update(falco): mount proc filesystem for plugins

The following PR in the libs falcosecurity/libs#1969
introduces a new platform for plugins that requires access to the
proc filesystem.

Signed-off-by: Aldo Lacuku <[email protected]>

Author: alacuku

charts/falco/CHANGELOG.md

@@ -12,6 +12,11 @@ numbering uses [semantic versioning](http://semver.org).
 * cleanup(falco): remove deprecated falco configuration
   This commit removes the "output" config key that has
   been deprecated in falco.
+* update(falco): mount proc filesystem for plugins
+  The following PR in libs https://github.com/falcosecurity/libs/pull/1969
+  introduces a new platform for plugins that requires access to the
+  proc filesystem.
+
 
 ## v4.8.3
 

charts/falco/README.md

@@ -759,7 +759,6 @@ The following table lists the main configurable parameters of the falco chart v4
 | metrics.service.ports.metrics.protocol | string | `"TCP"` | protocol specifies the network protocol that the Service should use for the associated port. |
 | metrics.service.ports.metrics.targetPort | int | `8765` | targetPort is the port on which the Pod is listening. |
 | metrics.service.type | string | `"ClusterIP"` | type denotes the service type. Setting it to "ClusterIP" we ensure that are accessible from within the cluster. |
-| mounts.enforceProcMount | bool | `false` | By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins). |
 | mounts.volumeMounts | list | `[]` | A list of volumes you want to add to the Falco pods. |
 | mounts.volumes | list | `[]` | A list of volumes you want to add to the Falco pods. |
 | nameOverride | string | `""` | Put here the new name if you want to override the release name used for Falco components. |

charts/falco/templates/pod-template.tpl

@@ -135,10 +135,8 @@ spec:
       {{- end }}
         - mountPath: /root/.falco
           name: root-falco-fs
-        {{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }}
         - mountPath: /host/proc
           name: proc-fs
-        {{- end }}
         {{- if and .Values.driver.enabled (not .Values.driver.loader.enabled) }}
           readOnly: true
         - mountPath: /host/boot
@@ -289,11 +287,9 @@ spec:
     {{- end }}
     {{- end }}
     {{- end }}
-    {{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }}
     - name: proc-fs
       hostPath:
         path: /proc
-    {{- end }}
     {{- if eq .Values.driver.kind "gvisor" }}
     - name: runsc-path
       hostPath:

charts/falco/values.yaml

@@ -267,8 +267,6 @@ mounts:
   volumes: []
   # -- A list of volumes you want to add to the Falco pods.
   volumeMounts: []
-  # -- By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins).
-  enforceProcMount: false
 
 # Driver settings (scenario requirement)
 driver: