.svc.cluster.local:8888.

Moreover, I don't see the point to use the http endpoint of fluent-bit and not its capacity to read the logs directly. Just enable the json format + output_fields for the logs

@ql3xHd630
Copy link
Author

@Issif. Thank you. When I enable json output. It work well.

@ql3xHd630
Copy link
Author

Hello, Guys. I got another problem.

I want to disable some rule by helm chart values file.
When I write disable statement follow falco docuemnt
image

image

I got this Error.
image

Could you please help me? Thanks!!

@ql3xHd630
Copy link
Author

How can I disable many rule by set value os customRule

@leogr
Copy link
Member

leogr commented Dec 10, 2024

How can I disable many rule by set value os customRule

You have to set the Falco config using proper helm values via values.yaml or using --set (in the latter case, be aware of --set syntax and limitation) , for example:
--set falco.rules[0].disable.rule="Redirect STDOUT/STDIN to Network Connection in Container"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug
Projects
None yet
Milestone
0.40.0
Development

No branches or pull requests
4 participants
@leogr @Issif @Andreagit97 @ql3xHd630