Add custom tags to all rules without manually overriding or appending each rule
dbeilin opened this issue · 0 comments
Motivation
I’m forwarding alerts from my dev cluster to my observability cluster, and I’d like to add the "env" to the tags of each rule.
I already did something similar using customfields: "env:dev", but using tags I would also be able to filter by it in the UI, which I like better.
I know it’s possible using something like this:
- rule: Some Rule Name
  tags: [my_new_tag]
  override:
    tags: append
But it would require me to go over each rule manually. I was hoping this would work:
- rule: *
  tags: [my_new_tag]
  override:
    tags: append
But it’s bad syntax 😄
Feature
It could be support for a wildcard in rule names, or maybe sidekick can do this somehow (not sure).
Alternatives
For now I thought I could use an initContainer:
extra:
  initContainers:
    - name: add-kuku-tag
      image: alpine/k8s:1.28.13
      command: ["/bin/sh"]
      args:
        - -c
        - |
          #!/bin/sh
          TAG="kuku"
          RULES_DIR="/etc/falco"
          if [ ! -d "$RULES_DIR" ]; then
            echo "Rules directory $RULES_DIR does not exist"
            exit 1
          fi
          echo "Contents of $RULES_DIR:"
          ls -la "$RULES_DIR"
      volumeMounts:
        - name: rulesfiles-install-dir
          mountPath: /etc/falco
But I noticed that the rule file doesn't exist when the container is finished running:
Contents of /etc/falco:
+ TAG=kuku
+ RULES_DIR=/etc/falco
+ '[' '!' -d /etc/falco ]
+ echo 'Contents of /etc/falco:'
+ ls -la /etc/falco
total 8
drwxrwxrwx 2 root root 4096 Aug 25 14:14 .
drwxr-xr-x 1 root root 4096 Aug 25 14:14 ..
Stream closed EOF for falco/falco-k2nj2 (add-kuku-tag)
So the rules are loaded after init or did I get it wrong?
Additional context
The customfields option is nice, but the Tags in the UI are actually filterable from the menu, which is way more convenient when looking for custom rules for example.
Thanks
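
One way to get the effect requested above without wildcard support, as an added example that is not part of the original issue or of the Falco project: generate an append override for every rule name found in the rules files. The names `gen_tag_overrides` and `sample_rules` and the sample rules are constructed for illustration; the override syntax is the one quoted in the issue.

```shell
#!/bin/sh
# Added example: emit one "tags: append" override per rule in Falco rules YAML.
# Assumes each rule starts with a "- rule: <name>" line at column 0, as in the
# snippet quoted in the issue.

# gen_tag_overrides TAG [FILE...]  -> override YAML on stdout (stdin if no FILE)
gen_tag_overrides() {
    tag=$1
    shift
    # The tag is written into a YAML flow sequence, so restrict its alphabet.
    case $tag in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid tag: $tag" >&2; return 2 ;;
    esac
    awk -v tag="$tag" '
        /^- rule:/ {
            name = $0
            sub(/^- rule:[ \t]*/, "", name)   # keep the name as written, quotes included
            sub(/[ \t\r]+$/, "", name)        # drop trailing whitespace or CR
            if (name == "" || seen[name]++) next   # skip empty names and repeats
            printf "- rule: %s\n  tags: [%s]\n  override:\n    tags: append\n\n", name, tag
        }
    ' "$@"
}

# Constructed sample input (not real Falco rules): a macro, a list and a
# repeated rule name, none of which should produce an extra entry.
sample_rules() {
    cat <<'EOF'
- macro: spawned_process
  condition: evt.type = execve
- rule: Terminal shell in container
  desc: constructed sample
  tags: [container, shell]
- list: shell_binaries
  items: [bash, sh]
- rule: "Write below etc"
  desc: constructed sample
- rule: Terminal shell in container
  enabled: false
EOF
}

# Stand-alone demo: prints two override entries tagged "dev".
sample_rules | gen_tag_overrides dev
```

Falco applies an override only to a rule that has already been loaded, so the generated file has to be listed after the rules files it was generated from.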