deployments/security-monitoring/falco-app.yaml

@@ -0,0 +1,68 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: falco
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://falcosecurity.github.io/charts
+    chart: falco
+    targetRevision: 3.9.0
+    helm:
+      releaseName: falco
+      values: |
+        ## Falco configuration
+        falco:
+          config:
+            ## Log output
+            json_output: true
+            json_include_output_property: true
+            ## Log stdout + webhook for Wazuh integration
+            programs_output:
+              - enabled: true
+                keep_alive: false
+                executor: /etc/falco/webhook.sh
+            file_output:
+              - enabled: true
+                keep_alive: false
+                filename: /var/log/falco/falco.log
+            syscall_event_drops:
+              enable_outputs: true
+              max_percentage_lost: 20.0
+              rate: 10
+            base_syscalls:
+              enable_outputs: false
+            buffers_pmem: false
+            syscall_buffer_num_pages: 256
+
+          ## Falco host mount
+          hostNetwork: true
+          hostPID: true
+          tolerations:
+            - key: node-role.kubernetes.io/control-plane
+              operator: Exists
+              effect: NoSchedule
+            - key: node-role.kubernetes.io/master
+              operator: Exists
+              effect: NoSchedule
+          resources:
+            requests:
+              cpu: "200m"
+              memory: "256Mi"
+            limits:
+              cpu: "1"
+              memory: "512Mi"
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: falco
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true