Add falco to Kubernetes modules (#108)

.github/workflows/check.yaml

@@ -9,11 +9,11 @@ jobs:
       - name: Setup TFLint
         uses: lablabs/[email protected]
         with:
-          tflint_version: v0.20.3
+          tflint_version: v0.23.1
       - name: Install azurerm plugin
         run: |
           mkdir -p .tflint.d/plugins
-          wget https://github.com/terraform-linters/tflint-ruleset-azurerm/releases/download/v0.5.1/tflint-ruleset-azurerm_linux_amd64.zip
+          wget https://github.com/terraform-linters/tflint-ruleset-azurerm/releases/download/v0.7.0/tflint-ruleset-azurerm_linux_amd64.zip
           unzip tflint-ruleset-azurerm_linux_amd64.zip
           mv tflint-ruleset-azurerm .tflint.d/plugins/
       - name: Run lint

modules/kubernetes/README.md

@@ -20,3 +20,4 @@ This directory contains all the Kubernetes Terraform modules.
 - [`datadog`](datadog/README.md)
 - [`external-secrtest`](external-secrets/README.md)
 - [`kyverno`](kyverno/README.md)
+- [`falco`](falco/README.md)

modules/kubernetes/aks-core/README.md

@@ -32,9 +32,12 @@ This module is used to create AKS clusters.
 | cert\_manager\_config | Cert Manager configuration | <pre>object({<br>    notification_email = string<br>    dns_zone           = string<br>  })</pre> | n/a | yes |
 | cert\_manager\_enabled | Should Cert Manager be enabled | `bool` | `true` | no |
 | csi\_secrets\_store\_provider\_azure\_enabled | Should csi-secrets-store-provider-azure be enabled | `bool` | `true` | no |
+| datadog\_config | Datadog configuration | <pre>object({<br>    datadog_site = string<br>    api_key      = string<br>  })</pre> | n/a | yes |
+| datadog\_enabled | Should Datadog be enabled | `bool` | `false` | no |
 | environment | The environment name to use for the deploy | `string` | n/a | yes |
 | external\_dns\_config | External DNS configuration | <pre>object({<br>    client_id   = string<br>    resource_id = string<br>  })</pre> | n/a | yes |
 | external\_dns\_enabled | Should External DNS be enabled | `bool` | `true` | no |
+| falco\_enabled | Should Falco be enabled | `bool` | `false` | no |
 | fluxcd\_v1\_config | Configuration for fluxcd-v1 | <pre>object({<br>    flux_status_enabled = bool<br>    azure_devops = object({<br>      pat  = string<br>      org  = string<br>      proj = string<br>    })<br>  })</pre> | <pre>{<br>  "azure_devops": {<br>    "org": "",<br>    "pat": "",<br>    "proj": ""<br>  },<br>  "flux_status_enabled": false<br>}</pre> | no |
 | fluxcd\_v1\_enabled | Should fluxcd-v1 be enabled | `bool` | `false` | no |
 | fluxcd\_v2\_config | Configuration for fluxcd-v2 | <pre>object({<br>    type = string<br>    github = object({<br>      owner = string<br>    })<br>    azure_devops = object({<br>      pat  = string<br>      org  = string<br>      proj = string<br>    })<br>  })</pre> | n/a | yes |

modules/kubernetes/aks-core/modules.tf

@@ -1,5 +1,5 @@
 locals {
-  excluded_namespaces = ["kube-system", "gatekeeper-system", "aad-pod-identity", "cert-manager", "ingress-nginx", "velero", "azdo-proxy", "flux-system", "external-dns", "kyverno", "csi-secrets-store-provider-azure"]
+  excluded_namespaces = ["kube-system", "gatekeeper-system", "aad-pod-identity", "cert-manager", "ingress-nginx", "velero", "azdo-proxy", "flux-system", "external-dns", "kyverno", "csi-secrets-store-provider-azure", "falco"]
 }
 
 # OPA Gatekeeper
@@ -221,3 +221,38 @@ module "csi_secrets_store_provider_azure" {
 
   source = "../../kubernetes/csi-secrets-store-provider-azure"
 }
+
+# datadog
+module "datadog" {
+  depends_on = [module.opa_gatekeeper]
+
+  for_each = {
+    for s in ["datadog"] :
+    s => s
+    if var.datadog_enabled
+  }
+
+  source = "../../kubernetes/datadog"
+
+  location     = var.location_short
+  environment  = var.environment
+  datadog_site = var.datadog_config.datadog_site
+  api_key      = var.datadog_config.api_key
+}
+
+# falco
+module "falco" {
+  depends_on = [module.opa_gatekeeper]
+
+  for_each = {
+    for s in ["falco"] :
+    s => s
+    if var.falco_enabled
+  }
+
+  source = "../../kubernetes/falco"
+
+  environment     = var.environment
+  datadog_site    = var.datadog_config.datadog_site
+  datadog_api_key = var.datadog_config.api_key
+}

modules/kubernetes/aks-core/variables.tf

@@ -190,3 +190,23 @@ variable "csi_secrets_store_provider_azure_enabled" {
   type        = bool
   default     = true
 }
+
+variable "datadog_enabled" {
+  description = "Should Datadog be enabled"
+  type        = bool
+  default     = false
+}
+
+variable "datadog_config" {
+  description = "Datadog configuration"
+  type = object({
+    datadog_site = string
+    api_key      = string
+  })
+}
+
+variable "falco_enabled" {
+  description = "Should Falco be enabled"
+  type        = bool
+  default     = false
+}

modules/kubernetes/falco/README.md

@@ -0,0 +1,34 @@
+# Falco
+
+Adds [`Falco`](https://github.com/falcosecurity/falco) to a Kubernetes clusters.  
+The modules consists of two components, the main Falco driver and the sidekick which  
+exports events to Datadog.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | 0.13.5 |
+| helm | 1.3.2 |
+| kubernetes | 1.13.3 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| helm | 1.3.2 |
+| kubernetes | 1.13.3 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| datadog\_api\_key | Datadog api key used to authenticate | `string` | n/a | yes |
+| datadog\_site | Datadog host to send events to | `string` | `"api.datadoghq.eu"` | no |
+| environment | Variable to add to custom fields | `string` | n/a | yes |
+| minimum\_priority | Minimum priority required before being exported | `string` | `"INFO"` | no |
+
+## Outputs
+
+No output.
+

modules/kubernetes/falco/main.tf

@@ -0,0 +1,59 @@
+/**
+  * # Falco
+  *
+  * Adds [`Falco`](https://github.com/falcosecurity/falco) to a Kubernetes clusters.
+  * The modules consists of two components, the main Falco driver and the sidekick which
+  * exports events to Datadog.
+  */
+
+terraform {
+  required_version = "0.13.5"
+
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "1.13.3"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "1.3.2"
+    }
+  }
+}
+
+locals {
+  falco_values = templatefile("${path.module}/templates/falco-values.yaml.tpl", {})
+  falcosidekick_values = templatefile("${path.module}/templates/falcosidekick-values.yaml.tpl", {
+    environment      = var.environment
+    minimum_priority = var.minimum_priority
+    datadog_host     = "https://${var.datadog_site}"
+    datadog_api_key  = var.datadog_api_key
+  })
+}
+
+resource "kubernetes_namespace" "this" {
+  metadata {
+    labels = {
+      name = "falco"
+    }
+    name = "falco"
+  }
+}
+
+resource "helm_release" "falco" {
+  repository = "https://falcosecurity.github.io/charts"
+  chart      = "falco"
+  name       = "falco"
+  namespace  = kubernetes_namespace.this.metadata[0].name
+  version    = "v1.7.2"
+  values     = [local.falco_values]
+}
+
+resource "helm_release" "falcosidekick" {
+  repository = "https://falcosecurity.github.io/charts"
+  chart      = "falcosidekick"
+  name       = "falcosidekick"
+  namespace  = kubernetes_namespace.this.metadata[0].name
+  version    = "v0.2.2"
+  values     = [local.falcosidekick_values]
+}

modules/kubernetes/falco/templates/falco-values.yaml.tpl

@@ -0,0 +1,21 @@
+auditLog:
+  enabled: false
+
+# Use EBPF instead of kernel module
+ebpf:
+  enabled: true
+
+falco:
+  jsonOutput: true
+  jsonIncludeOutputProperty: true
+  httpOutput:
+    enabled: true
+    url: "http://falcosidekick:2801"
+
+  # This should be further explored in the future but seems
+  # to be a bug right now with no fix so the solution is sadly
+  # to ignore all syscall errors.
+  # https://github.com/falcosecurity/falco/issues/1403
+  syscallEventDrops:
+    actions:
+      - log

modules/kubernetes/falco/templates/falcosidekick-values.yaml.tpl

@@ -0,0 +1,6 @@
+config:
+  customfields: "source:falco,env:${environment}"
+  datadog:
+    host: "${datadog_host}"
+    apikey: "${datadog_api_key}"
+    minimumpriority: "${minimum_priority}"

modules/kubernetes/falco/variables.tf

@@ -0,0 +1,21 @@
+variable "environment" {
+  description = "Variable to add to custom fields"
+  type        = string
+}
+
+variable "minimum_priority" {
+  description = "Minimum priority required before being exported"
+  type        = string
+  default     = "INFO"
+}
+
+variable "datadog_site" {
+  description = "Datadog host to send events to"
+  type        = string
+  default     = "api.datadoghq.eu"
+}
+
+variable "datadog_api_key" {
+  description = "Datadog api key used to authenticate"
+  type        = string
+}

validation/kubernetes/aks-core/main.tf

@@ -69,4 +69,8 @@ module "aks_core" {
       name = "name"
     }
   }
+  datadog_config = {
+    datadog_site = ""
+    api_key = ""
+  }
 }

validation/kubernetes/falco/main.tf

@@ -0,0 +1,34 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "1.13.3"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "1.3.2"
+    }
+  }
+}
+
+provider "kubernetes" {
+  load_config_file = "false"
+}
+
+provider "helm" {
+  kubernetes {
+    load_config_file = "false"
+  }
+}
+
+module "falco" {
+  source = "../../../modules/kubernetes/falco"
+
+  providers = {
+    kubernetes = kubernetes
+    helm = helm
+  }
+
+  environment = "dev"
+  datadog_api_key = "foobar" #tfsec:ignore:GEN003
+}