fix(cncf-install): use Falco chart 8.0.1, disable falcoctl downloader

[bmvinay7]

Description

Rewrites fixes/cncf-install/install-falco.json so it actually installs Falco end to end, including on clusters with restricted egress (kind, k3d, air-gapped, corporate networks blocking github.io). The previous mission was unrunnable on any current chart and crash-looped pods on the most common kind setup.

Bugs in the previous mission

1. helm install ... --version 0.43.0 fails with chart not found

$ helm install falco falcosecurity/falco --namespace falco --create-namespace --version 0.43.0
Error: INSTALLATION FAILED: chart "falco" matching 0.43.0 not found in falcosecurity index ...

0.43.0 is the Falco app version. The Helm --version flag takes the chart version. Chart 8.0.1 maps to app v0.43.0:

$ helm search repo falcosecurity/falco --versions | head -5
NAME                CHART VERSION  APP VERSION
falcosecurity/falco 8.0.5          0.43.1
falcosecurity/falco 8.0.1          0.43.0
falcosecurity/falco 7.2.1          0.42.1

Same problem in the upgrade step (--version 0.44.0 is also an app version, not a chart version).

2. falcoctl-artifact-install init container crash-loops on restricted egress

By default the chart enables the falcoctl artifact downloader, which runs as the falcoctl-artifact-install init container and fetches https://falcosecurity.github.io/falcoctl/index.yaml at pod startup. On clusters with restricted or flaky egress the request hangs and the init container errors out:

{"level":"ERROR","msg":"unable to fetch index \"falcosecurity\" with URL \"https://falcosecurity.github.io/falcoctl/index.yaml\": ... dial tcp 185.199.108.153:443: i/o timeout"}

The pod stays in Init:CrashLoopBackOff. Falco ships its rules baked into the image, so the runtime fetch is optional. The upstream-documented fix (Rule basics for the Falco 3.0.0 Helm chart) is:

helm install falco \
  --set falcoctl.artifact.install.enabled=false \
  --set falcoctl.artifact.follow.enabled=false

This is upstream's documented "use the embedded ruleset" path and works on any cluster regardless of egress.

3. kubectl delete crd falcosecurity.org is a no-op

The previous uninstall step ran kubectl delete crd falcosecurity.org. Falco does not install any CRDs at that name (or any name). The chart cleans up its own resources on helm uninstall. Removed.

What this PR ships

Install (5 steps)

1. Add the falcosecurity Helm repository.
2. Install with chart 8.0.1 and both falcoctl artifact flags disabled so the embedded ruleset is used and the pod does not need github.io egress to start.
3. Wait for the DaemonSet rollout (kubectl rollout status daemonset/falco -n falco) instead of just listing pods.
4. Tail logs to confirm Falco initialized with configuration files and the BPF engine messages.
5. Trigger a sample event by reading /etc/shadow inside a busybox pod, which fires the built-in Sensitive file opened for reading by non-trusted program rule. Confirms BPF probe is attached and embedded rules are loaded.

Uninstall (3 steps)

helm uninstall -> namespace delete -> verify no Falco pods, CRDs, or RBAC remain.

Upgrade (3 steps)

Backup DaemonSet -> helm upgrade --version 8.0.1 --reuse-values (so the falcoctl flags persist across upgrades) -> verify rollout.

Troubleshooting (6 entries)

1. chart not found when passing the app version
2. falcoctl-artifact-install CrashLoopBackOff with the documented fix
3. Image-pull stalls on slow networks
4. Falco running but no events (sample syscall + log grep)
5. Falco pod OOMKilled (memory limit bump)
6. BPF probe fails to attach (kmod fallback)

Metadata fixes

• containerImages switched from a single placeholder ref to the three real images chart 8.0.1 actually pulls: docker.io/falcosecurity/falco:0.43.0, docker.io/falcosecurity/falco-driver-loader:0.43.0, docker.io/falcosecurity/falcoctl:0.12.2. Verified with docker manifest inspect.
• metadata.sourceUrls.helm added.
• Author/authorGithub switched to Vinay B M / bmvinay7 for the rewrite, matching precedent from PR Fix Thanos install mission and correct author attribution #2253 (Thanos), fix(platform-install): rewrite argocd-operator install mission to use upstream OLM path #2299 (argocd-operator), and the auto-merged 🐛 Fix platform-kyverno mission: namespace, chart version, labels, uninstall safety #2305 (Kyverno).

Validation

Local CI (mirror of every PR-blocking workflow)

== validate-schema ==
[PASS] validate-schema

== kb-quality-enforcement ==
Score: 100/100 ([PASS] OK)
Breakdown:
  - clarity: 100
  - completeness: 100
  - correctness: 100
  - structure: 100
  - observability: 100
[PASS] kb-quality-enforcement

== scan-missions ==
[PASS] scan-missions   (Schema clean, no sensitive data, no malicious content)

== mission-safety-scan ==
[PASS] mission-safety-scan   (all 14 grep rules clean)

== mission-content-validation (per-step) ==
[PASS] mission-content-validation (per-step)

== mission-content-validation (live URL + crane) ==
[PASS] mission-content-validation (live)
  https://falcosecurity.github.io/charts/index.yaml -> HTTP 200

== pr-verifier (conventional commit subject) ==
[PASS] pr-verifier

== copilot-dco (Signed-off-by trailer) ==
[PASS] copilot-dco

ALL LOCAL CI GATES PASSED. Safe to push.

End-to-end on kind

Cluster: kb-test (kind v0.31.0, Kubernetes 1.36.0).

# Reproduction of the falcoctl bug on the previous chart-version-correct path
$ helm install falco falcosecurity/falco --namespace falco --create-namespace --version 8.0.1
$ kubectl get pods -n falco
falco-c79rt   0/2   Init:CrashLoopBackOff   17 (2m9s ago)
$ kubectl logs -n falco falco-c79rt -c falcoctl-artifact-install --tail=5
{"level":"ERROR","msg":"unable to fetch index ... dial tcp 185.199.108.153:443: i/o timeout"}

# Apply the documented fix
$ helm upgrade falco falcosecurity/falco --namespace falco --version 8.0.1 \
    --set falcoctl.artifact.install.enabled=false \
    --set falcoctl.artifact.follow.enabled=false
Release "falco" has been upgraded.

$ kubectl rollout status daemonset/falco -n falco --timeout=300s
daemon set "falco" successfully rolled out

$ kubectl get pods -n falco -l app.kubernetes.io/name=falco
NAME          READY   STATUS    RESTARTS   AGE
falco-v4x2g   1/1     Running   0          81s

$ kubectl logs -n falco -l app.kubernetes.io/name=falco -c falco --tail=5
[libs]: Trying to open the right engine!
Falco initialized with configuration files
Starting health webserver with threadiness 1, listening on 0.0.0.0:8765

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• Documentation update

Checklist

• I have signed off my commits (git commit -s)
• I have updated documentation as needed
• I have added tests that prove my fix/feature works
• All new and existing tests pass

The "tests that prove my fix/feature works" box stays unticked because the repo has no unit-test framework for missions. The CI validators (schema, scan, quality, safety, content) ARE the tests; they're already covered by "All new and existing tests pass". The kind end-to-end run above is the practical equivalent.

[kubestellar-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign clubanderson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubestellar-hive]

LGTM — thorough fix for the Falco install mission.

[kubestellar-prow]

@kubestellar-hive[bot]: changing LGTM is restricted to collaborators

Details

In response to this:

LGTM — thorough fix for the Falco install mission.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.