k8saudit: enabled: false fullnameOverride: falco-k8saudit # -- Disable the drivers since we want to deploy only the k8saudit plugin. driver: enabled: false # -- Disable the collectors, no syscall events to enrich with metadata. collectors: enabled: false # falcoctl disabled so we can reduce resources quite a bit resources: requests: cpu: 100m memory: 64Mi limits: cpu: 1 memory: 512Mi nodeSelector: node-role.kubernetes.io/control-plane: "" # -- Deploy Falco as a deployment. One instance of Falco is enough. Anyway the number of replicas is configurabale. controller: kind: deployment deployment: # -- Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing. # For more info check the section on Plugins in the README.md file. replicas: 1 # This provides k8s-audit rules via custom CM mounts: volumeMounts: - mountPath: /etc/falco/rules.d name: rules-volume volumes: - name: rules-volume configMap: name: falco-k8saudit-rules falcoctl: artifact: follow: enabled: false # Since 0.37 the plugins are not part of the image anymore # but we provide our rules static via our CM config: artifact: allowedTypes: - plugin install: refs: [k8saudit:0.7.0,json:0.7.2] services: - name: webhook ports: - port: 9765 # See plugin open_params protocol: TCP falco: rules_file: - /etc/falco/rules.d plugins: - name: k8saudit library_path: libk8saudit.so init_config: maxEventSize: 1048576 open_params: "http://:9765/k8s-audit" - name: json library_path: libjson.so init_config: "" # Plugins that Falco will load. Note: the same plugins are installed by the falcoctl-artifact-install init container. load_plugins: [k8saudit, json] json_output: true buffered_outputs: true log_syslog: false syslog_output: enabled: false