elastisys · rarescosma · Dec 19, 2025 · Dec 10, 2025 · Dec 1, 2025 · Dec 5, 2025
@@ -501,7 +501,9 @@ allow_subnet() {
 
   # Allowing the subnet is currently only supported for clusters setup with
   # CAPI on OpenStack. Fallback on allowing individual nodes otherwise.
-  if [ "$(yq_read "${cluster}" '.global.ck8sK8sInstaller' "")" != "capi" ] || [ "$(yq_read "${cluster}" '.global.ck8sCloudProvider' "")" != "openstack" ]; then
+  if [ "$(yq_read "${cluster}" '.global.ck8sK8sInstaller' "")" != "capi" ] ||
+    { [ "$(yq_read "${cluster}" '.global.ck8sCloudProvider' "")" != "openstack" ] &&
+      [ "$(yq_read "${cluster}" '.global.ck8sCloudProvider' "")" != "elastx" ]; }; then
     allow_nodes "${cluster}" "${config_option}" "${label}"
     return
   fi

@@ -111,3 +111,21 @@ Released 2025-11-20
 ### Other(s)
 
 - [#2858](https://github.com/elastisys/compliantkubernetes-apps/pull/2858) - bug: apps wc: move user alertmanager secret to created with install hook [@viktor-f](https://github.com/viktor-f)
+
+## v0.49.2
+
+Released 2025-12-17
+
+## Changes by kind
+
+### Improvement(s)
+
+- [#2885](https://github.com/elastisys/compliantkubernetes-apps/pull/2885) - chore: bump rclone to v1.72.0 [@rarescosma](https://github.com/rarescosma)
+- [#2888](https://github.com/elastisys/compliantkubernetes-apps/pull/2888) - apps: remove denial logging from node-local-dns, due to spamming [@viktor-f](https://github.com/viktor-f)
+- [#2892](https://github.com/elastisys/compliantkubernetes-apps/pull/2892) - OpenSearch top_queries index improvements [@lunkan93](https://github.com/lunkan93)
+
+### Other(s)
+
+- [#2884](https://github.com/elastisys/compliantkubernetes-apps/pull/2884) - bug: apps: fix velero snapshots [@Eliastisys](https://github.com/Eliastisys)
+- [#2895](https://github.com/elastisys/compliantkubernetes-apps/pull/2895) - bug: fixes for upcoming patch release [@rarescosma](https://github.com/rarescosma)
+- [#2913](https://github.com/elastisys/compliantkubernetes-apps/pull/2913) - fix: copy falco driver migration to v0.50 [@rarescosma](https://github.com/rarescosma)
diff --git a/config/common-config.yaml b/config/common-config.yaml
@@ -182,7 +182,7 @@ falco:
   ## configure syscall source
   ## ref: https://falco.org/docs/concepts/event-sources/kernel/
   driver:
-    kind: kmod
+    kind: modern_ebpf
 
     ebpf:
       # -- Path where the eBPF probe is located. It comes handy when the probe have been installed in the nodes using tools other than the init

diff --git a/config/schemas/config.yaml b/config/schemas/config.yaml
@@ -3221,11 +3221,11 @@ properties:
             default: kmod
             enum:
               - kmod
-              - modern-bpf
+              - modern_ebpf
               - ebpf
             meta:enum:
               kmod: Kernel module (default)
-              modern-bpf: Modern eBPF probe
+              modern_ebpf: Modern eBPF probe
               ebpf: Legacy eBPF probe
         if:
           properties:
@@ -3251,7 +3251,7 @@ properties:
             kind:
               type: string
               enum:
-                - modern-bpf
+                - modern_ebpf
                 - ebpf
             ebpf:
               additionalProperties: false

@@ -21,6 +21,7 @@ spec:
     volumes:
       - configMap
       - downwardAPI
+      - hostPath
       - emptyDir
       - persistentVolumeClaim
       - projected

@@ -108,7 +108,7 @@ data:
       {{- . | nindent 6 }}
       {{- end }}
       log . {combined} {
-        class denial error
+        class error
       }
       cache 30
       reload

@@ -66,7 +66,7 @@ spec:
         summary: Index {{`{{ $labels.index }}`}} is using {{`{{ $value }}`}} percent of max field limit
         runbook_url: {{ .Values.runbookUrls.opensearch.OpenSearchFieldLimit }}
     - alert: OpenSearchFieldLimit
-      expr: (sum(max_over_time(elasticsearch_indices_mappings_stats_fields{namespace="opensearch-system"}[5m])) by (index) / sum(max_over_time(elasticsearch_indices_settings_total_fields{namespace="opensearch-system"}[5m])) by (index)) * 100 > 95
+      expr: (sum(max_over_time(elasticsearch_indices_mappings_stats_fields{namespace="opensearch-system",index!~"top_queries.*"}[5m])) by (index) / sum(max_over_time(elasticsearch_indices_settings_total_fields{namespace="opensearch-system",index!~"top_queries.*"}[5m])) by (index)) * 100 > 95
       for: 15m
       labels:
         severity: critical

diff --git a/helmfile.d/lists/images.yaml b/helmfile.d/lists/images.yaml
@@ -80,7 +80,7 @@ images:
     curatorCronjob: ghcr.io/elastisys/bitnami/elasticsearch-curator:5.8.4-debian-10-r235
     exporter: quay.io/prometheuscommunity/elasticsearch-exporter:v1.7.0
   rclone:
-    image: ghcr.io/elastisys/rclone-sync:1.70.3
+    image: ghcr.io/elastisys/rclone-sync:1.72.0
   tekton:
     controller: ghcr.io/tektoncd/github.com/tektoncd/pipeline/cmd/controller:v0.45.0
     remoteResolvers: ghcr.io/tektoncd/github.com/tektoncd/pipeline/cmd/resolvers:v0.45.0

