Blog: GitLab Container Registry now supports Falcoctl OCI Artifacts

Fri, 11 Aug 2023 00:00:00 +0000

Today, we'd like to share with the Falco community the latest contribution we (w/Emin Aktas) made to GitLab Container Registry.

We noticed that GitLab Container Registry didn't support Falcoctl OCI Artifact mediaTypes while we were pushing the Falco rules stored from GitHub container registry to GitLab container registry. We decided then to contribute to GitLab Container Registry by adding the support for Falcoctl OCI Artifact mediaTypes.

Error: PUT https://registry.gitlab.com/v2/x/falcosecurity/rules/k8saudit-rules/manifests/1: MANIFEST_INVALID: manifest invalid; unknown media type: application/vnd.cncf.falco.rulesfile.config.v1+json
Error: PUT https://registry.gitlab.com/v2/x/falcosecurity/plugins/k8saudit/manifests/sha256:b29c97a6590486f8b3b83644677e11d2f68e201a7035699189653d7f571d7e13: MANIFEST_INVALID: manifest invalid; unknown media type: application/vnd.cncf.falco.plugin.config.v1+json

You can learn more about our contribution here. Once the feature is released, planned for GitLab 16.3, it will allow you to pull and push Falcoctl OCI Artifacts from and to GitLab Container Registry.

Falcoctl is one of the newest development efforts from the Falco community. It is a CLI tool that allows you to manage the complete lifecycle of your Falco rules and plugins by leveraging the power of OCI Artifacts.

For those who are not familiar with the OCI Artifacts concept, the OCI Artifacts specification is a way to extend the OCI Registry specification to support storing and retrieving arbitrary content, you can learn more about OCI Artifacts concept, here. OCI Artifacts are important because today's moden software requires storing more than just container images in OCI registries such as the following artifacts would be great use-case examples of that:

Helm charts
WebAssembly modules
Falco rules and plugins. :)
...many other custom artifacts

You can even create your own custom OCI Artifacts. A key thing of OCI registries is uniquely identifying the type. This is done by using a media type, which is a string that identifies the type of content stored in the registry. The media type is used to determine how to interpret the content when it is retrieved from the registry. To learn more about how you can write your own custom OCI Artifacts, you can check out the OCI Artifacts Authoring guide.

Distributing software artifacts as OCI Artifacts served by OCI registries offers a standardized, secured, and efficient way to consume and reuse content within the container ecosystem, making it easier to integrate, distribute, and manage them across different environments and tools.

Hope you can enjoy the new feature once it's released. See you next time! :)

Blog: Rule basics for the Falco 3.0.0 Helm chart

Thu, 09 Feb 2023 00:00:00 +0000

The new Falco Helm chart 3.0.0 (full documentation, upgrade information) comes with a new way to automatically update the Falco rules that are currently loaded. Of course, you can enable, disable and configure this functionality to your liking. Below, we list a number of common basic use cases and how to easily configure Falco for each:

Automatically update rules from the Falco organization

If you install the new helm chart with:

helm install falco

Falco, by default, will load the latest ruleset that is compatible with your Falco version and keep it up to date automatically. In Falco 0.34.0 this is the 0.x.x line of rules published by the Falco organization, following the tag 0 published on GitHub Packages.

Use the rules embedded in the Falco image

The Falco image ships with a snapshot of the latest version of the official Falco org rules. If you wish to use that without downloading anything at runtime you can install Falco with:

helm install falco \
--set falcoctl.artifact.install.enabled=false \
--set falcoctl.artifact.follow.enabled=false

Add custom rules with a configmap

On top of any scenario above you can add the customRules value to add your own custom rules in a configmap. For instance, if we create a file as described in the documentation and then add it to our one of the above command lines with:

-f custom_rules.yaml

It will be loaded and configured in our Falco instance.

Only use rules supplied via configmap

If you only want to use the rules that you add via configmap, discarding all automated updates and default rules shipping in the image you have to remove the falco_rules.yaml entry from the Falco configuration. Assuming you have your custom rules in custom_rules.yaml: