falco: Falco crashing on Kubernetes with connection timeout

What happened:

Falco crashing. ~Once every 15mins.

What you expected to happen:

Falco should not crash; it should handle and prevent connection timeouts gracefully.

How to reproduce it (as minimally and precisely as possible):

helm install --name falco -f deployment/falco_config.yaml stable/falco
cat deployment/falco_config.yaml
ebpf:
  enabled: true
resources:
  requests:
    cpu: 50m
    memory: 128Mi
  limits:
    memory: 600Mi
image:
  tag: dev
falco:
  jsonOutput: true
fakeEventGenerator:
  enabled: false
customRules:
  rules-fluentd.yaml: |-
    - rule: Clear Log Activities
      append: true
      condition: and not k8s.ns.name=kube-system

Environment:

  • Falco version (use falco --version):
  • System info <!-- Falco has a built-in support command you can use “falco --support | jq .system_info” -->
  • Cloud provider or hardware configuration: Google (GKE)
  • OS (e.g: cat /etc/os-release): COS (build 11647.121.0)
  • Install tools (e.g. in kubernetes, rpm, deb, from source): Kubernetes 1.13.5-gke.10
  • Node type: g1-small

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 15 (11 by maintainers)

Most upvoted comments

I can’t use 0.15.3 on COS because it doesn’t contain the fix for https://github.com/falcosecurity/falco/issues/425#issuecomment-497986111

Dev apparently fixes the issue.

Output:

Mon Jul 1 09:35:58 2019: Runtime error: Socket handler (k8s_daemonset_handler_event) an error occurred while connecting to https://10.104.0.1: Connection timed out. Exiting.

@hus787 I think @fntlnz was referring to the output provided by falco --support | jq .system_info and falco --version in first instance 😃