@@ -75,8 +75,8 @@ driver:
     {{- end }}
     hostNetwork: {{ .Values.falco.driver.ebpf.hostNetwork }}
     leastPrivileged: true
-  {{- else if eq .Values.falco.driver.kind "modern-bpf" }}
-  modern_bpf:
+  {{- else if eq .Values.falco.driver.kind "modern_ebpf" }}
+  modernEbpf:
     leastPrivileged: true
   {{- end }}
   loader:

@@ -33,3 +33,11 @@ policies:
       egress:
         - rule: egress-rule-dns
         - rule: egress-rule-apiserver
+
+    velero-data-mover:
+      podSelectorLabels:
+        velero.io/exposer-pod-group: snapshot-exposer
+      egress:
+        - rule: egress-rule-dns
+        - rule: egress-rule-apiserver
+        - rule: egress-rule-object-storage
@@ -9,6 +9,7 @@ constraints:
           - emptyDir
           - projected
           - secret
+          - configMap
         allowedHostPaths:
           - pathPrefix: /var/lib/kubelet/pods
             readOnly: false
@@ -25,16 +26,42 @@ constraints:
       allow:
         runAsUser:
           rule: MustRunAsNonRoot
+        volumes:
+          - hostPath
+          - emptyDir
+          - projected
+          - secret
+          - persistentVolumeClaim
+          - configMap
+          - downwardAPI
+        allowedHostPaths:
+          - pathPrefix: /var/lib/kubelet/pods
+            readOnly: false
+          - pathPrefix: /var/lib/kubelet/plugins
+            readOnly: false
       mutation:
-        runAsUser: 1000
+        runAsUser: 1002
     data-upload:
       podSelectorLabels:
         velero.io/exposer-pod-group: snapshot-exposer
       allow:
         runAsUser:
           rule: MustRunAsNonRoot
+        volumes:
+          - hostPath
+          - emptyDir
+          - projected
+          - secret
+          - persistentVolumeClaim
+          - configMap
+          - downwardAPI
+        allowedHostPaths:
+          - pathPrefix: /var/lib/kubelet/pods
+            readOnly: false
+          - pathPrefix: /var/lib/kubelet/plugins
+            readOnly: false
       mutation:
-        runAsUser: 1000
+        runAsUser: 1002
     repo-maintenance:
       podSelectorExpressions:
         - key: velero.io/repo-name

diff --git a/helmfile.d/values/velero/sc.yaml.gotmpl b/helmfile.d/values/velero/sc.yaml.gotmpl
@@ -134,6 +134,7 @@ schedules:
     template:
       storageLocation: default
       snapshotMoveData: {{ .Values.velero.useVolumeSnapshots }}
+      snapshotVolumes: {{ .Values.velero.useVolumeSnapshots }}
       labelSelector:
         matchLabels:
           velero: backup

diff --git a/helmfile.d/values/velero/wc.yaml.gotmpl b/helmfile.d/values/velero/wc.yaml.gotmpl
@@ -134,6 +134,7 @@ schedules:
     template:
       storageLocation: default
       snapshotMoveData: {{ .Values.velero.useVolumeSnapshots }}
+      snapshotVolumes: {{ .Values.velero.useVolumeSnapshots }}
       excludedNamespaces:
         {{- with .Values.velero.excludedNamespaces }}
         {{- toYaml . | nindent 8 }}

@@ -4,7 +4,7 @@ FROM ubuntu:rolling as download
 RUN apt-get update && apt-get install -y curl unzip
 
 # Install rclone
-ENV RCLONE_VERSION="v1.70.3"
+ENV RCLONE_VERSION="v1.72.0"
 RUN curl -O https://downloads.rclone.org/${RCLONE_VERSION}/rclone-${RCLONE_VERSION}-linux-amd64.zip && \
     unzip rclone-${RCLONE_VERSION}-linux-amd64.zip && \
     cd rclone-*-linux-amd64 && \

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+HERE="$(dirname "$(readlink -f "${0}")")"
+ROOT="$(readlink -f "${HERE}/../../../")"
+
+# shellcheck source=scripts/migration/lib.sh
+source "${ROOT}/scripts/migration/lib.sh"
+
+update_falco_driver() {
+  local -r cluster="${1}"
+  local current_driver
+  current_driver="$(yq_dig "${cluster}" '.falco.driver.kind')"
+
+  if [[ "${current_driver}" == "modern-bpf" ]] || [[ "${current_driver}" == "kmod" ]]; then
+    log_info "Updating falco driver from ${current_driver} to modern_ebpf in ${cluster}-config..."
+    yq_add "${cluster}" '.falco.driver.kind' '"modern_ebpf"'
+  fi
+}
+
+if [[ "${CK8S_CLUSTER}" =~ ^(sc|both)$ ]]; then
+  update_falco_driver sc
+fi
+if [[ "${CK8S_CLUSTER}" =~ ^(wc|both)$ ]]; then
+  update_falco_driver wc
+fi
+update_falco_driver common