feat(agent): enable falcobaseline for agent version 12.9.x and above (#1561)

maratsal · web-flow · commit 7cf86a629150 · 2024-01-12T06:24:46.000-05:00
diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.19.0
+version: 1.19.1
diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl
@@ -411,6 +411,12 @@ agent config to prevent a backend push from enabling them after installation.
             "secure_audit_streams") }}
             {{- $_ := set $secureConfig $secureFeature (dict "enabled" false) }}
         {{- end }}
+    {{ else if include "agent.enableFalcoBaselineSecureLight" . }}
+        {{- range $secureFeature := (list
+            "memdump"
+            "network_topology") }}
+            {{- $_ := set $secureConfig $secureFeature (dict "enabled" false) }}
+        {{- end }}
     {{ else if $secureLightMode }}
         {{- range $secureFeature := (list
             "drift_control"
@@ -531,3 +537,11 @@ true
 {{- end }}
 {{- end }}
 {{- end }}
+
+{{- define "agent.enableFalcoBaselineSecureLight" }}
+{{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" .Values.image.tag }}
+{{- if semverCompare ">= 12.19.0-0" .Values.image.tag }}
+{{- printf "true" -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/agent/tests/drift_prevention_test.yaml b/charts/agent/tests/drift_prevention_test.yaml
@@ -25,20 +25,6 @@ tests:
               enabled: false
     template: templates/configmap.yaml
 
-  - it: Drift prevention must be false when is secure_light
-    set:
-      sysdig:
-        settings:
-          feature:
-            mode: secure_light
-    asserts:
-      - matchRegex:
-          path: data['dragent.yaml']
-          pattern: |-
-            drift_killer:
-              enabled: false
-    template: templates/configmap.yaml
-
   - it: Drift prevention must be false when is running on GKE Autopilot
     set:
       gke:
@@ -115,20 +101,6 @@ tests:
               enabled: false
     template: templates/configmap.yaml
 
-  - it: Drift control must be false when is secure_light
-    set:
-      sysdig:
-        settings:
-          feature:
-            mode: secure_light
-    asserts:
-      - matchRegex:
-          path: data['dragent.yaml']
-          pattern: |-
-            drift_control:
-              enabled: false
-    template: templates/configmap.yaml
-
   - it: Drift control must be false when is running on GKE Autopilot
     set:
       gke:
diff --git a/charts/agent/tests/secure_enable_test.yaml b/charts/agent/tests/secure_enable_test.yaml
@@ -42,21 +42,6 @@ tests:
           pattern: |-
             commandlines_capture:
               enabled: false
-      - matchRegex:
-          path: data['dragent.yaml']
-          pattern: |-
-            drift_control:
-              enabled: false
-      - matchRegex:
-          path: data['dragent.yaml']
-          pattern: |-
-            drift_killer:
-              enabled: false
-      - matchRegex:
-          path: data['dragent.yaml']
-          pattern: |-
-            falcobaseline:
-              enabled: false
       - matchRegex:
           path: data['dragent.yaml']
           pattern: |-
@@ -141,21 +126,6 @@ tests:
           pattern: |-
             statsd:
               enabled: false
-      - matchRegex:
-          path: data['dragent.yaml']
-          pattern: |-
-            drift_control:
-              enabled: false
-      - matchRegex:
-          path: data['dragent.yaml']
-          pattern: |-
-            drift_killer:
-              enabled: false
-      - matchRegex:
-          path: data['dragent.yaml']
-          pattern: |-
-            falcobaseline:
-              enabled: false
       - matchRegex:
           path: data['dragent.yaml']
           pattern: |-
diff --git a/charts/agent/tests/secure_light_config_test.yaml b/charts/agent/tests/secure_light_config_test.yaml
@@ -0,0 +1,198 @@
+suite: Testing seetings for secure light mode
+templates:
+  - configmap.yaml
+tests:
+  - it: Testing if certain settings set to false for agent version =< 12.18.x
+    set:
+      image:
+        tag: 12.18.1
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+        settings:
+          feature:
+            mode: secure_light
+      secure:
+        enabled: true
+    asserts:
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            drift_control:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            drift_killer:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            falcobaseline:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            memdump:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            network_topology:
+              enabled: false
+    template: configmap.yaml
+
+  - it: Testing if certain settings set to false for agent version = 12.16.3
+    set:
+      image:
+        tag: 12.16.3
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+        settings:
+          feature:
+            mode: secure_light
+      secure:
+        enabled: true
+    asserts:
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            drift_control:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            drift_killer:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            falcobaseline:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            memdump:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            network_topology:
+              enabled: false
+    template: configmap.yaml
+
+  - it: Testing if certain settings set to false for agent version latest
+    set:
+      image:
+        tag: latest
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+        settings:
+          feature:
+            mode: secure_light
+      secure:
+        enabled: true
+    asserts:
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            drift_control:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            drift_killer:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            falcobaseline:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            memdump:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            network_topology:
+              enabled: false
+    template: configmap.yaml
+
+  - it: Testing if certain settings set to false for agent version > 12.18.x
+    set:
+      image:
+        tag: 12.19.0
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+        settings:
+          feature:
+            mode: secure_light
+      secure:
+        enabled: true
+    asserts:
+      - notMatchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            drift_control:
+              enabled: false
+      - notMatchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            drift_killer:
+              enabled: false
+      - notMatchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            falcobaseline:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            memdump:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            network_topology:
+              enabled: false
+    template: configmap.yaml
+
+  - it: Testing if certain settings set to false for agent version 12.20.1
+    set:
+      image:
+        tag: 12.20.1
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+        settings:
+          feature:
+            mode: secure_light
+      secure:
+        enabled: true
+    asserts:
+      - notMatchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            drift_control:
+              enabled: false
+      - notMatchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            drift_killer:
+              enabled: false
+      - notMatchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            falcobaseline:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            memdump:
+              enabled: false
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            network_topology:
+              enabled: false
+    template: configmap.yaml
