chore: update desc in falco.yaml

incertum · incertum · commit b2ece6ae7ba4 · 2024-08-26T16:56:12.000Z
Signed-off-by: Melissa Kilby &lt;melissa.kilby.oss@gmail.com&gt;
diff --git a/falco.yaml b/falco.yaml
@@ -1209,18 +1209,19 @@ falco_libs:
 # [Incubating] `container_engines`
 #
 # This option allows you to explicitly enable or disable API lookups against container 
-# runtime sockets for each supported container runtime, tracked internally as `container_engines`. 
-# Access to these sockets enables Falco to provide container and Kubernetes fields, which 
-# are crucial for identifying workload owners in modern containerized environments. 
+# runtime sockets for each supported container runtime. 
+# Access to these sockets enables Falco to retrieve container and Kubernetes fields, 
+# helping identify workload owners in modern containerized environments. 
 # Refer to the fields docs:
 # 
 # - [Kubernetes fields](https://falco.org/docs/reference/rules/supported-fields/#field-class-k8s)
 # - [Container fields](https://falco.org/docs/reference/rules/supported-fields/#container)
 # 
-# Additionally, Falco uses container events as a data source for alerting.
+# Additionally, Falco can use container events as a data source for alerting (evt.type = container).
 # 
-# For most container engines, you can enable or disable them, and Falco will search the 
-# default container runtime socket paths, such as `/var/run/docker.sock` for Docker. 
+# For most container engines, you can solely enable or disable them, and Falco will search the 
+# default (hard-coded) container runtime socket paths, such as `/var/run/docker.sock` for Docker.
+#
 # However, for Kubernetes settings, you can customize the CRI socket paths:
 # 
 # - `container_engines.cri.sockets`: Pass a list of container runtime sockets.

Original file line number	Diff line number	Diff line change
`@@ -1209,18 +1209,19 @@ falco_libs:`
`1209`	`1209`	# [Incubating] `container_engines`
`1210`	`1210`	`#`
`1211`	`1211`	`# This option allows you to explicitly enable or disable API lookups against container`
`1212`		-# runtime sockets for each supported container runtime, tracked internally as `container_engines`.
`1213`		`-# Access to these sockets enables Falco to provide container and Kubernetes fields, which`
`1214`		`-# are crucial for identifying workload owners in modern containerized environments.`
	`1212`	`+# runtime sockets for each supported container runtime.`
	`1213`	`+# Access to these sockets enables Falco to retrieve container and Kubernetes fields,`
	`1214`	`+# helping identify workload owners in modern containerized environments.`
`1215`	`1215`	`# Refer to the fields docs:`
`1216`	`1216`	`#`
`1217`	`1217`	`# - [Kubernetes fields](https://falco.org/docs/reference/rules/supported-fields/#field-class-k8s)`
`1218`	`1218`	`# - [Container fields](https://falco.org/docs/reference/rules/supported-fields/#container)`
`1219`	`1219`	`#`
`1220`		`-# Additionally, Falco uses container events as a data source for alerting.`
	`1220`	`+# Additionally, Falco can use container events as a data source for alerting (evt.type = container).`
`1221`	`1221`	`#`
`1222`		`-# For most container engines, you can enable or disable them, and Falco will search the`
`1223`		-# default container runtime socket paths, such as `/var/run/docker.sock` for Docker.
	`1222`	`+# For most container engines, you can solely enable or disable them, and Falco will search the`
	`1223`	+# default (hard-coded) container runtime socket paths, such as `/var/run/docker.sock` for Docker.
	`1224`	`+#`
`1224`	`1225`	`# However, for Kubernetes settings, you can customize the CRI socket paths:`
`1225`	`1226`	`#`
`1226`	`1227`	# - `container_engines.cri.sockets`: Pass a list of container runtime sockets.