diff --git a/falcosidekick/CHANGELOG.md b/falcosidekick/CHANGELOG.md index ac7b68f55..97f99e6eb 100644 --- a/falcosidekick/CHANGELOG.md +++ b/falcosidekick/CHANGELOG.md @@ -3,7 +3,14 @@ This file documents all notable changes to Falcosidekick Helm Chart. The release numbering uses [semantic versioning](http://semver.org). -Before release 0.1.20, the helm chart can be found in `falcosidekick` [repository](https://github.com/falcosecurity/falcosidekick/tree/master/deploy/helm/falcosidekick). +Before release 0.1.20, the helm chart can be found in `falcosidekick` [repository](https://github.com/falcosecurity/falcosidekick/tree/master/deploy/helm/falcosidekick). + +## 0.1.28 + +### Major changes + +* New output can be set : `AWS SNS` +* Metrics in `prometheus` format can be scrapped from `/metrics` URI ## 0.1.27 diff --git a/falcosidekick/Chart.yaml b/falcosidekick/Chart.yaml index 981c30b95..e96f958e4 100644 --- a/falcosidekick/Chart.yaml +++ b/falcosidekick/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v1 -appVersion: 2.14.0 +appVersion: 2.15.0 description: A simple daemon to help you with falco's outputs icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png name: falcosidekick -version: 0.1.27 +version: 0.1.28 keywords: - monitoring - security diff --git a/falcosidekick/README.md b/falcosidekick/README.md index 1ad474785..57a77f973 100644 --- a/falcosidekick/README.md +++ b/falcosidekick/README.md @@ -29,6 +29,7 @@ Currently available outputs are : * [**Influxdb**](https://www.influxdata.com/products/influxdb-overview/) * [**AWS Lambda**](https://aws.amazon.com/lambda/features/) * [**AWS SQS**](https://aws.amazon.com/sqs/features/) +* [**AWS SNS**](https://aws.amazon.com/sns/features/) * **SMTP** (email) * [**Opsgenie**](https://www.opsgenie.com/) * [**StatsD**](https://github.com/statsd/statsd) (for monitoring of `falcosidekick`) 
@@ -83,75 +84,77 @@ The following table lists the configurable parameters of the Falcosidekick chart | `slack.icon` | Slack icon (avatar) | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png | | `slack.username` | Slack username | `falcosidekick` | | `slack.outputformat` | `all` (default), `text` (only text is displayed in Slack), `fields` (only fields are displayed in Slack) | `all` | -| `slack.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `slack.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `slack.messageformat` | a Go template to format Slack Text above Attachment, displayed in addition to the output from `slack.outputformat`. If empty, no Text is displayed before Attachment | | | `rocketchat.webhookurl` | Rocketchat Webhook URL (ex: https://XXXX/hooks/YYYY), if not `empty`, Rocketchat output is *enabled* | | | `rocketchat.icon` | Rocketchat icon (avatar) | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png | | `rocketchat.username` | Rocketchat username | `falcosidekick` | | `rocketchat.outputformat` | `all` (default), `text` (only text is displayed in Rocketcaht), `fields` (only fields are displayed in Rocketchat) | `all` | -| `rocketchat.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `rocketchat.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `rockerchat.messageformat` | a Go template to format Rocketchat Text above Attachment, displayed in addition to the output from 
`slack.outputformat`. If empty, no Text is displayed before Attachment | | | `mattermost.webhookurl` | Mattermost Webhook URL (ex: https://XXXX/hooks/YYYY), if not `empty`, Mattermost output is *enabled* | | | `mattermost.footer` | Mattermost Footer | https://github.com/falcosecurity/falcosidekick | | `mattermost.icon` | Mattermost icon (avatar) | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png | | `mattermost.username` | Mattermost username | `falcosidekick` | | `mattermost.outputformat` | `all` (default), `text` (only text is displayed in Slack), `fields` (only fields are displayed in Mattermost) | `all` | -| `mattermost.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `mattermost.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `mattermost.messageformat` | a Go template to format Mattermost Text above Attachment, displayed in addition to the output from `slack.outputformat`. 
If empty, no Text is displayed before Attachment | | | `teams.webhookurl` | Teams Webhook URL (ex: https://outlook.office.com/webhook/XXXXXX/IncomingWebhook/YYYYYY"), if not `empty`, Teams output is *enabled* | | | `teams.activityimage` | Teams section image | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png | | `teams.outputformat` | `all` (default), `text` (only text is displayed in Teams), `facts` (only facts are displayed in Teams) | `all` | -| `teams.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `teams.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `datadog.apikey` | Datadog API Key, if not `empty`, Datadog output is *enabled* | | | `datadog.host` | Datadog host. Override if you are on the Datadog EU site. 
Defaults to american site with "https://api.datadoghq.com" | https://api.datadoghq.com | -| `datadog.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `datadog.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `discord.webhookurl` | Discord WebhookURL (ex: https://discord.com/api/webhooks/xxxxxxxxxx...), if not empty, Discord output is enabled | | | `discord.icon` | Discord icon (avatar) | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png | -| `discord.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `discord.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `alertmanager.hostport` | AlertManager http://host:port, if not `empty`, AlertManager is *enabled* | | -| `alertmanager.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `alertmanager.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `elasticsearch.hostport` | Elasticsearch http://host:port, if not `empty`, Elasticsearch is *enabled* | | | `elasticsearch.index` | Elasticsearch index | `falco` | | `elasticsearch.type` | Elasticsearch document type | `event` | | `elasticsearch.suffix` | date suffix for index rotation : `daily`, `monthly`, `annually`, `none` | `daily` | -| `elasticsearch.minimumpriority` | minimum priority of event for using 
use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `elasticsearch.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `influxdb.hostport` | Influxdb http://host:port, if not `empty`, Influxdb is *enabled* | | | `influxdb.database` | Influxdb database | `falco` | | `influxdb.user` | User to use if auth is enabled in Influxdb | | | `influxdb.password` | Password to use if auth is enabled in Influxdb | | -| `influxdb.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `influxdb.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `loki.hostport` | Loki http://host:port, if not `empty`, Loki is *enabled* | | -| `loki.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `loki.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `nats.hostport` | NATS "nats://host:port", if not `empty`, NATS is *enabled* | | -| `nats.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `nats.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `aws.accesskeyid` | AWS Access Key Id (optionnal if you use EC2 Instance Profile) | | | `aws.secretaccesskey` | AWS Secret Access Key (optionnal if you use 
EC2 Instance Profile) | | | `aws.region` | AWS Region (optionnal if you use EC2 Instance Profile) | | | `aws.lambda.functionname` | AWS Lambda Function Name, if not empty, AWS Lambda output is enabled | | -| `aws.lambda.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `aws.lambda.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | +| `aws.sns.topicarn` | AWS SNS TopicARN, if not empty, AWS SNS output is enabled | | +| `aws.sns.rawjson` | Send RawJSON from `falco` or parse it to AWS SNS | | +| `aws.sns.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `aws.sqs.url` | AWS SQS Queue URL, if not empty, AWS SQS output is enabled | | -| `aws.sqs.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `aws.sqs.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `smtp.hostport` | "host:port" address of SMTP server, if not empty, SMTP output is enabled | | | `smtp.user` | user to access SMTP server | | | `smtp.password` | password to access SMTP server | | | `smtp.from` | Sender address (mandatory if SMTP output is enabled) | | | `smtp.to` | comma-separated list of Recipident addresses, can't be empty (mandatory if SMTP output is enabled) | | | `smtp.outputformat` | html, text | `html` | -| `smtp.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| 
`smtp.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `opsgenie.apikey` | Opsgenie API Key, if not empty, Opsgenie output is enabled | | | `opsgenie.region` | (`us` or `eu`) region of your domain | `us` | -| `opsgenie.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `opsgenie.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `statsd.forwarder` | The address for the StatsD forwarder, in the form http://host:port, if not empty StatsD is enabled | | | `statsd.namespace` | A prefix for all metrics | `falcosidekick` | | `dogstatsd.forwarder` | The address for the DogStatsD forwarder, in the form http://host:port, if not empty DogStatsD is enabled | | | `dogstatsd.namespace` | A prefix for all metrics | `falcosidekick` | | `dogstatsd.tags` | A comma-separated list of tags to add to all metrics | | | `webhook.address` | Webhook address, if not empty, Webhook output is enabled | | -| `webhook.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `webhook.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | | `azure.eventhub.name` | Name of the Hub, if not empty, EventHub is *enabled* | | | `azure.eventhub.namespace` | Name of the space the Hub is in | | -| `azure.eventhub.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | -| `podSecurityPolicy.create` | 
create a PodSecurityPolicy | `false` | +| `azure.eventhub.minimumpriority` | minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""` | `debug` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, @@ -160,7 +163,7 @@ Specify each parameter using the `--set key=value[,key=value]` argument to `helm helm install falcosidekick --set debug=true falcosecurity/falcosidekick ``` -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example: ```bash helm install falcosidekick -f values.yaml falcosecurity/falcosidekick @@ -168,3 +171,6 @@ helm install falcosidekick -f values.yaml falcosecurity/falcosidekick > **Tip**: You can use the default [values.yaml](values.yaml) +## Metrics + +A `prometheus` endpoint can be scrapped at `/metrics`. diff --git a/falcosidekick/templates/deployment.yaml b/falcosidekick/templates/deployment.yaml index 9ad17c3d9..e0a8b92ab 100644 --- a/falcosidekick/templates/deployment.yaml +++ b/falcosidekick/templates/deployment.yaml @@ -205,6 +205,14 @@ spec: - name: AWS_LAMBDA_MINIMUMPRIORITY value: {{ .Values.config.aws.lambda.minimumpriority | quote }} {{- end }} + {{- if .Values.config.aws.sns.topicarn }} + - name: AWS_SNS_TOPICARN + value: {{ .Values.config.aws.sns.topicarn | quote }} + - name: AWS_SNS_RAWJSON + value: {{ .Values.config.aws.sns.rawjson }} + - name: AWS_SNS_MINIMUMPRIORITY + value: {{ .Values.config.aws.sns.minimumpriority | quote }} + {{- end }} {{- if .Values.config.aws.sqs.url }} - name: AWS_SQS_URL value: {{ .Values.config.aws.sqs.functionname | quote }} diff --git a/falcosidekick/values.yaml b/falcosidekick/values.yaml index a68b854c8..cf1cf1a6e 100644 --- a/falcosidekick/values.yaml 
+++ b/falcosidekick/values.yaml @@ -6,7 +6,7 @@ replicaCount: 1 image: repository: falcosecurity/falcosidekick - tag: 2.14.0 + tag: 2.15.0 pullPolicy: IfNotPresent podSecurityContext: @@ -99,6 +99,10 @@ config: lambda: functionname : "" minimumpriority: "" + sns: + topicarn : "" + rawjson: false + minimumpriority: "" sqs: url : "" minimumpriority: ""
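Review bot: "scrapped" in the new 0.1.28 CHANGELOG entry (`Metrics in `prometheus` format can be scrapped from `/metrics` URI`) should be "scraped"; "scrapped" means discarded, and the same wording is repeated in the new README "Metrics" section. The `-`/`+` pair for the "Before release 0.1.20, the helm chart can be found..." line is textually identical, which suggests a trailing-whitespace or line-ending change rather than a content change; worth confirming it is intentional so the hunk does not carry noise.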
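Review bot: Dropping the backslash escapes in every `minimumpriority` row (`emergency|alert|critical|...` in place of `emergency\|alert\|critical\|...`) will break the parameter table on GitHub: in GFM tables an unescaped `|` splits the cell even inside a backtick code span, so each of these rows will render with extra columns. Keep the `\|` escapes as in the removed lines. Two smaller points in the same hunk: the `podSecurityPolicy.create` row is removed, but no matching removal appears in `templates/` or `values.yaml` in this patch, so if the parameter still exists the row should stay; and the new `aws.sns.rawjson` row has an empty default column while `values.yaml` in this patch sets `rawjson: false`, so the default should read `false`. Since the rows are being touched anyway, the long-standing typos "using use", "optionnal", "Recipident" and "Rocketcaht" could be fixed in the same pass.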
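Review bot: "scrapped" should be "scraped" in the new "Metrics" section (`A `prometheus` endpoint can be scrapped at `/metrics`.`). The section would also help operators more if it said which port serves `/metrics` and whether that is the same listener that receives Falco events, since that is what someone writing a Prometheus scrape config or a NetworkPolicy for the pod needs to know.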
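Review bot: `AWS_SNS_RAWJSON` is emitted without `| quote` (`value: {{ .Values.config.aws.sns.rawjson }}`), unlike every neighbouring env var. With the default `rawjson: false` from `values.yaml` this renders as `value: false`, which YAML parses as a boolean, and the Kubernetes API rejects a non-string `value` in an `env` entry, so the Deployment fails to apply as soon as `aws.sns.topicarn` is set. Use `value: {{ .Values.config.aws.sns.rawjson | quote }}` so it renders as `"false"`/`"true"`. Separately, the unchanged context line just below the new block sets `AWS_SQS_URL` from `.Values.config.aws.sqs.functionname`, but `values.yaml` defines `sqs.url` and no `sqs.functionname`, so the SQS queue URL is always rendered empty; that pre-existing bug should be fixed to `.Values.config.aws.sqs.url` while this file is open.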
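Review bot: `topicarn : ""` in the new `sns` block carries a space before the colon, copying the neighbouring `functionname : ""` and `url : ""`; YAML accepts it, but `minimumpriority: ""` in the same block uses the normal form, so normalise to `topicarn: ""`. Note also that `rawjson: false` is a YAML boolean rather than a string, which is exactly why the template in `deployment.yaml` must quote it when passing it through as an env value.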