A simple daemon for connecting Falco to your ecossytem. It takes a Falco's events and
forward them to different outputs in a fan-out way.
It works as a single endpoint for as many as you want Falco instances :
Falcosidekick manages a large variety of outputs with different purposes.
- Datadog
- Influxdb
- StatsD (for monitoring of
falcosidekick) - DogStatsD (for monitoring of
falcosidekick) - Prometheus (for both events and monitoring of
falcosidekick) - Wavefront
- Spyderbat
- TimescaleDB
- Dynatrace
- Elasticsearch
- Loki
- AWS CloudWatchLogs
- Grafana (annotations)
- Syslog
- Zincsearch
- OpenObserve
- NATS
- STAN (NATS Streaming)
- AWS SQS
- AWS SNS
- AWS Kinesis
- GCP PubSub
- Apache Kafka
- Kafka Rest Proxy
- RabbitMQ
- Azure Event Hubs
- Yandex Data Streams
- MQTT
- Gotify
- SMTP
Prior to install the chart, add the falcosecurity charts repository:
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo updateTo install the chart with the release name falcosidekick run:
helm install falcosidekick falcosecurity/falcosidekick --set webui.enabled=trueFalco, Falcosidekick and Falcosidekick-ui can be installed together in one command. All values to configure Falcosidekick will have to be
prefixed with falcosidekick..
helm install falco falcosecurity/falco --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=trueAfter a few seconds, Falcosidekick should be running.
Tip: List all releases using
helm list, a release is a name used to track a specific deployment
The minimum Kubernetes version required is 1.17.x
To uninstall the falcosidekick deployment:
helm uninstall falcosidekickThe command removes all the Kubernetes components associated with the chart and deletes the release.
The following table lists the main configurable parameters of the Falcosidekick chart and their default values. See values.yaml for full list.
| Key | Type | Default | Description |
|---|---|---|---|
| affinity | object | {} |
Affinity for the Sidekick pods |
| config.alertmanager.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.alertmanager.customseveritymap | string | "" |
comma separated list of tuple composed of a ':' separated Falco priority and Alertmanager severity that is used to override the severity label associated to the priority level of falco event. Example: debug:value_1,critical:value2. Default mapping: emergency:critical,alert:critical,critical:critical,error:warning,warning:warning,notice:information,informational:information,debug:information. |
| config.alertmanager.dropeventdefaultpriority | string | "critical" |
default priority of dropped events, values are emergency |
| config.alertmanager.dropeventthresholds | string | "10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning" |
comma separated list of priority re-evaluation thresholds of dropped events composed of a ':' separated integer threshold and string priority. Example: 10000:critical, 100:warning, 1:informational |
| config.alertmanager.endpoint | string | "/api/v1/alerts" |
alertmanager endpoint on which falcosidekick posts alerts, choice is: "/api/v1/alerts" or "/api/v2/alerts" , default is "/api/v1/alerts" |
| config.alertmanager.expireafter | string | "" |
if set to a non-zero value, alert expires after that time in seconds (default: 0) |
| config.alertmanager.extraannotations | string | "" |
comma separated list of annotations composed of a ':' separated name and value that is added to the Alerts. Example: my_annotation_1:my_value_1, my_annotation_1:my_value_2 |
| config.alertmanager.extralabels | string | "" |
comma separated list of labels composed of a ':' separated name and value that is added to the Alerts. Example: my_label_1:my_value_1, my_label_1:my_value_2 |
| config.alertmanager.hostport | string | "" |
AlertManager http://host:port, if not empty, AlertManager is enabled |
| config.alertmanager.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.alertmanager.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.aws.accesskeyid | string | "" |
AWS Access Key Id (optionnal if you use EC2 Instance Profile) |
| config.aws.checkidentity | bool | true |
check the identity credentials, set to false for locale developments |
| config.aws.cloudwatchlogs.loggroup | string | "" |
AWS CloudWatch Logs Group name, if not empty, CloudWatch Logs output is enabled |
| config.aws.cloudwatchlogs.logstream | string | "" |
AWS CloudWatch Logs Stream name, if empty, Falcosidekick will try to create a log stream |
| config.aws.cloudwatchlogs.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.aws.externalid | string | "" |
External id for the role to assume (optional if you use EC2 Instance Profile) |
| config.aws.kinesis.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.aws.kinesis.streamname | string | "" |
AWS Kinesis Stream Name, if not empty, Kinesis output is enabled |
| config.aws.lambda.functionname | string | "" |
AWS Lambda Function Name, if not empty, AWS Lambda output is enabled |
| config.aws.lambda.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.aws.region | string | "" |
AWS Region (optionnal if you use EC2 Instance Profile) |
| config.aws.rolearn | string | "" |
AWS IAM role ARN for falcosidekick service account to associate with (optionnal if you use EC2 Instance Profile) |
| config.aws.s3.bucket | string | "" |
AWS S3, bucket name |
| config.aws.s3.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.aws.s3.prefix | string | "" |
AWS S3, name of prefix, keys will have format: s3:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json |
| config.aws.secretaccesskey | string | "" |
AWS Secret Access Key (optionnal if you use EC2 Instance Profile) |
| config.aws.securitylake.accountid | string | "" |
Account ID |
| config.aws.securitylake.batchsize | int | 1000 |
Max number of events by parquet file |
| config.aws.securitylake.bucket | string | "" |
Bucket for AWS SecurityLake data, if not empty, AWS SecurityLake output is enabled |
| config.aws.securitylake.interval | int | 5 |
Time in minutes between two puts to S3 (must be between 5 and 60min) |
| config.aws.securitylake.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.aws.securitylake.prefix | string | "" |
Prefix for keys |
| config.aws.securitylake.region | string | "" |
Bucket Region |
| config.aws.sns.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.aws.sns.rawjson | bool | false |
Send RawJSON from falco or parse it to AWS SNS |
| config.aws.sns.topicarn | string | "" |
AWS SNS TopicARN, if not empty, AWS SNS output is enabled |
| config.aws.sqs.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.aws.sqs.url | string | "" |
AWS SQS Queue URL, if not empty, AWS SQS output is enabled |
| config.azure.eventHub.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.azure.eventHub.name | string | "" |
Name of the Hub, if not empty, EventHub is enabled |
| config.azure.eventHub.namespace | string | "" |
Name of the space the Hub is in |
| config.azure.podIdentityClientID | string | "" |
Azure Identity Client ID |
| config.azure.podIdentityName | string | "" |
Azure Identity name |
| config.azure.resourceGroupName | string | "" |
Azure Resource Group name |
| config.azure.subscriptionID | string | "" |
Azure Subscription ID |
| config.bracketreplacer | string | "" |
if not empty, the brackets in keys of Output Fields are replaced |
| config.cliq.icon | string | "" |
Cliq icon (avatar) |
| config.cliq.messageformat | string | "" |
a Go template to format Google Chat Text above Attachment, displayed in addition to the output from cliq.outputformat. If empty, no Text is displayed before sections. |
| config.cliq.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.cliq.outputformat | string | "all" |
all (default), text (only text is displayed in Cliq), fields (only fields are displayed in Cliq) |
| config.cliq.useemoji | bool | true |
Prefix message text with an emoji |
| config.cliq.webhookurl | string | "" |
Zoho Cliq Channel URL (ex: https://cliq.zoho.eu/api/v2/channelsbyname/XXXX/message?zapikey=YYYY), if not empty, Cliq Chat output is enabled |
| config.cloudevents.address | string | "" |
CloudEvents consumer http address, if not empty, CloudEvents output is enabled |
| config.cloudevents.extension | string | "" |
Extensions to add in the outbound Event, useful for routing |
| config.cloudevents.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.customfields | string | "" |
a list of escaped comma separated custom fields to add to falco events, syntax is "key:value,key:value" |
| config.datadog.apikey | string | "" |
Datadog API Key, if not empty, Datadog output is enabled |
| config.datadog.host | string | "" |
Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://api.datadoghq.com" |
| config.datadog.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.debug | bool | false |
DEBUG environment variable |
| config.discord.icon | string | "" |
Discord icon (avatar) |
| config.discord.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.discord.webhookurl | string | "" |
Discord WebhookURL (ex: https://discord.com/api/webhooks/xxxxxxxxxx...), if not empty, Discord output is enabled |
| config.dogstatsd.forwarder | string | "" |
The address for the DogStatsD forwarder, in the form http://host:port, if not empty DogStatsD is enabled |
| config.dogstatsd.namespace | string | "falcosidekick." |
A prefix for all metrics |
| config.dogstatsd.tags | string | "" |
A comma-separated list of tags to add to all metrics |
| config.elasticsearch.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.elasticsearch.customheaders | string | "" |
a list of comma separated custom headers to add, syntax is "key:value,key:value" |
| config.elasticsearch.hostport | string | "" |
Elasticsearch http://host:port, if not empty, Elasticsearch is enabled |
| config.elasticsearch.index | string | "falco" |
Elasticsearch index |
| config.elasticsearch.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.elasticsearch.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.elasticsearch.password | string | "" |
use this password to authenticate to Elasticsearch if the password is not empty |
| config.elasticsearch.suffix | string | "daily" |
|
| config.elasticsearch.type | string | "_doc" |
Elasticsearch document type |
| config.elasticsearch.username | string | "" |
use this username to authenticate to Elasticsearch if the username is not empty |
| config.existingSecret | string | "" |
Existing secret with configuration |
| config.extraEnv | list | [] |
Extra environment variables |
| config.fission.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.fission.function | string | "" |
Name of Fission function, if not empty, Fission is enabled |
| config.fission.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.fission.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.fission.routernamespace | string | "fission" |
