Add custom tags to all rules without manually overriding or appending each rule
Closed this issue · 1 comment
I’m forwarding alerts from my dev cluster to my observability cluster, and I’d like to add the "env" to the tags of each rule.
I already did something similar using `customfields: "env:dev"`, but using tags I would also be able to filter by it in the UI, which I like better.
I know it’s possible using something like this:
```yaml
- rule: Some Rule Name
  tags: [my_new_tag]
  override:
    tags: append
```
But it would require me to go over each rule manually. I was hoping this would work:
```yaml
- rule: *
  tags: [my_new_tag]
  override:
    tags: append
```
But it’s bad syntax 😄
It could support a wildcard for rule names, or maybe sidekick can do this somehow (not sure).
For now I thought I could use an initContainer like this:
```yaml
- name: add-kuku-tag
  image: alpine/k8s:1.28.13
  env:
    - name: TAG
      value: "kuku"
    - name: RULES_DIR
      value: "/etc/falco"
    - name: FALCOCTL_CONFIG
      value: "/etc/falcoctl/falcoctl.yaml"
  command: ["/bin/sh"]
  args:
    - -c
    - |
      # Abort on the first failing command or unset variable instead of
      # silently continuing with an empty rules directory.
      set -eu
      # Install falcoctl (download URLs as in the falcoctl README install snippet;
      # the awk picks the version out of the "location:" redirect header)
      LATEST=$(curl -sI https://github.com/falcosecurity/falcoctl/releases/latest | awk '/location: /{gsub("\r","",$2);split($2,v,"/");print substr(v[8],2)}')
      curl --fail -LS "https://github.com/falcosecurity/falcoctl/releases/download/v${LATEST}/falcoctl_${LATEST}_linux_amd64.tar.gz" | tar -xz
      install -o root -g root -m 0755 falcoctl /usr/local/bin/falcoctl
      # Add the Falco index (falcoctl index add NAME URL; the URL is the
      # documented falcosecurity index)
      falcoctl index add falcosecurity https://falcosecurity.github.io/falcoctl/index.yaml
      # Fix bug where falcoctl would fail to pull from the registry due to auth error
      yq eval 'del(.registry.auth)' -i "$FALCOCTL_CONFIG"
      # Install falco-rules artifact
      falcoctl artifact install falco-rules:3 \
        --allowed-types rulesfile,plugin \
        --resolve-deps \
        --rulesfiles-dir /rulesfiles \
        --plugins-dir /plugins || { echo "Failed to install falco-rules"; exit 1; }
      # Copy the installed rules to the shared volume
      cp -r /rulesfiles/* "$RULES_DIR/"
      echo "Copied rules to $RULES_DIR"
      ls -la "$RULES_DIR"
      # Add TAG to the tags list of every rule entry in falco_rules.yaml.
      # Only entries with a "rule" key are touched: macros, lists and
      # required_engine_version carry no tags. strenv() reads TAG from the
      # environment, so the tag needs no shell quoting inside the expression.
      yq eval --inplace '(.[] | select(has("rule")) | .tags) += [strenv(TAG)]' "$RULES_DIR/falco_rules.yaml"
      echo "Added tag '$TAG' to falco_rules.yaml"
  volumeMounts:
    - name: rulesfiles
      mountPath: /rulesfiles
    - name: plugins
      mountPath: /plugins
    - name: rulesfiles-install-dir
      mountPath: /etc/falco
```
This works, but the rules will be overridden by the Falco Follower in the future; I would need to restart the pod to have the initContainer do its thing again, which isn't ideal.
Additional context
The `customfields` option is nice, but the Tags in the UI are actually filterable from the menu, which is way more convenient when looking for custom rules, for example.
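An added example (not the issue author's code and not part of Falco or falcoctl): a small Python script that turns the upstream rules file into a second rules file made of `override` entries, so the tag is appended through Falco's documented `override: {tags: append}` mechanism for every rule rather than by editing `falco_rules.yaml` in place, which the follower overwrites. It uses only the standard library; the sample rules text embedded in it is constructed, and the file names and the `env_dev` tag are assumptions.

```python
#!/usr/bin/env python3
"""Generate a Falco override file that appends one tag to every rule.

Rather than rewriting falco_rules.yaml (which the falcoctl follower replaces
on its next refresh), emit a separate rules file with one
`override: {tags: append}` entry per rule name found in the upstream file.
Re-run it whenever the upstream file changes. Example code, not Falco's own.
"""
from __future__ import annotations

import json
import re
import sys

# Matches the "- rule: <name>" line that opens a rule definition. Macros,
# lists and required_engine_version entries never match, so they get no tag.
_RULE_LINE = re.compile(r"^\s*-\s+rule:\s*(?P<name>.+?)\s*$")

# Constructed sample of an upstream rules file (not real Falco content).
SAMPLE_RULES = """\
- required_engine_version: 0.31.0

- list: shell_binaries
  items: [bash, sh]

- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

- rule: Terminal shell in container
  desc: A shell was used as the entrypoint into a container with a terminal.
  condition: spawned_process and container and proc.name in (shell_binaries)
  output: A shell was spawned in a container with an attached terminal
  priority: NOTICE
  tags: [container, shell, mitre_execution]

- rule: "Launch Privileged Container"
  desc: Detect the initial process started in a privileged container.
  condition: container_started and container and container.privileged=true
  output: Privileged container started
  priority: INFO
  tags: [container, cis, mitre_privilege_escalation]
"""


def rule_names(rules_text: str) -> list[str]:
    """Return rule names in file order, without duplicates."""
    names: list[str] = []
    seen: set[str] = set()
    for line in rules_text.splitlines():
        m = _RULE_LINE.match(line)
        if not m:
            continue
        name = m.group("name")
        # Drop surrounding quotes when the author quoted the name (plain
        # quoted names only; escaped sequences inside quotes are not handled).
        if len(name) >= 2 and name[0] == name[-1] and name[0] in "\"'":
            name = name[1:-1]
        if name not in seen:
            seen.add(name)
            names.append(name)
    return names


def build_override_yaml(rules_text: str, tag: str) -> str:
    """Render the override document: one entry per rule, appending `tag`."""
    parts = [
        "# Generated: appends tag %s to every rule in the upstream file.\n"
        % json.dumps(tag)
    ]
    for name in rule_names(rules_text):
        # json.dumps yields a valid double-quoted YAML scalar, so names
        # containing colons or quotes stay safe.
        parts.append(
            "- rule: %s\n  tags: [%s]\n  override:\n    tags: append\n"
            % (json.dumps(name), json.dumps(tag))
        )
    return "".join(parts)


def main(argv: list[str]) -> int:
    # Assumed invocation: <upstream_rules.yaml> <output_override.yaml> <tag>
    if len(argv) != 4:
        print("usage: %s UPSTREAM_RULES OUTPUT_FILE TAG" % argv[0], file=sys.stderr)
        return 2
    src, dst, tag = argv[1], argv[2], argv[3]
    with open(src, encoding="utf-8") as f:
        doc = build_override_yaml(f.read(), tag)
    with open(dst, "w", encoding="utf-8") as f:
        f.write(doc)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point it at the rules file the follower writes and load the output from a rules file Falco reads after `falco_rules.yaml`, since an override only resolves once the base rule is defined. Regenerate it whenever the upstream file changes so the entries stay aligned with the rule names that actually exist; because the generated file only appends, removing it reverts the tagging without touching the upstream rules.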
The PR with the feature has been merged, it will be included in the next release.