release: Add falco overrides for the falco GPU alerts

Author: lucianvlad

changelog/0.45.md

@@ -1,9 +1,55 @@
 # v0.45.0
 
-Released 2025-03-12
+Released 2025-03-19
+
+> [!WARNING]
+> **Security Notice(s)**
+>
+> - Upgraded cert-manager to v1.17.1 which addresses critical [CVE-2024-45337](https://github.com/advisories/GHSA-v778-237x-gjrc)
+<!-- -->
+> [!IMPORTANT]
+> **Platform Administrator Notice(s)**
+>
+> - Running `ck8s update-ips` on existing OpenStack CAPI clusters will now allow the entire subnet instead of individual node IPs.
+<!-- -->
+> [!NOTE]
+> **Application Developer Notice(s)**
+>
+> - A new guardrail is added that is enabled by default on ClusterAPI environments. It will by default warn but not deny usage of emptyDir storage, since this can stop cluster autoscaler from scaling down nodes. Read more on [this page](https://elastisys.io/welkin/user-guide/safeguards/enforce-no-local-storage-emptydir/).
+> - A new guardrail is added that is enabled by default on ClusterAPI environments. It will by default warn but not deny usage of Pods without backing controllers, since this can stop cluster autoscaler from scaling down nodes. Read more on [this page](https://elastisys.io/welkin/user-guide/safeguards/enforce-no-pod-without-controller).
+> - Cert-manager was upgraded to v1.17.1. This comes with some potentially [breaking changes](https://github.com/cert-manager/cert-manager/releases/tag/v1.16.0) for [Venafi Issuer](https://cert-manager.io/docs/configuration/venafi/)
+> - RBAC to modify the configmaps `fluentd-extra-config` and `fluentd-extra-plugins`, and to delete any fluentd pod in the `fluentd` namespace has been removed.<br>Reach out to a platform administrator if any additional config or plugins are needed!
 
 ## Changes by kind
 
+### Feature(s)
+
+- [#2414](https://github.com/elastisys/compliantkubernetes-apps/pull/2414) - apps-sc: add policy to reject local storage emptydir [@viktor-f](https://github.com/viktor-f)
+- [#2429](https://github.com/elastisys/compliantkubernetes-apps/pull/2429) - apps: gatekeeper policy to reject pods without controller [@viktor-f](https://github.com/viktor-f)
+- [#2451](https://github.com/elastisys/compliantkubernetes-apps/pull/2451) - Add cert-manager mixin dashboard [@anders-elastisys](https://github.com/anders-elastisys)
+- [ac05981e](https://github.com/elastisys/compliantkubernetes-apps/pull/2465/commits/ac05981ed5305a12a2f54fd5594d44c0727c5287) - gpu-operator: Reconfigre gpu driver version for surpporting ubuntu 24.04 [@HaoruiPeng](https://github.com/HaoruiPeng)
+### Improvement(s)
+
+- [#2418](https://github.com/elastisys/compliantkubernetes-apps/pull/2418) - Update helm/trivy-operator to 0.26.0 and trivy-operator to 0.24.0 [@OlleLarsson](https://github.com/OlleLarsson)
+- [#2435](https://github.com/elastisys/compliantkubernetes-apps/pull/2435) - Upgrade cert-manager helm chart to v1.17.1 [@anders-elastisys](https://github.com/anders-elastisys)
+- [#2438](https://github.com/elastisys/compliantkubernetes-apps/pull/2438) - apps sc: made alert runbooks configurable [@davidumea](https://github.com/davidumea)
+- [#2440](https://github.com/elastisys/compliantkubernetes-apps/pull/2440) - Allow subnet in update-ips [@simonklb](https://github.com/simonklb)
+- [#2448](https://github.com/elastisys/compliantkubernetes-apps/pull/2448) - Make update-ips apply exit 0 even if it has applied diffs [@simonklb](https://github.com/simonklb)
+- [#2450](https://github.com/elastisys/compliantkubernetes-apps/pull/2450) - add ipv6 support to update-ips [@vomba](https://github.com/vomba)
+- [#2454](https://github.com/elastisys/compliantkubernetes-apps/pull/2454) - Upgrade Thanos chart to v15.13.1 [@anders-elastisys](https://github.com/anders-elastisys)
+- [c71b5612](https://github.com/elastisys/compliantkubernetes-apps/pull/2465/commits/c71b5612d6750f2c9d039cb11d9f839ebddb243f) - release: Add falco overrides for the falco GPU alerts [@lucianvlad](https://github.com/lucianvlad)
+### Deprecation(s)
+
+- [#2457](https://github.com/elastisys/compliantkubernetes-apps/pull/2457) - Remove rbac for additional fluentd config and plugins configmaps [@OlleLarsson](https://github.com/OlleLarsson)
+
 ### Other(s)
 
