falco-daemonset-configmap.yml

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: falco-daemonset
  namespace: security-system
  labels:
    app: falco
    role: security
spec:
  template:
    metadata:
      labels:
        app: falco-daemonset
        role: security
    spec:
      serviceAccount: falco-account
      containers:
        - name: filebeat
          image: docker.elastic.co/beats/filebeat:7.2.0
          args: ["/usr/share/filebeat/filebeat", "-e", "-c", "/etc/falcobeat/falcobeat.yml"]
          securityContext:
            runAsUser: 0
          volumeMounts:
            - mountPath: /etc/falcobeat
              name: falcobeat-config
            - mountPath: /var/lib/docker/containers
              name: varlibdockercontainers
              readOnly: true
            - mountPath: /var/log
              name: varlog
              readOnly: true
        - name: falco
          image: falcosecurity/falco:latest
          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
          securityContext:
            privileged: true
          volumeMounts:
            - mountPath: /host/var/run/docker.sock
              name: docker-socket
            - mountPath: /host/run/containerd/containerd.sock
              name: containerd-socket
            - mountPath: /host/dev
              name: dev-fs
            - mountPath: /host/proc
              name: proc-fs
              readOnly: true
            - mountPath: /host/boot
              name: boot-fs
              readOnly: true
            - mountPath: /host/lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /host/usr
              name: usr-fs
              readOnly: true
            - mountPath: /host/etc/
              name: etc-fs
              readOnly: true
            - mountPath: /etc/falco
              name: falco-config
            - mountPath: /etc/falcobeat
              name: falcobeat-config
      volumes:
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
        - name: containerd-socket
          hostPath:
            path: /run/containerd/containerd.sock
        - name: dev-fs
          hostPath:
            path: /dev
        - name: proc-fs
          hostPath:
            path: /proc
        - name: boot-fs
          hostPath:
            path: /boot
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: usr-fs
          hostPath:
            path: /usr
        - name: etc-fs
          hostPath:
            path: /etc
        - name: falco-config
          configMap:
            name: falco-config
        - name: falcobeat-config
          configMap:
            name: falcobeat-config
        - name: varlibdockercontainers
          hostPath:
            path: /var/lib/docker/containers
        - name: varlog
          hostPath:
            path: /var/log