Falco Weekly 46
This is the first of a series of weekly blog post whose aim is to give a quick overview about the development of Falco and its related projects.
What happened in Falco this week?
Let's go through the major changes that happened in various repositories under the falcosecurity organization.
Lots of cleanups happened in the libs repo; the most outstanding ones being:
udigengine removal (https://github.com/falcosecurity/libs/pull/1485)
- dropped legacy metadata clients for
- cleaned up
proccallback handling code (https://github.com/falcosecurity/libs/pull/1471)
Please, note that the removal of the legacy
k8s client is part of a bigger effort to entirely rewrite it as a plugin, with a more future proof architecture and language.
See the tracking issue: https://github.com/falcosecurity/libs/issues/987.
All of these cleanups account for ~26k loc removed!! :rocket:
Moreover, some fixes landed:
- removed some more Undefined Behavior warnings from integer copies (https://github.com/falcosecurity/libs/pull/1481)
- solved win32 linking issues with zlib (https://github.com/falcosecurity/libs/pull/1484)
libbpfstats from being collected with no bpf stats (https://github.com/falcosecurity/libs/pull/1487)
Finally, some new features were merged:
- libraries will now be properly installed under
- added ppc64le experimental support for modern bpf driver (https://github.com/falcosecurity/libs/pull/1475)
- upgraded openssl to 3.1.4 (https://github.com/falcosecurity/libs/pull/1488)
Also, we now have a target release date and a tracking issue for libs 0.14 and next driver release: https://github.com/falcosecurity/libs/issues/1482.
Now Falco builds and runs on win32 and osx too! https://github.com/falcosecurity/falco/pull/2889 While Falco won't ship for these platforms, we will now have proper CI for them.
Following the huge round of cleanups in libs, k8s and mesos related configs and options were removed: https://github.com/falcosecurity/falco/pull/2914.
Also, another small cleanup relative to the legacy
k8saudit implementantion (not the plugin one!) was merged: https://github.com/falcosecurity/falco/pull/2913.
While the code for the new
driver-loader feature for
falcoctl is being reviewed (part of the effort to drop
falco-driver-loader script (https://github.com/falcosecurity/falcoctl/issues/327 and https://github.com/falcosecurity/falco/issues/2675), some features landed too:
- fetch config layer for a specific platform (https://github.com/falcosecurity/falcoctl/pull/349)
- added a new
artifact manifestcommand (https://github.com/falcosecurity/falcoctl/pull/351)
A new repo, k8s-metacollector, was donated to the falcosecurity.
It is a self-contained module that fetched metadata from kubernetes API server and dispatches them to Falco instances via gRPC.
A new plugin is being developed to receive those metadata from gRPC, and will be shipped with Falco 0.37.
Driverkit gained support for SUSE Linux Enterprise: https://github.com/falcosecurity/driverkit/pull/304.
Let's meet 🤝
We meet every week in our community calls, if you want to know the latest and the greatest you should join us there!
If you have any questions
Thanks to all the amazing contributors!
Aldo, Andrea, Federico