From 4e3fa494ff0a2e7beec5a91aebb3409a285e38f3 Mon Sep 17 00:00:00 2001 From: Jose Angel Santiago Date: Thu, 19 Nov 2020 09:58:06 +0100 Subject: [PATCH] new: Add Mutual TLS deployment Signed-off-by: Jose Angel Santiago <> --- falco-exporter/CHANGELOG.md | 5 ++++ falco-exporter/Chart.yaml | 2 +- falco-exporter/README.md | 17 ++++++++++- falco-exporter/templates/NOTES.txt | 7 +++-- falco-exporter/templates/daemonset.yaml | 28 +++++++++++++++++-- .../templates/server-secret-certs.yaml | 13 +++++++++ falco-exporter/values.yaml | 11 ++++++-- 7 files changed, 73 insertions(+), 10 deletions(-) create mode 100644 falco-exporter/templates/server-secret-certs.yaml diff --git a/falco-exporter/CHANGELOG.md b/falco-exporter/CHANGELOG.md index 4630862e5..e78788462 100644 --- a/falco-exporter/CHANGELOG.md +++ b/falco-exporter/CHANGELOG.md @@ -2,6 +2,11 @@ This file documents all notable changes to `falco-exporter` Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v0.4.0 + +### Mayor Changes + +* Add Mutual TLS for falco-exporter enable/disabled feature ## v0.3.8 diff --git a/falco-exporter/Chart.yaml b/falco-exporter/Chart.yaml index 7ec0c7c2a..7d5491895 100644 --- a/falco-exporter/Chart.yaml +++ b/falco-exporter/Chart.yaml @@ -14,7 +14,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 0.3.8 +version: 0.4.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/falco-exporter/README.md b/falco-exporter/README.md index a57c35cb3..6ff9db104 100644 --- a/falco-exporter/README.md +++ b/falco-exporter/README.md 
@@ -61,7 +61,7 @@ The following table lists the main configurable parameters of the chart and thei | `grafanaDashboard.enabled` | Enable the falco security dashboard, see https://github.com/falcosecurity/falco-exporter#grafana | `false` | | `grafanaDashboard.namespace` | The namespace to deploy the dashboard configmap in | `default` | | `scc.create` | Create OpenShift's Security Context Constraint | `true` | - +| `service.mTLS.enabled` | Enable falco-exporter server Mutual TLS feature | `false` Please, refer to [values.yaml](./values.yaml) for the full list of configurable parameters. @@ -77,4 +77,19 @@ Alternatively, a YAML file that specifies the parameters' values can be provided helm install falco-exporter -f values.yaml falcosecurity/falco-exporter ``` +### Enable Mutual TLS + +Mutual TLS for `/metrics` endpoint can be enabled to prevent alerts content from being consumed by unauthorized components. + +To install falco-exporter with Mutual TLS enabled, you have to: + +```shell +helm install falco-exporter \ + --set service.mTLS.enabled=true \ + --set-file service.mTLS.server.key=/path/to/server.key \ + --set-file service.mTLS.server.crt=/path/to/server.crt \ + --set-file service.mTLS.ca.crt=/path/to/ca.crt \ + falcosecurity/falco-exporter +``` + > **Tip**: You can use the default [values.yaml](values.yaml) diff --git a/falco-exporter/templates/NOTES.txt b/falco-exporter/templates/NOTES.txt index 1e219cf01..724eb64b1 100644 --- a/falco-exporter/templates/NOTES.txt +++ b/falco-exporter/templates/NOTES.txt 
@@ -2,14 +2,15 @@ Get the falco-exporter metrics URL by running these commands: {{- if contains "NodePort" .Values.service.type }} export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "falco-exporter.fullname" . }}) export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT/metrics + echo {{- if .Values.service.mTLS.enabled }} https{{- else }} http{{- end }}://$NODE_IP:$NODE_PORT/metrics {{- else if contains "LoadBalancer" .Values.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. You can watch the status of by running 'kubectl get svc -w {{ template "falco-exporter.fullname" . }}' export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "falco-exporter.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }}/metrics + echo {{- if .Values.service.mTLS.enabled }} https{{- else }} http{{- end }}://$SERVICE_IP:{{ .Values.service.port }}/metrics {{- else if contains "ClusterIP" .Values.service.type }} export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "falco-exporter.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:{{ .Values.service.targetPort }}/metrics to use your application" + echo "Visit {{- if .Values.service.mTLS.enabled }} https{{- else }} http{{- end }}://127.0.0.1:{{ .Values.service.targetPort }}/metrics to use your application" kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME {{ .Values.service.targetPort }} {{- end }} + echo {{- if .Values.service.mTLS.enabled }} "You'll need a valid client certificate and its corresponding key for Mutual TLS handshake" {{- end }} 
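Review bot: The last added line renders a bare `echo` whenever mTLS is disabled, because only the message sits inside the conditional, so every non-mTLS install prints a stray empty line at the end of the notes. Move the whole statement into the block: `{{- if .Values.service.mTLS.enabled }}` / `  echo "You'll need a valid client certificate and its corresponding key for Mutual TLS handshake"` / `{{- end }}`. The `{{- if ... }} https{{- else }} http{{- end }}` scheme switch is now repeated in all three service-type branches; computing it once at the top of the hunk with `{{- $scheme := ternary "https" "http" .Values.service.mTLS.enabled }}` and writing `{{ $scheme }}://` in each URL keeps the three in step.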
diff --git a/falco-exporter/templates/daemonset.yaml b/falco-exporter/templates/daemonset.yaml index 7107a3f3e..097a3704e 100644 --- a/falco-exporter/templates/daemonset.yaml +++ b/falco-exporter/templates/daemonset.yaml @@ -40,18 +40,23 @@ spec: {{- end }} - --timeout={{ .Values.falco.grpcTimeout }} - --listen-address=0.0.0.0:{{ .Values.service.port }} + {{- if .Values.service.mTLS.enabled }} + - --server-ca=/etc/falco/server-certs/ca.crt + - --server-cert=/etc/falco/server-certs/server.crt + - --server-key=/etc/falco/server-certs/server.key + {{- end }} ports: - name: metrics containerPort: {{ .Values.service.targetPort }} protocol: TCP livenessProbe: httpGet: - path: /metrics - port: {{ .Values.service.port }} + path: /liveness + port: {{ .Values.probesPort }} readinessProbe: httpGet: path: /readiness - port: {{ .Values.service.port }} + port: {{ .Values.probesPort }} resources: {{- toYaml .Values.resources | nindent 12 }} volumeMounts: @@ -64,6 +69,11 @@ spec: name: certs-volume readOnly: true {{- end }} + {{- if .Values.service.mTLS.enabled }} + - mountPath: /etc/falco/server-certs + name: server-certs-volume + readOnly: true + {{- end }} volumes: {{- if .Values.falco.grpcUnixSocketPath }} - name: falco-socket-dir @@ -81,6 +91,18 @@ spec: - key: ca.crt path: ca.crt {{- end }} + {{- if .Values.service.mTLS.enabled }} + - name: server-certs-volume + secret: + secretName: {{ include "falco-exporter.fullname" . }}-server-certs + items: + - key: server.key + path: server.key + - key: server.crt + path: server.crt + - key: ca.crt + path: ca.crt + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/falco-exporter/templates/server-secret-certs.yaml b/falco-exporter/templates/server-secret-certs.yaml new file mode 100644 index 000000000..2d372f8be --- /dev/null +++ b/falco-exporter/templates/server-secret-certs.yaml 
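Review bot: The probes now point at `{{ .Values.probesPort }}`, but the `ports:` list in the same hunk still declares only the metrics port, so nothing in the manifest ties 19376 to the container or tells a reader that `/liveness` and `/readiness` are served there over plain HTTP. Declare it next to the metrics port, `- name: probes` / `containerPort: {{ .Values.probesPort }}` / `protocol: TCP`, and reference it from both probes by that name so the port cannot drift from the value. None of the added args configures a probes listener, so this presumably relies on the image default for that port; if the exporter accepts a flag for it, pass the same value through. Moving the probes off the metrics port is the right call once `/metrics` requires a client certificate, since the kubelet's `httpGet` probe cannot present one.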
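Review bot: In the third hunk the `server-certs-volume` Secret is mounted with the default file mode, which leaves `server.key` readable by every user inside the container; add `defaultMode: 0400` under `secret:` (or `0440` paired with a pod `fsGroup` if the exporter runs as a non-root user) so only the process owner can read the private key. The `items:` list names every key the Secret template writes, so it is equivalent to omitting it; keeping it documents the expected key names, but the same three paths are also spelled out in the `--server-*` args of the first hunk and must be changed in both places together. The pod spec continues outside the hunk.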
@@ -0,0 +1,13 @@ +{{- if .Values.service.mTLS.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "falco-exporter.fullname" . }}-server-certs + labels: + {{- include "falco-exporter.labels" . | nindent 4 }} +type: Opaque +data: + server.crt: {{ .Values.service.mTLS.server.crt | b64enc | quote }} + server.key: {{ .Values.service.mTLS.server.key | b64enc | quote }} + ca.crt: {{ .Values.service.mTLS.ca.crt | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/falco-exporter/values.yaml b/falco-exporter/values.yaml index 6c8efbfd3..7feb42062 100644 --- a/falco-exporter/values.yaml +++ b/falco-exporter/values.yaml @@ -12,10 +12,16 @@ service: annotations: prometheus.io/scrape: "true" prometheus.io/port: "9376" + # Enable Mutual TLS for HTTP metrics server + mTLS: + enabled: false + +# /readiness and /liveness probes port +probesPort: 19376 image: repository: falcosecurity/falco-exporter - tag: 0.3.0 + tag: 0.4.1 pullPolicy: IfNotPresent imagePullSecrets: [] @@ -95,4 +101,5 @@ grafanaDashboard: scc: # true here enabled creation of Security Context Constraints in Openshift - create: true \ No newline at end of file + create: true +
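Review bot: The three `data:` entries accept missing values silently: with `service.mTLS.enabled=true` but no `--set-file`, `.Values.service.mTLS.server` does not exist in values.yaml, so rendering either fails with a nil-pointer error or, once the keys exist as empty strings, yields a Secret of empty fields that only surfaces when the pod starts. Wrap each value in `required`, e.g. `server.key: {{ required "service.mTLS.server.key is required when service.mTLS.enabled is true" .Values.service.mTLS.server.key | b64enc | quote }}`, and likewise for `server.crt` and `ca.crt`; the values.yaml hunk in this same patch should declare `mTLS.server.crt`, `mTLS.server.key` and `mTLS.ca.crt` as empty strings with a comment so the expected keys are documented. Key material passed via `--set-file` is stored in the Helm release record and returned by `helm get values`, so an option to reference a pre-existing Secret instead of templating one would let operators keep the private key out of release state. The new file also lacks a trailing newline after `{{- end }}`.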