Falco 0.30.0

Today we announce the fall release of Falco 0.30.0 🌱

This version includes new features, important fixes, and an exciting proposal for a libs plugin system!

Novelties 🆕

Let's review some of the highlights of the new release.

New features and fixes

This release introduces a new --k8s-node command-line option (#1671), which filters by node name when requesting pod metadata from the K8s API server. Typically, it should be set to the node on which Falco runs. If empty, no filter is set, so each Falco instance fetches metadata for every pod in the cluster, which may incur a performance penalty on large clusters. This new feature represents a significant performance improvement for Falco, and delivers a long-awaited fix to an issue confirmed by many deployments of Falco on production-scale Kubernetes clusters.

The update to the drivers version 3aa7a83 completes the performance enhancements for the collection of metadata from container orchestrators, and includes improvements to the libsinsp public API, allowing consumers to modify the key parameters that determine the behavior of metadata collection from orchestrators like Kubernetes or Mesos. These parameters are now exposed as customizable settings in Falco, enabling users to tune metadata fetching behavior to their deployments. The default values are:

  max_mb: 100
  chunk_wait_us: 1000
  watch_freq_sec: 1

This release also adds the ability to export rule tags and event source in gRPC and JSON outputs! This behavior can be configured, and enables Falco event consumers, such as Falco Sidekick, to take full advantage of Falco's event tagging feature. Happy tagging :)
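As an added illustration of what a consumer can do with the new properties (this is example code written for this post, not part of Falco or Falcosidekick), the script below parses Falco's newline-delimited JSON output and routes each event by its "source" and "tags" properties. It assumes json_output is enabled and that tags are emitted (the falco.yaml key assumed here is json_include_tags_property); the sample events are constructed, and the last one deliberately omits "tags" to show that a consumer must tolerate older Falco versions or configurations that do not emit them.

```python
"""Route Falco JSON events by event source and rule tags (added example)."""
import json
from collections import Counter

# Constructed sample of Falco JSON output, one event per line. Not captured
# from a real Falco run; the last event intentionally has no "tags" property.
SAMPLE_OUTPUT = """\
{"output":"10:12:01.000000000: Warning Shell spawned in container (user=root container=nginx shell=bash)","priority":"Warning","rule":"Terminal shell in container","source":"syscall","tags":["container","shell","mitre_execution"],"time":"2021-10-01T10:12:01.000000000Z","output_fields":{"container.id":"3a1b2c3d4e5f","proc.name":"bash","user.name":"root"}}
{"output":"10:12:05.000000000: Notice K8s Role/ClusterRole Created (user=admin role=cluster-admin)","priority":"Notice","rule":"K8s Role/Clusterrole Created","source":"k8s_audit","tags":["k8s"],"time":"2021-10-01T10:12:05.000000000Z","output_fields":{"ka.user.name":"admin"}}
{"output":"10:12:09.000000000: Error Sensitive file opened for reading (user=app file=/etc/shadow)","priority":"Error","rule":"Read sensitive file untrusted","source":"syscall","tags":["filesystem","mitre_credential_access"],"time":"2021-10-01T10:12:09.000000000Z","output_fields":{"fd.name":"/etc/shadow","user.name":"app"}}
{"output":"10:12:12.000000000: Warning Shell spawned in container (user=root container=redis shell=sh)","priority":"Warning","rule":"Terminal shell in container","source":"syscall","time":"2021-10-01T10:12:12.000000000Z","output_fields":{"container.id":"deadbeef0000","proc.name":"sh","user.name":"root"}}
"""

# Falco priorities, most severe first.
PRIORITY_RANK = {p: i for i, p in enumerate(
    ["Emergency", "Alert", "Critical", "Error", "Warning",
     "Notice", "Informational", "Debug"])}


def parse_events(text):
    """Parse newline-delimited Falco JSON output, skipping blank or malformed lines
    (for instance a partial line at the boundary of a rotated log file)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and "rule" in ev:
            events.append(ev)
    return events


def event_tags(ev):
    """Tags are only present when Falco is configured to emit them; treat absence as empty."""
    return frozenset(ev.get("tags") or [])


def at_least(ev, priority):
    """True if the event's priority is at least as severe as `priority`."""
    unknown = len(PRIORITY_RANK)  # unknown priorities sort as least severe
    return PRIORITY_RANK.get(ev.get("priority"), unknown) <= PRIORITY_RANK[priority]


# Hypothetical destinations: (name, predicate over the event). An event may match several.
ROUTES = [
    ("k8s-audit-channel", lambda ev: ev.get("source") == "k8s_audit"),
    ("mitre-review", lambda ev: any(t.startswith("mitre_") for t in event_tags(ev))),
    ("pager", lambda ev: at_least(ev, "Error")),
]


def route(ev, routes=ROUTES):
    """Return the list of destination names whose predicate matches the event."""
    return [dest for dest, pred in routes if pred(ev)]


def summarize(events):
    """Count events per source and per tag, and how many carried no tags at all."""
    by_source = Counter(ev.get("source", "unknown") for ev in events)
    by_tag = Counter(t for ev in events for t in event_tags(ev))
    untagged = sum(1 for ev in events if not event_tags(ev))
    return {"by_source": dict(by_source), "by_tag": dict(by_tag), "untagged": untagged}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_OUTPUT)
    for ev in evs:
        print(ev.get("source"), sorted(event_tags(ev)), "->", route(ev))
    print(summarize(evs))
```

The same routing works unchanged on the gRPC output, since the "source" and "tags" properties carry the same values there; a real consumer would read stdin or a file instead of SAMPLE_OUTPUT.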

Libs plugin system proposal

A proposal for a libs plugin system has been accepted, and we couldn't be more excited! The possibilities are limitless! 🎉

Plugins will allow users to easily extend the functionality of the libraries and, as a consequence, of Falco and any other tool based on the libraries. This proposal, in particular, focuses on two types of plugins: source plugins and extractor plugins. A source plugin implements a new sinsp/scap event source (e.g., "k8s_audit"), while an extractor plugin focuses on field extraction from events generated by other plugins, or by the core libraries.

Plugins are dynamic libraries (.so files on Unix-like systems, .dll files on Windows) that export a minimum set of functions that the libraries will recognize. They can be written in any language, as long as they export the required functions. Go, however, is the preferred language for writing plugins, followed by C/C++. To facilitate the development of plugins, a Go SDK has been developed.

Both the experimental plugin system and SDK are now incubating projects in the Falco organization, and include a set of initial examples. We invite the community to try them out, contribute new plugins, and join efforts to build together the foundation for cloud-native runtime security! 🚀

New Falco release schedule

Finally, after discussing with the community, a new release schedule has been approved for Falco. New releases are now due to happen three times per year: at the end of January, May, and September. We will continue to release hot fixes and minor patches in between major releases. As always, feedback, bug reports, and contributions are welcome! :)

Try it!

As usual, in case you just want to try out the stable Falco 0.30.0, you can install its packages following the process outlined in the docs:

Would you rather use the container images? No problem at all! 🐳

You can read more about running Falco with Docker in the docs.

You can also find the Falcosecurity container images on the public AWS ECR gallery:

What's next 🔮

Falco 0.31.0 is anticipated to be released in January 2022!

As usual, the final release date will be discussed during the Falco Community Calls.

Let's meet 🤝

As always, we meet every week in our community calls, if you want to know the latest and the greatest you should join us there!

If you have any questions

Thanks to all the amazing contributors! Falco reached 100 contributors, and all the other Falco projects are receiving a vital stream of contributions every day.

Special kudos to Falco Sidekick, which just passed the mark of 1.5M Docker pulls on Docker Hub!

Keep up the good work!