Namespace of Fission Router, "fission" (default) |
| config.fission.routerport | int | 80 |
Port of service of Fission Router |
| config.fission.routerservice | string | "router" |
Service of Fission Router, "router" (default) |
| config.gcp.cloudfunctions.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.gcp.cloudfunctions.name | string | "" |
The name of the Cloud Function which is in form projects/<project_id>/locations/<region>/functions/<function_name> |
| config.gcp.cloudrun.endpoint | string | "" |
the URL of the Cloud Run function |
| config.gcp.cloudrun.jwt | string | "" |
JWT for the private access to Cloud Run function |
| config.gcp.cloudrun.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.gcp.credentials | string | "" |
Base64 encoded JSON key file for the GCP service account |
| config.gcp.pubsub.customattributes | string | "" |
a list of comma separated custom headers to add, syntax is "key:value,key:value" |
| config.gcp.pubsub.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.gcp.pubsub.projectid | string | "" |
The GCP Project ID containing the Pub/Sub Topic |
| config.gcp.pubsub.topic | string | "" |
Name of the Pub/Sub topic |
| config.gcp.storage.bucket | string | "" |
The name of the bucket |
| config.gcp.storage.minimumpriority | string | "debug" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.gcp.storage.prefix | string | "" |
Name of prefix, keys will have format: gs:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json |
| config.googlechat.messageformat | string | "" |
a Go template to format Google Chat Text above Attachment, displayed in addition to the output from config.googlechat.outputformat. If empty, no Text is displayed before Attachment |
| config.googlechat.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.googlechat.outputformat | string | "all" |
all (default), text (only text is displayed in Google chat) |
| config.googlechat.webhookurl | string | "" |
Google Chat Webhook URL (ex: https://chat.googleapis.com/v1/spaces/XXXXXX/YYYYYY), if not empty, Google Chat output is enabled |
| config.gotify.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.gotify.format | string | "markdown" |
Format of the messages (plaintext, markdown, json) |
| config.gotify.hostport | string | "" |
http://{domain or ip}:{port}, if not empty, Gotify output is enabled |
| config.gotify.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.gotify.token | string | "" |
API Token |
| config.grafana.allfieldsastags | bool | false |
if true, all custom fields are added as tags (default: false) |
| config.grafana.apikey | string | "" |
API Key to authenticate to Grafana, if not empty, Grafana output is enabled |
| config.grafana.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.grafana.customheaders | string | "" |
a list of comma separated custom headers to add, syntax is "key:value,key:value" |
| config.grafana.dashboardid | string | "" |
annotations are scoped to a specific dashboard. Optionnal. |
| config.grafana.hostport | string | "" |
http://{domain or ip}:{port}, if not empty, Grafana output is enabled |
| config.grafana.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.grafana.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.grafana.panelid | string | "" |
annotations are scoped to a specific panel. Optionnal. |
| config.grafanaoncall.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.grafanaoncall.customheaders | string | "" |
a list of comma separated custom headers to add, syntax is "key:value,key:value" |
| config.grafanaoncall.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.grafanaoncall.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.grafanaoncall.webhookurl | string | "" |
if not empty, Grafana OnCall output is enabled |
| config.influxdb.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.influxdb.database | string | "falco" |
Influxdb database |
| config.influxdb.hostport | string | "" |
Influxdb http://host:port, if not empty, Influxdb is enabled |
| config.influxdb.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.influxdb.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.influxdb.organization | string | "" |
Influxdb organization |
| config.influxdb.password | string | "" |
Password to use if auth is enabled in Influxdb |
| config.influxdb.precision | string | "ns" |
write precision |
| config.influxdb.token | string | "" |
API token to use if auth in enabled in Influxdb (disables user and password) |
| config.influxdb.user | string | "" |
User to use if auth is enabled in Influxdb |
| config.kafka.async | bool | false |
produce messages without blocking |
| config.kafka.balancer | string | "round_robin" |
partition balancing strategy when producing |
| config.kafka.clientid | string | "" |
specify a client.id when communicating with the broker for tracing |
| config.kafka.compression | string | "NONE" |
enable message compression using this algorithm, no compression (GZIP |
| config.kafka.hostport | string | "" |
comma separated list of Apache Kafka bootstrap nodes for establishing the initial connection to the cluster (ex: localhost:9092,localhost:9093). Defaults to port 9092 if no port is specified after the domain, if not empty, Kafka output is enabled |
| config.kafka.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.kafka.password | string | "" |
use this password to authenticate to Kafka via SASL |