-- [#2464](https://github.com/elastisys/compliantkubernetes-apps/pull/2464) - other: Port patch changelogs v0.42.2, v0.43.1, v0.44.1 [@lunkan93](https://github.com/lunkan93)
+- [#2411](https://github.com/elastisys/compliantkubernetes-apps/pull/2411) - bug: apps: change query expression for LessKubeletsThanNodes alerts [@HaoruiPeng](https://github.com/HaoruiPeng)
+- [#2442](https://github.com/elastisys/compliantkubernetes-apps/pull/2442) - bug: apps sc: Fixed s3 size alert to not double count postgres buckets [@Xartos](https://github.com/Xartos)
+- [#2443](https://github.com/elastisys/compliantkubernetes-apps/pull/2443) - clean-up: Only uninstall with local environment if local cluster exist [@simonklb](https://github.com/simonklb)
+- [#2447](https://github.com/elastisys/compliantkubernetes-apps/pull/2447) - other: Port 0.44.0 [@lunkan93](https://github.com/lunkan93)
+- [#2452](https://github.com/elastisys/compliantkubernetes-apps/pull/2452) - clean-up: Remove (un)encrypted kubeconfig log message [@simonklb](https://github.com/simonklb)
+- [#2456](https://github.com/elastisys/compliantkubernetes-apps/pull/2456) - documentation: Fix LICENSE [@cristiklein](https://github.com/cristiklein)
+- [8618c11a](https://github.com/elastisys/compliantkubernetes-apps/pull/2465/commits/8618c11a1c5172f8ac7738f4c604e156225915c2) - release: Update grafana and opensearch dashboards [@HaoruiPeng](https://github.com/HaoruiPeng)
+- [70645a16](70645a16fd5a3b17bb4d1e3be825faa19720d109) - bug: Fix templating issue for external-dns affinity and resources [@HaoruiPeng](https://github.com/HaoruiPeng)
+- [3f83e724](https://github.com/elastisys/compliantkubernetes-apps/pull/2465/commits/3f83e724a343548c0924a7c94cb396523027cd33) - Add changelog for release v0.45.0 [@HaoruiPeng](https://github.com/HaoruiPeng)

config/common-config.yaml

@@ -1233,3 +1233,38 @@ externalDns:
   #    recordType: A
   #    targets:
   #      - sc control-plane nodes
+gpu:
+  enabled: false
+  operator:
+    resources: {}
+    tolerations: []
+    affinity: {}
+  driver:
+    # use driver version 570.124.06 for supporting cluster running on Ubuntu 24.04.
+    version: "570.124.06"
+    env:
+      - name: NVIDIA_VISIBLE_DEVICES
+        value: all
+  nodeFeatureDiscovery:
+    worker:
+      resources: {}
+      tolerations:
+        - key: elastisys.io/node-type
+          operator: Equal
+          value: gpu
+          effect: NoSchedule
+      affinity: {}
+    controlPlane:
+      resources: {}
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Equal
+          value: ""
+      affinity: {}
+  daemonsets:
+    tolerations:
+      - key: elastisys.io/node-type
+        operator: Equal
+        value: gpu
+        effect: NoSchedule

