Check CNCF Green Reviews Cluster and Setup Requirements for Falco

[incertum]

See https://github.com/falcosecurity/cncf-green-review-testing?tab=readme-ov-file#summary-cncf-green-reviews-cluster-requirements

Knode	Falco Driver	Namespace	Node Selector
knode A	modern-ebpf	falco	cncf-project: "falco"
			cncf-project-sub: "falco-driver-modern-ebpf"
knode B	ebpf	falco	cncf-project: "falco"
			cncf-project-sub: "falco-driver-ebpf"
knode C	kmod	falco	cncf-project: "falco"
			cncf-project-sub: "falco-driver-kmod"

Knode	Kernel Version Requirement	Additional Requirements	BPF Stats Enabled
knode A	>= 5.8	eBPF supported	1
knode B	>= 4.14	eBPF supported, kernel headers installed	1
knode C	>= 2.6.32	DKMS package and kernel headers installed	N/A

Notes:

• The Falco Deployment enables kernel.bpf_stats_enabled by default.
• For both ebpf and kmod, additional host mounts are required, such as /usr/src/kernels/ and /lib/modules. Please refer to the respective daemonset configuration for more details.
• We anticipate containerd to be the container runtime socket located at /run/k3s/containerd/containerd.sock.

Clarify each item with the CNCF Green Reviews Working Group, especially the nodeSelector.

CC @nikimanoledaki

[poiana]

There is not a label identifying the kind of this issue.
Please specify it either using /kind <group> or manually from the side menu.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rossf7]

@incertum Thanks for writing this up and I agree this is where we need to align.

For both bpf and kmod, additional host mounts are required, such as /usr/src/kernels/ and /lib/modules. Please refer to the respective daemonset configuration for more details.

k3s comes with a local-path-provisioner that supports hostPath. So you should be able to add these mounts. If that doesn't work we can investigate alternatives.

We anticipate containerd to be the container runtime socket located at /run/containerd/containerd.sock.

Yes, the knodes will all have containerd (default for k3s)

cncf-project: "falco"
cncf-project-sub: "falco-driver-modern-ebpf"

I like the project label and the sub label adds flexibility. We might need more labels later but this is a great starting point IMO.

For the kernel version requirements Equinix Metal has a pretty wide selection of supported OSes

We're using ubuntu 22.04 but we can easily specify an alternative OS in the tofu automation. Does that provide you enough control for the kernel version?

 k get no wg-green-reviews-worker-a-fhnpf -o wide
NAME                              STATUS   ROLES    AGE   VERSION   INTERNAL-IP    EXTERNAL-IP     OS-IMAGE             KERNEL-VERSION      CONTAINER-RUNTIME
wg-green-reviews-worker-a-fhnpf   Ready    <none>   79d   v1.28.2   10.78.49.131   147.28.134.57   Ubuntu 22.04.3 LTS   5.15.0-84-generic   containerd://1.6.24

Lastly I have a concern on how much Equinix resources we will need. Can we start with knode A with modern-bpf while we develop the pipeline?

We can then add more knodes but I think we should consider provisioning knodes on demand for the duration of the test. So we consume less resources and the approach is more scalable as we onboard more projects.

@nikimanoledaki @AntonioDiTuri Please also chime in with your thoughts on this.

[incertum]

Can we start with knode A with modern-bpf while we develop the pipeline?

We would love this approach, also easier for us.

[By the way I forgot to add "Kernel headers installed" as requirement for the other drivers. We will update our docs shortly. And I noticed still some minor naming hiccups it should now be consistently modern-ebpf, my bad]

ubuntu 22.04

Perfect works for us!

Yes, the knodes will all have containerd (default for k3s)

@rossf7 mind double-checking the exact path of the socket? Would appreciate it a lot, is it (1) /run/containerd/containerd.sock or (2) /run/k3s/containerd/containerd.sock? Thanks in advance!

I like the project label and the sub label adds flexibility. We might need more labels later but this is a great starting point IMO.

Great, yes I think we can very easily change or add new labels!

[rossf7]

@incertum That's great, thank you.

The socket path is /run/k3s/containerd/containerd.sock

[incertum]

Thanks! I'll update the docs once we tag the next release containers and state /run/k3s/containerd/containerd.sock instead.

[nikimanoledaki]

What is left for this issue? :)

[incertum]

Now that I have access to the falco pods, plz allow me to check a few things.

In addition, do we want to mark this as complete and open a new issue once we tackle the other 2 drivers Falco has? Ok for us.

[incertum]

Had a chance to inspect a few things, LGTM. We can refer to this issue in the future when we test the remaining 2 drivers.