| config.kafka.requiredacks | string | "NONE" |
number of acknowledges from partition replicas required before receiving |
| config.kafka.sasl | string | "" |
SASL authentication mechanism, if empty, no authentication (PLAIN |
| config.kafka.tls | bool | false |
Use TLS for the connections |
| config.kafka.topic | string | "" |
Name of the topic, if not empty, Kafka output is enabled |
| config.kafka.topiccreation | bool | false |
auto create the topic if it doesn't exist |
| config.kafka.username | string | "" |
use this username to authenticate to Kafka via SASL |
| config.kafkarest.address | string | "" |
The full URL to the topic (example "http://kafkarest:8082/topics/test") |
| config.kafkarest.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.kafkarest.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.kafkarest.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.kafkarest.version | int | 2 |
Kafka Rest Proxy API version 2 |
| config.kubeless.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.kubeless.function | string | "" |
Name of Kubeless function, if not empty, EventHub is enabled |
| config.kubeless.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.kubeless.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.kubeless.namespace | string | "" |
Namespace of Kubeless function (mandatory) |
| config.kubeless.port | int | 8080 |
Port of service of Kubeless function. Default is 8080 |
| config.loki.apikey | string | "" |
API Key for Grafana Logs |
| config.loki.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.loki.customheaders | string | "" |
a list of comma separated custom headers to add, syntax is "key:value,key:value" |
| config.loki.endpoint | string | "/loki/api/v1/push" |
Loki endpoint URL path, more info: https://grafana.com/docs/loki/latest/api/#post-apiprompush |
| config.loki.extralabels | string | "" |
comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields |
| config.loki.hostport | string | "" |
Loki http://host:port, if not empty, Loki is enabled |
| config.loki.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.loki.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.loki.tenant | string | "" |
Loki tenant, if not empty, Loki tenant is enabled |
| config.loki.user | string | "" |
user for Grafana Logs |
| config.mattermost.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.mattermost.footer | string | "" |
Mattermost Footer |
| config.mattermost.icon | string | "" |
Mattermost icon (avatar) |
| config.mattermost.messageformat | string | "" |
a Go template to format Mattermost Text above Attachment, displayed in addition to the output from slack.outputformat. If empty, no Text is displayed before Attachment |
| config.mattermost.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.mattermost.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.mattermost.outputformat | string | "all" |
all (default), text (only text is displayed in Slack), fields (only fields are displayed in Mattermost) |
| config.mattermost.username | string | "" |
Mattermost username |
| config.mattermost.webhookurl | string | "" |
Mattermost Webhook URL (ex: https://XXXX/hooks/YYYY), if not empty, Mattermost output is enabled |
| config.mqtt.broker | string | "" |
Broker address, can start with tcp:// or ssl://, if not empty, MQTT output is enabled |
| config.mqtt.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.mqtt.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.mqtt.password | string | "" |
Password if the authentication is enabled in the broker |
| config.mqtt.qos | int | 0 |
QOS for messages |
| config.mqtt.retained | bool | false |
If true, messages are retained |
| config.mqtt.topic | string | "falco/events" |
Topic for messages |
| config.mqtt.user | string | "" |
User if the authentication is enabled in the broker |
| config.mutualtlsclient.cacertfile | string | "" |
CA certification file for server certification for mutual TLS authentication, takes priority over mutualtlsfilespath if not empty |
| config.mutualtlsclient.certfile | string | "" |
client certification file for mutual TLS client certification, takes priority over mutualtlsfilespath if not empty |
| config.mutualtlsclient.keyfile | string | "" |
client key file for mutual TLS client certification, takes priority over mutualtlsfilespath if not empty |
| config.mutualtlsfilespath | string | "/etc/certs" |
folder which will used to store client.crt, client.key and ca.crt files for mutual tls for outputs, will be deprecated in the future (default: "/etc/certs") |
| config.n8n.address | string | "" |
N8N address, if not empty, N8N output is enabled |
| config.n8n.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.n8n.headerauthname | string | "" |
Header Auth Key to authenticate with N8N |
| config.n8n.headerauthvalue | string | "" |
Header Auth Value to authenticate with N8N |
| config.n8n.minimumpriority | string | "" |
minimum priority of event for using this output, order is emergency |
| config.n8n.password | string | "" |
Password to authenticate with N8N in basic auth |
| config.n8n.user | string | "" |
Username to authenticate with N8N in basic auth |
| config.nats.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.nats.hostport | string | "" |
NATS "nats://host:port", if not empty, NATS is enabled |
| config.nats.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.nats.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.nodered.address | string | "" |
Node-RED address, if not empty, Node-RED output is enabled |
| config.nodered.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.nodered.customheaders | string | "" |
Custom headers to add in POST, useful for Authentication, syntax is "key:value,key:value" |
| config.nodered.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.nodered.password | string | "" |
Password if Basic Auth is enabled for 'http in' node in Node-RED |
| config.nodered.user | string | "" |
User if Basic Auth is enabled for 'http in' node in Node-RED |
| config.openfaas.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.openfaas.functionname | string | "" |
Name of OpenFaaS function, if not empty, OpenFaaS is enabled |
| config.openfaas.functionnamespace | string | "openfaas-fn" |
Namespace of OpenFaaS function, "openfaas-fn" (default) |
| config.openfaas.gatewaynamespace | string | "openfaas" |
Namespace of OpenFaaS Gateway, "openfaas" (default) |
| config.openfaas.gatewayport | int | 8080 |
Port of service of OpenFaaS Gateway Default is 8080 |
| config.openfaas.gatewayservice | string | "gateway" |
Service of OpenFaaS Gateway, "gateway" (default) |
| config.openfaas.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.openfaas.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.openobserve.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.openobserve.customheaders | string | "" |
a list of comma separated custom headers to add, syntax is "key:value,key:value" |
| config.openobserve.hostport | string | "" |
http://{domain or ip}:{port}, if not empty, OpenObserve output is enabled |
| config.openobserve.minimumpriority | string | "" |
minimum priority of event for using this output, order is emergency |
| config.openobserve.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.openobserve.organizationname | string | "default" |
Organization name |
| config.openobserve.password | string | "" |
use this password to authenticate to OpenObserve if the password is not empty |
| config.openobserve.streamname | string | "falco" |
Stream name |
| config.openobserve.username | string | "" |
use this username to authenticate to OpenObserve if the username is not empty |
| config.opsgenie.apikey | string | "" |
Opsgenie API Key, if not empty, Opsgenie output is enabled |
| config.opsgenie.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.opsgenie.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.opsgenie.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.opsgenie.region | us or eu |
"" |
region of your domain |
| config.pagerduty.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.pagerduty.region | string | "us" |
Pagerduty Region, can be 'us' or 'eu' |
| config.pagerduty.routingkey | string | "" |
Pagerduty Routing Key, if not empty, Pagerduty output is enabled |
| config.policyreport.enabled | bool | false |
if true; policyreport output is enabled |
| config.policyreport.kubeconfig | string | "~/.kube/config" |
Kubeconfig file to use (only if falcosidekick is running outside the cluster) |
| config.policyreport.maxevents | int | 1000 |
the max number of events that can be in a policyreport |
| config.policyreport.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.policyreport.prunebypriority | bool | false |
if true; the events with lowest severity are pruned first, in FIFO order |
| config.prometheus.extralabels | string | "" |
comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields |
| config.rabbitmq.minimumpriority | string | "debug" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.rabbitmq.queue | string | "" |
Rabbitmq Queue name |
| config.rabbitmq.url | string | "" |
Rabbitmq URL, if not empty, Rabbitmq output is enabled |
| config.redis.address | string | "" |
Redis address, if not empty, Redis output is enabled |
| config.redis.database | int | 0 |
Redis database number |
| config.redis.key | string | "falco" |
Redis storage key name for hashmap, list |
| config.redis.minimumpriority | string | "" |
minimum priority of event for using this output, order is emergency |
| config.redis.password | string | "" |
Password to authenticate with Redis |
| config.redis.storagetype | string | "list" |
Redis storage type: hashmap or list |
| config.rocketchat.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.rocketchat.icon | string | "" |
Rocketchat icon (avatar) |
| config.rocketchat.messageformat | string | "" |
a Go template to format Rocketchat Text above Attachment, displayed in addition to the output from slack.outputformat. If empty, no Text is displayed before Attachment |
| config.rocketchat.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.rocketchat.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.rocketchat.outputformat | string | "all" |
all (default), text (only text is displayed in Rocketcaht), fields (only fields are displayed in Rocketchat) |
| config.rocketchat.username | string | "" |
Rocketchat username |
| config.rocketchat.webhookurl | string | "" |
Rocketchat Webhook URL (ex: https://XXXX/hooks/YYYY), if not empty, Rocketchat output is enabled |
| config.slack.channel | string | "" |
Slack channel (optionnal) |
| config.slack.footer | string | "" |
Slack Footer |
| config.slack.icon | string | "" |
Slack icon (avatar) |
| config.slack.messageformat | string | "" |
a Go template to format Slack Text above Attachment, displayed in addition to the output from slack.outputformat. If empty, no Text is displayed before Attachment |
| config.slack.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.slack.outputformat | string | "all" |
all (default), text (only text is displayed in Slack), fields (only fields are displayed in Slack) |
| config.slack.username | string | "" |
Slack username |
| config.slack.webhookurl | string | "" |
Slack Webhook URL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Slack output is enabled |
| config.smtp.authmechanism | string | "plain" |
SASL Mechanisms : plain, oauthbearer, external, anonymous or "" (disable SASL) |
| config.smtp.from | string | "" |
Sender address (mandatory if SMTP output is enabled) |
| config.smtp.hostport | string | "" |
"host:port" address of SMTP server, if not empty, SMTP output is enabled |
| config.smtp.identity | string | "" |
identity string for Plain and External Mechanisms |
| config.smtp.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.smtp.outputformat | string | "html" |
html, text |
| config.smtp.password | string | "" |
password to access SMTP server |
| config.smtp.tls | bool | true |
use TLS connection (true/false) |
| config.smtp.to | string | "" |
comma-separated list of Recipident addresses, can't be empty (mandatory if SMTP output is enabled) |
| config.smtp.token | string | "" |
OAuthBearer token for OAuthBearer Mechanism |
| config.smtp.trace | string | "" |
trace string for Anonymous Mechanism |
| config.smtp.user | string | "" |
user to access SMTP server |
| config.spyderbat.apikey | string | "" |
Spyderbat API key with access to the organization |
| config.spyderbat.apiurl | string | "https://api.spyderbat.com" |
Spyderbat API url |
| config.spyderbat.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.spyderbat.orguid | string | "" |
Organization to send output to, if not empty, Spyderbat output is enabled |
| config.spyderbat.source | string | "falcosidekick" |
Spyderbat source ID, max 32 characters |
| config.spyderbat.sourcedescription | string | "" |
Spyderbat source description and display name if not empty, max 256 characters |
| config.stan.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.stan.clientid | string | "" |
Client ID, if not empty, STAN output is enabled |
| config.stan.clusterid | string | "" |
Cluster name, if not empty, STAN output is enabled |
| config.stan.hostport | string | "" |
Stan nats://{domain or ip}:{port}, if not empty, STAN output is enabled |
| config.stan.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.stan.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.statsd.forwarder | string | "" |
The address for the StatsD forwarder, in the form http://host:port, if not empty StatsD is enabled |
| config.statsd.namespace | string | "falcosidekick." |
A prefix for all metrics |
| config.syslog.format | string | "json" |
Syslog payload format. It can be either "json" or "cef" |
| config.syslog.host | string | "" |
Syslog Host, if not empty, Syslog output is enabled |
| config.syslog.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.syslog.port | string | "" |
Syslog endpoint port number |
| config.syslog.protocol | string | "tcp" |
Syslog transport protocol. It can be either "tcp" or "udp" |
| config.teams.activityimage | string | "" |
Teams section image |
| config.teams.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.teams.outputformat | string | "all" |
all (default), text (only text is displayed in Teams), facts (only facts are displayed in Teams) |
| config.teams.webhookurl | string | "" |
Teams Webhook URL (ex: https://outlook.office.com/webhook/XXXXXX/IncomingWebhook/YYYYYY"), if not empty, Teams output is enabled |
| config.tekton.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.tekton.eventlistener | string | "" |
EventListener address, if not empty, Tekton output is enabled |
| config.tekton.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.telegram.chatid | string | "" |
telegram Identifier of the shared chat |
| config.telegram.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.telegram.minimumpriority | string | "" |
minimum priority of event for using this output, order is emergency |
| config.telegram.token | string | "" |
telegram bot authentication token |
| config.templatedfields | string | "" |
a list of escaped comma separated Go templated fields to add to falco events, syntax is "key:template,key:template" |
| config.timescaledb.database | string | "" |
TimescaleDB database used |
| config.timescaledb.host | string | "" |
TimescaleDB host, if not empty, TImescaleDB output is enabled |
| config.timescaledb.hypertablename | string | "falco_events" |
Hypertable to store data events (default: falco_events) See TimescaleDB setup for more info |
| config.timescaledb.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.timescaledb.password | string | "postgres" |
Password to authenticate with TimescaleDB |
| config.timescaledb.port | int | 5432 |
TimescaleDB port (default: 5432) |
| config.timescaledb.user | string | "postgres" |
Username to authenticate with TimescaleDB |
| config.tlsserver.cacertfile | string | "/etc/certs/server/ca.crt" |
CA certification file for client certification if mutualtls is true |
| config.tlsserver.certfile | string | "/etc/certs/server/server.crt" |
server certification file for TLS Server |
| config.tlsserver.deploy | bool | false |
if true TLS server will be deployed instead of HTTP |
| config.tlsserver.keyfile | string | "/etc/certs/server/server.key" |
server key file for TLS Server |
| config.tlsserver.mutualtls | bool | false |
if true mutual TLS server will be deployed instead of TLS, deploy also has to be true |
| config.tlsserver.notlspaths | string | "" |
a comma separated list of endpoints, if not empty, a separate http server will be deployed for the specified endpoints |
| config.tlsserver.notlsport | int | 2810 |
port to serve http server serving selected endpoints |
| config.wavefront.batchsize | int | 10000 |
Wavefront batch size. If empty uses the default 10000. Only used when endpointtype is 'direct' |
| config.wavefront.endpointhost | string | "" |
Wavefront endpoint address (only the host). If not empty, with endpointhost, Wavefront output is enabled |
| config.wavefront.endpointmetricport | int | 2878 |
Port to send metrics. Only used when endpointtype is 'proxy' |
| config.wavefront.endpointtoken | string | "" |
Wavefront token. Must be used only when endpointtype is 'direct' |
| config.wavefront.endpointtype | string | "" |
Wavefront endpoint type, must be 'direct' or 'proxy'. If not empty, with endpointhost, Wavefront output is enabled |
| config.wavefront.flushintervalseconds | int | 1 |
Wavefront flush interval in seconds. Defaults to 1 |
| config.wavefront.metricname | string | "falco.alert" |
Metric to be created in Wavefront. Defaults to falco.alert |
| config.wavefront.minimumpriority | string | "debug" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.webhook.address | string | "" |
Webhook address, if not empty, Webhook output is enabled |
| config.webhook.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.webhook.customHeaders | string | "" |
a list of comma separated custom headers to add, syntax is "key:value,key:value" |
| config.webhook.method | string | "POST" |
HTTP method: POST or PUT |
| config.webhook.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.webhook.mutualtls | bool | false |
if true, checkcert flag will be ignored (server cert will always be checked) |
| config.yandex.accesskeyid | string | "" |
yandex access key |
| config.yandex.datastreams.endpoint | string | "" |
yandex data streams endpoint (default: https://yds.serverless.yandexcloud.net) |
| config.yandex.datastreams.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.yandex.datastreams.streamname | string | "" |
stream name in format /${region}/${folder_id}/${ydb_id}/${stream_name} |
| config.yandex.region | string | "" |
yandex storage region (default: ru-central-1) |
| config.yandex.s3.bucket | string | "" |
Yandex storage, bucket name |
| config.yandex.s3.endpoint | string | "" |
yandex storage endpoint (default: https://storage.yandexcloud.net) |
| config.yandex.s3.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.yandex.s3.prefix | string | "" |
name of prefix, keys will have format: s3:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json |
| config.yandex.secretaccesskey | string | "" |
yandex secret access key |
| config.zincsearch.checkcert | bool | true |
check if ssl certificate of the output is valid |
| config.zincsearch.hostport | string | "" |
http://{domain or ip}:{port}, if not empty, ZincSearch output is enabled |
| config.zincsearch.index | string | "falco" |
index |
| config.zincsearch.minimumpriority | string | "" |
minimum priority of event to use this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
| config.zincsearch.password | string | "" |
use this password to authenticate to ZincSearch |
| config.zincsearch.username | string | "" |
use this username to authenticate to ZincSearch |
| extraVolumeMounts | list | [] |
Extra volume mounts for sidekick deployment |
| extraVolumes | list | [] |
Extra volumes for sidekick deployment |
| fullnameOverride | string | "" |
Override the name |
| image.pullPolicy | string | "IfNotPresent" |
The image pull policy |
| image.registry | string | "docker.io" |
The image registry to pull from |
| image.repository | string | "falcosecurity/falcosidekick" |
The image repository to pull from |
| image.tag | string | "2.28.0" |
The image tag to pull |
| imagePullSecrets | list | [] |
Secrets for the registry |
| ingress.annotations | object | {} |
Ingress annotations |
| ingress.enabled | bool | false |
Whether to create the ingress |
| ingress.hosts | list | [{"host":"falcosidekick.local","paths":[{"path":"/"}]}] |
Ingress hosts |
| ingress.tls | list | [] |
Ingress TLS configuration |
| nameOverride | string | "" |
Override name |
| nodeSelector | object | {} |
Sidekick nodeSelector field |
| podAnnotations | object | {} |
additions annotations on the pods |
| podLabels | object | {} |
additions labels on the pods |
| podSecurityContext | object | {"fsGroup":1234,"runAsUser":1234} |
Sidekick pod securityContext |
| podSecurityPolicy | object | {"create":false} |
podSecurityPolicy |
| podSecurityPolicy.create | bool | false |
Whether to create a podSecurityPolicy |
| priorityClassName | string | "" |
Name of the priority class to be used by the Sidekickpods, priority class needs to be created beforehand |
| replicaCount | int | 2 |
number of running pods |
| resources | object | {} |
The resources for falcosdekick pods |
| securityContext | object | {} |
Sidekick container securityContext |
| service.annotations | object | {} |
Service annotations |
| service.port | int | 2801 |
Service port |
| service.type | string | "ClusterIP" |
Service type |
| testConnection.affinity | object | {} |
Affinity for the test connection pod |
| testConnection.nodeSelector | object | {} |
test connection nodeSelector field |
| testConnection.tolerations | list | [] |
Tolerations for pod assignment |
| tolerations | list | [] |
Tolerations for pod assignment |
| webui.affinity | object | {} |
Affinity for the Web UI pods |
| webui.allowcors | bool | false |
Allow CORS |
| webui.disableauth | bool | false |
Disable the basic auth |
| webui.enabled | bool | false |
enable Falcosidekick-UI |
| webui.existingSecret | string | "" |
Existing secret with configuration |
| webui.externalRedis.enabled | bool | false |
Enable or disable the usage of an external Redis. Is mutually exclusive with webui.redis.enabled. |
| webui.externalRedis.port | int | 6379 |
The port of the external Redis database with RediSearch > v2 |
| webui.externalRedis.url | string | "" |
The URL of the external Redis database with RediSearch > v2 |
| webui.image.pullPolicy | string | "IfNotPresent" |
The web UI image pull policy |
| webui.image.registry | string | "docker.io" |
The web UI image registry to pull from |
| webui.image.repository | string | "falcosecurity/falcosidekick-ui" |
The web UI image repository to pull from |
| webui.image.tag | string | "2.2.0" |
The web UI image tag to pull |
| webui.ingress.annotations | object | {} |
Web UI ingress annotations |
| webui.ingress.enabled | bool | false |
Whether to create the Web UI ingress |
| webui.ingress.hosts | list | [{"host":"falcosidekick-ui.local","paths":[{"path":"/"}]}] |
Web UI ingress hosts configuration |
| webui.ingress.tls | list | [] |
Web UI ingress TLS configuration |
| webui.loglevel | string | "info" |
Log level ("debug", "info", "warning", "error") |
| webui.nodeSelector | object | {} |
Web UI nodeSelector field |
| webui.podAnnotations | object | {} |
additions annotations on the pods web UI |
| webui.podLabels | object | {} |
additions labels on the pods web UI |
| webui.podSecurityContext | object | {"fsGroup":1234,"runAsUser":1234} |
Web UI pod securityContext |
| webui.priorityClassName | string | "" |
Name of the priority class to be used by the Web UI pods, priority class needs to be created beforehand |
| webui.redis.affinity | object | {} |
Affinity for the Web UI Redis pods |
| webui.redis.enabled | bool | true |
Is mutually exclusive with webui.externalRedis.enabled |
| webui.redis.existingSecret | string | "" |
Existing secret with configuration |
| webui.redis.image.pullPolicy | string | "IfNotPresent" |
The web UI image pull policy |
| webui.redis.image.registry | string | "docker.io" |
The web UI Redis image registry to pull from |
| webui.redis.image.repository | string | "redis/redis-stack" |
The web UI Redis image repository to pull from |
| webui.redis.image.tag | string | "6.2.6-v3" |
The web UI Redis image tag to pull from |
| webui.redis.nodeSelector | object | {} |
Web UI Redis nodeSelector field |
| webui.redis.password | string | "" |
Set a password for Redis |
| webui.redis.podAnnotations | object | {} |
additions annotations on the pods |
| webui.redis.podLabels | object | {} |
additions labels on the pods |
| webui.redis.podSecurityContext | object | {} |
Web UI Redis pod securityContext |
| webui.redis.priorityClassName | string | "" |
Name of the priority class to be used by the Web UI Redis pods, priority class needs to be created beforehand |
| webui.redis.resources | object | {} |
The resources for the redis pod |
| webui.redis.securityContext | object | {} |
Web UI Redis container securityContext |
| webui.redis.service.annotations | object | {} |
The web UI Redis service annotations (use this to set a internal LB, for example.) |
| webui.redis.service.port | int | 6379 |
The web UI Redis service port dor the falcosidekick-ui |
| webui.redis.service.targetPort | int | 6379 |
The web UI Redis service targetPort |
| webui.redis.service.type | string | "ClusterIP" |
The web UI Redis service type (i. e: LoadBalancer) |
| webui.redis.storageClass | string | "" |
Storage class of the PVC for the redis pod |
| webui.redis.storageEnabled | bool | true |
Enable the PVC for the redis pod |
| webui.redis.storageSize | string | "1Gi" |
Size of the PVC for the redis pod |
| webui.redis.tolerations | list | [] |
Tolerations for pod assignment |
| webui.replicaCount | int | 2 |
number of running pods |
| webui.resources | object | {} |
The resources for the web UI pods |
| webui.securityContext | object | {} |
Web UI container securityContext |
| webui.service.annotations | object | {} |
The web UI service annotations (use this to set a internal LB, for example.) |
| webui.service.nodePort | int | 30282 |
The web UI service nodePort |
| webui.service.port | int | 2802 |
The web UI service port dor the falcosidekick-ui |
| webui.service.targetPort | int | 2802 |
The web UI service targetPort |
| webui.service.type | string | "ClusterIP" |
The web UI service type |
| webui.tolerations | list | [] |
Tolerations for pod assignment |
| webui.ttl | int | 0 |
TTL for keys, the syntax in X, with : s, m, d, w (0 for no ttl) |
| webui.user | string | "admin:admin" |
User in format : |
Specify each parameter using the --set key=value[,key=value] argument to helm install.
Tip: You can use the default values.yaml
A prometheus endpoint can be scrapped at /metrics.