config/wc-config.yaml

@@ -348,43 +348,6 @@ gatekeeper:
     # - names:
     #     - sealedsecrets.bitnami.com
     #   group: "bitnami.com"
-
     extraServiceAccounts: []
     #  - namespace: "gatekeeper-system"
     #    name: "gatekeeper-admin-upgrade-crds"
-
-gpu:
-  enabled: false
-  operator:
-    resources: {}
-    tolerations: []
-    affinity: {}
-  driver:
-    # use driver version 570.124.06 for supporting cluster running on Ubuntu 24.04.
-    version: "570.124.06"
-    env:
-      - name: NVIDIA_VISIBLE_DEVICES
-        value: all
-  nodeFeatureDiscovery:
-    worker:
-      resources: {}
-      tolerations:
-        - key: elastisys.io/node-type
-          operator: Equal
-          value: gpu
-          effect: NoSchedule
-      affinity: {}
-    controlPlane:
-      resources: {}
-      tolerations:
-        - effect: NoSchedule
-          key: node-role.kubernetes.io/control-plane
-          operator: Equal
-          value: ""
-      affinity: {}
-  daemonsets:
-    tolerations:
-      - key: elastisys.io/node-type
-        operator: Equal
-        value: gpu
-        effect: NoSchedule

helmfile.d/charts/grafana-dashboards/files/welcome.md

@@ -4,6 +4,8 @@
 
 Here you can find the most relevant features and changes for the last couple of releases of Welkin
 
+- Upgrade trivy-operator to v0.26.0 and application to v0.24.0. **[v0.45]**
+- Upgraded cert-manager chart to v1.17.1. **[v0.45]**
 - Upgraded Thanos chart to v15.13.1. **[v0.45]**
 - Added NVIDIA GPU driver support for Ubuntu 24.04. **[v0.45]**
 - Added NVIDIA GPU operator to Welkin. **[v0.44]**

helmfile.d/charts/opensearch/configurer/files/dashboards-resources/welcome.md

@@ -4,6 +4,8 @@
 
 Here you can find the most relevant features and changes for the last couple of releases of Welkin
 
+- Upgrade trivy-operator to v0.26.0 and application to v0.24.0. **[v0.45]**
+- Upgraded cert-manager chart to v1.17.1. **[v0.45]**
 - Upgraded Thanos chart to v15.13.1. **[v0.45]**
 - Added NVIDIA GPU driver support for Ubuntu 24.04. **[v0.45]**
 - Added NVIDIA GPU operator to Welkin. **[v0.44]**

helmfile.d/values/falco/falco-common.yaml.gotmpl

@@ -136,11 +136,17 @@ customRules:
     # This will be added in a later falco rules version as well
     # The fix was added upstream here (with a new condition): https://github.com/falcosecurity/rules/pull/177
     - macro: allowed_clear_log_files
-      condition: (
-        proc.name=containerd and (
-          fd.name startswith "/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/" or
-          fd.name startswith "/var/lib/containerd/tmpmounts/"
-        ))
+      condition: or (
+          proc.name = containerd and (
+            fd.name startswith "/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/" or
+            fd.name startswith "/var/lib/containerd/tmpmounts/"
+          )
+        ) or (
+          proc.name = nvidia-installe and
+          fd.name startswith "/var/log/nvidia-installer.log"
+        )
+      override:
+        condition: append
 
     # Adding a repository to this list will add an exception to the rules:
     # Run shell untrusted
@@ -207,12 +213,32 @@ customRules:
       condition: ( container.image.repository in (trusted_image_repositories) )
 
