Falco fails to start on AKS 1.16

[chriss745]

I am using release v1.0.0 on an AKS 1.16.7 environment, everything works fine except Falco pods keep restarting with message:

* Setting up /usr/src links from host
* Unloading falco-probe, if present
* Running dkms install for falco
Error! Could not find module source directory.
Directory: /usr/src/falco-latest does not exist.
* Running dkms build failed, couldn't find /var/lib/dkms/falco/latest/build/make.log
* Trying to load a system falco-probe, if present
* Trying to find precompiled falco-probe for 4.15.0-1077-azure
Found kernel config at /host/boot/config-4.15.0-1077-azure
* Trying to download precompiled module from https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-latest-x86_64-4.15.0-1077-azure-6a17f49f6afd7abb614aa1daa67c5428.ko
curl: (22) The requested URL returned error: 404 Not Found
Download failed, consider compiling your own falco-probe and loading it or getting in touch with the Falco community
Thu May 28 07:49:52 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Thu May 28 07:49:52 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Thu May 28 07:49:53 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Thu May 28 07:49:53 2020: Unable to load the driver. Exiting.
Thu May 28 07:49:53 2020: Runtime error: error opening device /dev/falco0. Make sure you have root credentials and that the falco-probe module is loaded.. Exiting.

Do you know if can I fix that somehow through a custom values.yaml?

Thank you!

[chriss745]

I just checked it with v0.17 and falco works on that version with AKS 1.16.7. Unfortunately I cannot use v.0.17 as there are features in v.1.0.0 what we would like to use.

[frankreno]

@chriss745 - We believe we have found the issue with Falco. Long story short the issue is due to the fact that /host/etc needs to be mounted for the helm to start. However, it is not possible to do this in the helm chart today without also enabling ebpf which breaks on non-ebpf supported OS. This is the case for helm chart we use is from helm/stable.

However, the Falco team is moving the chart out of Helm stable to https://github.com/falcosecurity/charts. We will also work on this migration, however, I have a workaround for you in the mean time.

• Install 1.0 which will have falco.enabled=false set by default. Keep this as we do not want to deploy the helm/stable version of falco.
• Then you can use the following steps to install the new falco chart, which should work and will work for our integration.

Helm2

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install --name falco falcosecurity/falco --set falco.jsonOutput=true

Helm3

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco --set falco.jsonOutput=true

[chriss745]

Thank you Frank, I can confirm the workaround works.

[frankreno]

Thank you for confirming. We will get this fixed in a future release when we migrate off of helm/stable. I am going to leave the issue open until we have the fix packaged.

[perk-sumo]

Fixed upstream.