# Service account the Falco DaemonSet pods run as.
resource "kubernetes_service_account" "falco_sa" {
  metadata {
    name = "falco-account"
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  # Kept on: the container's "-K" argument (see the falco_ds daemonset below) reads the
  # projected token from /var/run/secrets/kubernetes.io/serviceaccount/token, which is
  # only present in the pod when the token is automounted.
  automount_service_account_token = true
}
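# Read-only cluster role Falco uses to enrich events with Kubernetes metadata.
# Verbs are deliberately limited to get/list/watch: Falco only observes, it never mutates.
resource "kubernetes_cluster_role" "falco_cr" {
  metadata {
    name = "falco-cluster-role"
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  rule {
    # "apps" is added alongside "extensions": replicasets, daemonsets and deployments are
    # served from the apps group (the extensions/v1beta1 variants were removed in k8s 1.16),
    # so without it the watches on those resources fail on current clusters. Still read-only.
    api_groups = ["apps", "extensions", ""]
    resources  = ["nodes", "namespaces", "pods", "replicationcontrollers", "replicasets", "services", "daemonsets", "deployments", "events", "configmaps"]
    verbs      = ["get", "list", "watch"]
  }
  rule {
    # Health endpoints of the API server, read-only.
    non_resource_urls = ["/healthz", "/healthz/*"]
    verbs             = ["get"]
  }
}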
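# Binds the read-only cluster role to the Falco service account.
resource "kubernetes_cluster_role_binding" "falco_crb" {
  metadata {
    name = "falco-cluster-role-bind"
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  subject {
    kind = "ServiceAccount"
    name = kubernetes_service_account.falco_sa.metadata.0.name
    # Taken from the service account resource instead of the literal "default" so the
    # binding always points at the namespace the account was actually created in; a
    # subject whose namespace does not match the account silently grants nothing.
    namespace = kubernetes_service_account.falco_sa.metadata.0.namespace
  }
  role_ref {
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.falco_cr.metadata.0.name
    api_group = "rbac.authorization.k8s.io"
  }
}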
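# Falco configuration and rule files, mounted at /etc/falco by the daemonset below.
# Rule content lives in configs/falco/ next to this module; keep it reviewed like code,
# since it defines what the detection engine alerts on.
resource "kubernetes_config_map" "falco_cfgmap" {
  metadata {
    name = "falco-cfgmap"
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  data = {
    # Anchored on path.module: a bare relative path in file() resolves against the
    # working directory, so running terraform from elsewhere (CI, a root module that
    # sources this one) would fail or, worse, pick up a different file of the same name.
    "application_rules.yaml" = file("${path.module}/configs/falco/application_rules.yaml")
    "falco_rules.local.yaml" = file("${path.module}/configs/falco/falco_rules.local.yaml")
    "falco_rules.yaml"       = file("${path.module}/configs/falco/falco_rules.yaml")
    "k8s_audit_rules.yaml"   = file("${path.module}/configs/falco/k8s_audit_rules.yaml")
    "falco.yaml"             = file("${path.module}/configs/falco/falco.yaml")
  }
}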
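# Falco runtime-security agent, one pod per node.
#
# The pod is privileged, on the host network and mounts large parts of the host
# filesystem; that is what a kernel-level syscall sensor needs, but it also means a
# compromise of this pod is a compromise of the node. Everything that can be mounted
# read-only is, and the container runs only the Falco binary.
resource "kubernetes_daemonset" "falco_ds" {
  metadata {
    name = "falco-daemonset"
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  spec {
    selector {
      match_labels = {
        app  = "falco"
        role = "security"
      }
    }
    template {
      metadata {
        labels = {
          app  = "falco"
          role = "security"
        }
      }
      spec {
        host_network         = true
        service_account_name = kubernetes_service_account.falco_sa.metadata.0.name
        # Required with host_network so in-cluster names (the API server below) still resolve.
        dns_policy = "ClusterFirstWithHostNet"

        # --- host paths (mounted under /host/... in the container) ---
        volume {
          name = "docker-socket"
          host_path {
            # Fixed from "/var/run/docker.socket": the Docker daemon listens on
            # docker.sock, and the container mounts this volume at
            # /host/var/run/docker.sock. With the old path nothing existed on the host,
            # so the mount was an empty directory and container metadata lookups via
            # Docker could not work.
            path = "/var/run/docker.sock"
          }
        }
        volume {
          name = "containerd-socket"
          host_path {
            path = "/run/containerd/containerd.sock"
          }
        }
        volume {
          name = "dev-fs"
          host_path {
            path = "/dev"
          }
        }
        volume {
          name = "proc-fs"
          host_path {
            path = "/proc"
          }
        }
        volume {
          name = "boot-fs"
          host_path {
            path = "/boot"
          }
        }
        volume {
          name = "lib-modules"
          host_path {
            path = "/lib/modules"
          }
        }
        volume {
          name = "usr-fs"
          host_path {
            path = "/usr"
          }
        }
        volume {
          name = "etc-fs"
          host_path {
            path = "/etc"
          }
        }
        # tmpfs-backed /dev/shm for the container.
        volume {
          name = "dshm"
          empty_dir {
            medium = "Memory"
          }
        }
        # Rules and falco.yaml from the falco_cfgmap config map.
        volume {
          name = "falco-config"
          config_map {
            name = kubernetes_config_map.falco_cfgmap.metadata.0.name
          }
        }

        container {
          name = "falco"
          # NOTE(review): the floating "latest" tag means every node pull may run a
          # different, unreviewed build of a privileged component. Pin this to a
          # specific release tag (or digest) that has been reviewed and test it before
          # rolling forward; the exact version to use is a deployment decision.
          image = "falcosecurity/falco:latest"
          args = [
            "/usr/bin/falco",
            # Container metadata via the host's containerd socket (mounted below).
            "--cri", "/host/run/containerd/containerd.sock",
            # API-server auth: the automounted service-account token (see falco_sa).
            "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token",
            "-k", "https://$(KUBERNETES_SERVICE_HOST)",
            "-pk",
          ]
          security_context {
            # Needed to load the kernel driver / eBPF probe and read /host/dev and /host/proc.
            privileged = true
          }
          env {
            # Set to an empty value on purpose; presumably selects the eBPF probe with its
            # default path rather than the kernel module — confirm against the Falco
            # release in use.
            name  = "SYSDIG_BPF_PROBE"
            value = ""
          }
          env {
            # Extra C preprocessor flag passed to the driver build; appears to be a
            # Container-Optimized OS workaround — verify it is still needed.
            name  = "KBUILD_EXTRA_CPPFLAGS"
            value = "-DCOS_73_WORKAROUND"
          }
          volume_mount {
            name       = "docker-socket"
            mount_path = "/host/var/run/docker.sock"
          }
          volume_mount {
            name       = "containerd-socket"
            mount_path = "/host/run/containerd/containerd.sock"
          }
          volume_mount {
            name       = "dev-fs"
            mount_path = "/host/dev"
          }
          volume_mount {
            name       = "proc-fs"
            mount_path = "/host/proc"
            read_only  = true
          }
          volume_mount {
            name       = "boot-fs"
            mount_path = "/host/boot"
            read_only  = true
          }
          volume_mount {
            name       = "lib-modules"
            mount_path = "/host/lib/modules"
            read_only  = true
          }
          volume_mount {
            name       = "usr-fs"
            mount_path = "/host/usr"
            read_only  = true
          }
          volume_mount {
            name       = "etc-fs"
            mount_path = "/host/etc"
            read_only  = true
          }
          volume_mount {
            name       = "dshm"
            mount_path = "/dev/shm"
          }
          volume_mount {
            name       = "falco-config"
            mount_path = "/etc/falco"
          }
        }
      }
    }
  }
}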
# ClusterIP service in front of the Falco pods on TCP 8765.
# NOTE(review): 8765 is presumably Falco's embedded web server (the k8s audit endpoint)
# — confirm against configs/falco/falco.yaml. Because the pods use host_network, this
# port is also bound directly on every node's interface, independent of this service;
# restrict it with a NetworkPolicy or firewall rule if it should not be node-reachable.
resource "kubernetes_service" "falco_svc" {
  metadata {
    # Reuses the daemonset name so the service and workload share one identifier.
    name = kubernetes_daemonset.falco_ds.metadata.0.name
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  spec {
    type = "ClusterIP"
    port {
      protocol = "TCP"
      port     = 8765
    }
    # Must match the daemonset's pod template labels.
    selector = {
      app  = "falco"
      role = "security"
    }
  }
}