falco: Add base plugin

This adds events, rule and settings page to the plugin. User can select
the backend for the events. Default backend is file/volumes. They can
easily configure redis as well and use that as backend.

Signed-off-by: Kautilya Tripathi <[email protected]>

Author: knrt10

README.md

@@ -15,6 +15,7 @@ This is a repository of official plugins that Headlamp uses or recommends.
 | [prometheus](./prometheus) | Provides a Prometheus-powered chart in the details views of workloads. | Needs Prometheus installed in the cluster for the chart to be shown. Shipped with Headlamp desktop and CI builds by default. | [@yolossn](https://github.com/yolossn) |
 | [cert-manager](./cert-manager) | A UI for viewing and managing cert-manager. | |[@yolossn](https://github.com/yolossn)|
 | [minikube](./minikube) | A UI for minikube, for running Kubernetes locally. | |[@illume](https://github.com/illume)|
+| [falco](./falco) | A UI for Falco, to view various security events in the cluster. | |[@knrt10](https://github.com/knrt10)|
 
 ## Development
 

falco/.gitignore

@@ -0,0 +1,3 @@
+node_modules
+.vscode
+dist

falco/README.md

@@ -0,0 +1,120 @@
+# Falco Headlamp Plugin
+
+A modern, Headlamp plugin for visualizing and managing [Falco](https://falco.org/) security events and rules in Kubernetes clusters.
+
+## Features
+
+- **Falco Events Viewer:**
+
+  - Real-time streaming and display of Falco security events from all cluster namespaces.
+  - Powerful search and filter UI for namespaces, pods, containers, and severity.
+  - Multiple backend options: file-based (default) or Redis for persistent storage.
+  - Fully type-safe event handling and clear, maintainable utility functions.
+
+- **Falco Rules Explorer:**
+
+  - Lists all Falco rules loaded in the cluster, with support for multiple pods and custom rule files.
+  - Search and filter by rule name, description, pod, or source file.
+
+- **Storage Backends:**
+
+  - **File-based** (default): Access events directly from Falco output files.
+  - **Redis**: Store events in Redis for persistence and centralized access via a Redis REST proxy.
+
+## Prerequisites
+
+Before you begin, ensure you have the following:
+
+- A running Kubernetes cluster (minikube, kind, or a production cluster)
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) installed and configured
+- [Helm](https://helm.sh/docs/intro/install/) v3+ installed
+- [Node.js](https://nodejs.org/) and npm installed (for development)
+- [Headlamp](https://headlamp.dev/docs/latest/installation/) installed and access to your cluster
+
+## Setup
+
+### Basic Setup
+
+1. Clone this repository and install dependencies:
+
+   ```bash
+   npm install
+   ```
+
+2. Install Falco with file output enabled:
+
+   ```bash
+   helm install falco falcosecurity/falco \
+     --namespace falco \
+     --set falco.file_output.enabled=true \
+     --set falco.file_output.filename="/tmp/falco_events.json" \
+     --set falco.file_output.keep_alive=true \
+     --set falco.json_output=true \
+     --set driver.kind=modern_ebpf \
+     --set falco.tty=true
+   ```
+
+### Redis Backend Setup
+
+To use the Redis backend for persistent event storage:
+
+1. Deploy Redis and the REST proxy in your Kubernetes cluster:
+
+   ```bash
+   npm run setup-redis
+   ```
+
+   > **Important Note:** If you already have a Redis server but not the REST proxy, you must still deploy the Redis REST proxy component. This plugin communicates with Redis via HTTP and requires the proxy layer.
+   >
+   > **For Production Environments**: To connect to your existing Redis server, modify `redis/redis-rest-proxy.yaml` by changing line 46 in the Python code:
+   >
+   > ```python
+   > # Change this line:
+   > rclient = redis.Redis(host='redis-service', port=6379)
+   >
+   > # To point to your Redis server:
+   > rclient = redis.Redis(host='your-redis-hostname', port=6379, password='your-password-if-needed')
+   > ```
+   >
+   > You may also need to adjust security settings, resource limits, and consider adding persistence for production deployments.
+
+2. Install Falco with both file and Redis output enabled using our provided values file:
+
+   ```bash
+   # The falco-values.yaml file in the repo already contains the Redis configuration
+   helm install falco falcosecurity/falco \
+     --namespace falco \
+     --set falco.file_output.enabled=true \
+     --set falco.file_output.filename="/tmp/falco_events.json" \
+     --set falco.file_output.keep_alive=true \
+     --set falco.json_output=true \
+     --set driver.kind=modern_ebpf \
+     --values=falco-values.yaml \
+     --set falco.tty=true
+   ```
+
+3. In the plugin settings, switch to Redis backend and test the connection.
+
+## Development
+
+To develop or extend this plugin:
+
+1. Clone this repository and install dependencies (see `package.json`).
+2. Run Headlamp in plugin development mode.
+3. Edit TypeScript/TSX files in `src/` for UI or logic changes.
+4. All contributions must maintain or improve type safety and documentation.
+
+See the following resources for Headlamp plugin development:
+
+- [Headlamp Plugin Getting Started](https://headlamp.dev/docs/latest/development/plugins/)
+- [Headlamp API Reference](https://headlamp.dev/docs/latest/development/api/)
+- [UI Component Storybook](https://headlamp.dev/docs/latest/development/frontend/#storybook)
+- [Plugin Examples](https://github.com/headlamp-k8s/headlamp/tree/main/plugins/examples)
+
+## Contributing
+
+Contributions are welcome! Please ensure that:
+
+- All new code is type-safe and well-documented.
+- Comments describing utility functions are replaced with TypeScript type annotations and JSDoc comments.
+- No business logic or user experience is broken by refactors.

falco/falco-values.yaml

@@ -0,0 +1,88 @@
+# Enable Kubernetes audit log
+auditLog:
+  enabled: true
+
+# Enable the driver, and choose between the kernel module or the ebpf probe.
+# Default value: kernel module.
+driver:
+  enabled: true
+  kind: modern_ebpf
+
+# Enable the collectors used to enrich the events with metadata.
+# Check the values.yaml file for fine-grained options.
+collectors:
+  enabled: true
+
+# We set the controller to daemonset since we have the syscalls source enabled.
+# It will ensure that every node on our cluster will be monitored by Falco.
+# Please note that the api-server will use the "k8saudit-webhook" service to send
+# audit logs to the falco instances. That means that when we have multiple instances of Falco
+# we can not predict to which instance the audit logs will be sent. When testing please check all
+# the Falco instance to make sure that at least one of them have received the audit logs.
+controller:
+  kind: daemonset
+
+falcoctl:
+  artifact:
+    install:
+      # -- Enable the init container.
+      enabled: true
+    follow:
+      # -- Enable the sidecar container.
+      enabled: true
+  config:
+    artifact:
+      install:
+        # -- List of artifacts to be installed by the falcoctl init container.
+        refs: [falco-rules:3, k8saudit-rules:0.11, k8saudit:0.11]
+      follow:
+        # -- List of artifacts to be followed by the falcoctl sidecar container.
+        refs: [falco-rules:3, k8saudit-rules:0.11, k8saudit:0.11]
+
+services:
+  - name: k8saudit-webhook
+    type: NodePort
+    ports:
+      - port: 9765 # See plugin open_params
+        nodePort: 30007
+        protocol: TCP
+
+falco:
+  # Basic settings
+  json_output: true
+  tty: true
+  log_level: debug
+
+  # File output
+  file_output:
+    enabled: true
+    keep_alive: true
+    filename: /tmp/falco_events.json
+
+  # Direct program output to pipe events to Redis
+  program_output:
+    enabled: true
+    keep_alive: false
+    program: "curl -s -d @- -H 'Content-Type: application/json' http://redis-rest-proxy.falco.svc.cluster.local:8080/events"
+
+  # HTTP output to Redis proxy (keep as backup)
+  http_output:
+    enabled: true
+    url: 'http://redis-rest-proxy.falco.svc.cluster.local:8080/events'
+
+  rules_files:
+    - /etc/falco/falco_rules.yaml
+    - /etc/falco/k8s_audit_rules.yaml
+    - /etc/falco/rules.d
+  plugins:
+    - name: k8saudit
+      library_path: libk8saudit.so
+      init_config:
+        ''
+        # maxEventBytes: 1048576
+        # sslCertificate: /etc/falco/falco.pem
+      open_params: 'http://:9765/k8s-audit'
+    - name: json
+      library_path: libjson.so
+      init_config: ''
+  load_plugins: [k8saudit, json]