     {{- if and .Values.calicoAccountant.enabled (eq .Values.calicoAccountant.backend "nftables") }}
-
     # Drop and execute new binary in container
     - list: known_drop_and_execute_containers
       items:
         - ghcr.io/elastisys/calico-accountant
+      override:
+        items: append
+    {{- end }}
+
+    {{- if .Values.gpu.enabled }}
+    # Drop and execute new binary in container
+    - list: known_drop_and_execute_containers
+      items:
+        - nvcr.io/nvidia/cloud-native/gpu-operator-validator
+        - nvcr.io/nvidia/driver
+        - nvcr.io/nvidia/k8s/dcgm-exporter
+      override:
+        items: append
+
+    # Linux Kernel Module Injection Detected
+    - list: allowed_container_images_loading_kernel_module
+      items:
+        - nvcr.io/nvidia/driver
+      override:
+        items: append
     {{- end }}
+
     {{- end }}
 
     {{- if .Values.falco.rulesFiles.incubating.enabled }}

migration/v0.45/README.md

@@ -134,19 +134,25 @@ As with all scripts in this repository `CK8S_CONFIG_PATH` is expected to be set.
     export CK8S_CLUSTER=<wc|sc|both>
     ```
 
-2. Update gatekeeper CRDs:
+1. Upgrade trivy-operator
+
+    ```bash
+    ./migration/v0.45/apply/10-trivy-operator.sh execute
+
+1. Update gatekeeper CRDs:
 
     ```bash
     ./migration/v0.45/apply/20-gatekeeper-crds.sh execute
     ```
 
-3. If you didn't have gpu-operator installed previously, but had `gpu-operator` namespace created, label the namespace:
+1. If you didn't have gpu-operator installed previously, but had `gpu-operator` namespace created, label the namespace:
+
    ```bash
    # only for `gpu-operator` installation
    ./migration/v0.45/apply/40-migrate-gpu-operator-ns.sh execute
    ```
 
-4. Upgrade applications:
+1. Upgrade applications:
 
     ```bash
     ./bin/ck8s apply {sc|wc}

migration/v0.45/apply/40-migrate-gpu-operator-ns.sh

@@ -5,44 +5,6 @@ ROOT="$(readlink -f "$(dirname "${0}")/../../../")"
 # shellcheck source=scripts/migration/lib.sh
 source "${ROOT}/scripts/migration/lib.sh"
 
-# functions currently available in the library:
-#   - logging:
-#     - log_info(_no_newline) <message>
-#     - log_warn(_no_newline) <message>
-#     - log_error(_no_newline) <message>
-#     - log_fatal <message> # this will call "exit 1"
-#
-#   - kubectl
-#     # Use kubectl with kubeconfig set
-#     - kubectl_do <sc|wc> <kubectl args...>
-#     # Perform kubectl delete, will not cause errors if the resource is missing
-#     - kubectl_delete <sc|wc> <resource> <namespace> <name>
-#
-#   - helm
-#     # Use helm with kubeconfig set
-#     - helm_do <sc|wc> <helm args...>
-#     # Checks if a release is installed
-#     - helm_installed <sc|wc> <namespace> <release>
-#     # Uninstalls a release if it is installed
-#     - helm_uninstall <sc|wc> <namespace> <release>
-#
-#   - helmfile
-#     # Use helmfile with kubeconfig set
-#     - helmfile_do <sc|wc> <helmfile args...>
-#     # For selector args all will be prefixed with "-l"
-#     # List releases matching the selector
-#     - helmfile_list <sc|wc> <selectors...>
-#     # Apply releases matching the selector
-#     - helmfile_apply <sc|wc> <selectors...>
-#     # Check for changes on releases matching the selector
-#     - helmfile_change <sc|wc> <selectors...>
-#     # Destroy releases matching the selector
-#     - helmfile_destroy <sc|wc> <selectors...>
-#     # Replaces the releases matching the selector, performing destroy and apply on each release individually
-#     - helmfile_replace <sc|wc> <selectors...>
-#     # Upgrades the releases matching the selector, performing automatic rollback on failure set "CK8S_ROLLBACK=false" to disable
-#     - helmfile_upgrade <sc|wc> <selectors...>
-
 run() {
   case "${1:-}" in
   execute)