falco: Add base plugin

[knrt10]

Add plugin for Falco.

TODO

• Find a way and fix to get all rules configured by Falco

How to test

# clone Headlamp
git clone git@github.com:kubernetes-sigs/headlamp.git

# Run headlamp backend
cd backend && go run ./cmd -dev -enable-dynamic-clusters -proxy-urls=https://artifacthub.io/\*

# Run frontend
cd frontend && npm i && npm start

# Run app
cd app && npm run dev-only-app

# Have a k8s cluster up and running. See the readme of this PR

# Fetch this PR and go to falco directory
cd falco && npm i && npm start

Screenshots

[gambtho]

consider restricting to clusterIP or adding a network policy? currently i think anyone can read all events/inject fake events

[illume]

Thanks for these changes.

It looks like this PR has git conflicts. Can you please fix them?

[Copilot]

Pull request overview

Adds a new Falco Headlamp plugin to this plugins repository, providing UI pages for viewing Falco security events, exploring loaded rules, and configuring event storage (file vs Redis).

Changes:

• Introduces Falco plugin navigation/routes plus Events, Rules, and Settings pages.
• Adds services/utilities for pod exec, event parsing/formatting, and rule discovery/parsing from Falco configs.
• Adds Redis helper manifests + Falco Helm values and documents setup; registers the plugin in the repo README.

Reviewed changes

Copilot reviewed 34 out of 36 changed files in this pull request and generated 13 comments.

Show a summary per file

File	Description
falco/tsconfig.json	Plugin TypeScript config extending Headlamp plugin defaults.
falco/src/utils/storageUtils.ts	LocalStorage settings model + load/save helpers.
falco/src/utils/falcoRulesUtils.ts	YAML parsing + rules file discovery utilities.
falco/src/utils/falcoPodUtils.ts	Detect Falco file output path from Pod spec.
falco/src/utils/falcoEventUtils.ts	Event field extraction, formatting, and UI helpers.
falco/src/utils/constants.ts	Shared Falco namespace/label selector constants.
falco/src/types/FalcoRule.ts	Rule and rule-display types.
falco/src/types/FalcoEvent.ts	Falco event type definition.
falco/src/storybook.test.tsx	Storyshots test bootstrap.
falco/src/settings/index.tsx	Settings page export barrel.
falco/src/settings/Settings.tsx	Settings UI for selecting backend and Redis URL.
falco/src/services/podExecService.ts	Pod exec wrapper for reading files / command output.
falco/src/services/falcoRulesService.ts	Fetch pods/configs and aggregate rules from the cluster.
falco/src/rules/index.tsx	Rules page export barrel.
falco/src/rules/FalcoRules.tsx	Rules list page with loading/error handling.
falco/src/index.tsx	Plugin entry: icons, sidebar entries, and routes registration.
falco/src/headlamp-plugin.d.ts	Headlamp plugin type reference.
falco/src/events/index.tsx	Events page export barrel.
falco/src/events/FalcoEvents.tsx	Events viewer: file stream via exec + Redis polling backend.
falco/src/components/TagsCell.tsx	Colored tag rendering for event table.
falco/src/components/SeverityColumn.tsx	Colored severity pill renderer.
falco/src/components/RedisConnectionTester.tsx	Redis REST proxy ping/test UI.
falco/src/components/MessageCell.tsx	Clickable message cell with tooltip and keyboard support.
falco/src/components/LoadingIndicator.tsx	Shared loading + error UI component.
falco/src/components/K8sSourceCell.tsx	Attempts to link events to Kubernetes resources.
falco/src/components/EventDetailDialog.tsx	Event detail modal view.
falco/src/common/Table.tsx	Thin wrapper around Headlamp table component types/props.
falco/src/common/RulesTable.tsx	Rules table column definitions and table wrapper.
falco/redis/redis-server.yaml	Example Redis Deployment/Service for the Redis backend.
falco/redis/redis-rest-proxy.yaml	Example Redis REST proxy deployment (Flask) for browser access.
falco/package.json	Plugin package metadata and scripts (incl. redis setup script).
falco/falco-values.yaml	Example Helm values enabling Falco outputs/plugins.
falco/README.md	Plugin documentation and setup instructions.
falco/.gitignore	Plugin-local ignores (node_modules, dist, etc.).
README.md	Adds Falco plugin entry to the repository plugin list.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[illume]

@copilot address open review comments

[Copilot]

Thanks for these changes.
...

Fixed the merge conflict in README.md in commit abc0b00. The falco entry is now properly placed alongside radius and volcano, with duplicated cert-manager/minikube entries removed.

@copilot address open review comments

All review comments addressed in individual atomic commits:

• a648abd — Return fresh copy of defaultSettings in loadSettings()
• 2f7a7a6 — Pass pendingSettings.redisUrl to RedisConnectionTester
• ef327fe — Reuse shared utilities from storageUtils and constants
• a2a9f1c — Cap file-stream events array at 300 to match Redis behavior
• 5ed48af — Replace deprecated onKeyPress with onKeyDown
• 8da1fde — Include default namespace in getNamespace extraction
• 9feb677 — Scope pod listing to FALCO_NAMESPACE
• 2f0f3ed — Preserve Unicode in cleanYamlText, only strip control characters
• 68157e2 — Handle both namespace and namespaces kind in K8sSourceCell
• cfff4b2 — Use @property instead of @param in FalcoEvent JSDoc
• 5e4496b — Pin Python dependencies in redis-rest-proxy

Also added:

• 11fa2ef — Unit tests for all utility functions (72 tests passing)
• aee829f — Storybook stories for SeverityColumn, TagsCell, MessageCell, LoadingIndicator, and EventDetailDialog

[Copilot]

Pull request overview

Copilot reviewed 46 out of 48 changed files in this pull request and generated 11 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[illume]

@copilot address open review comments

[Copilot]

Pull request overview

Copilot reviewed 46 out of 48 changed files in this pull request and generated 10 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[illume]

@copilot Address open review comments

[Copilot]

Pull request overview

Copilot reviewed 46 out of 48 changed files in this pull request and generated 7 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

README claims a "search and filter UI for namespaces, pods, containers" but the current Events view uses SectionFilterHeader with noNamespaceFilter and there are no explicit pod/container filters in the UI (only free-text search). Please adjust the wording to match the current UX to avoid confusing users.

Suggested change

	- Powerful search and filter UI for namespaces, pods, containers, and severity.
	- Free-text search across events, with severity-based filtering in the current UI.

[Copilot]

normalizeRedisUrl returns base + search + hash, but callers build endpoints by string-concatenating paths (e.g. ${normalized}/events). If the user enters a URL containing ?query or #hash, the resulting request URL becomes malformed (query/hash ends up before /events). Consider stripping search/hash in normalizeRedisUrl, or have callers use new URL('/events', normalizedUrlObject) so path joining is correct and predictable.

[Copilot]

Tests hardcode the localStorage key string in multiple places instead of using FALCO_SETTINGS_KEY. This makes the tests unnecessarily brittle if the key is ever renamed. Prefer importing and using the exported constant so production code and tests stay in sync.

[Copilot]

extractRulesFromYaml assigns desc: obj.desc || '', which can yield a non-string (e.g. number/object) and violates the FalcoRule.desc: string contract. Coerce to string (similar to name: String(obj.rule)) so the returned data is consistently typed.

[Copilot]

readFile always execs in pod.spec.containers[0] (fallback 'falco'). If the Falco chart adds sidecars/init containers (e.g. falcoctl), the first container may not be the one that has /etc/falco/* mounted, causing reads to fail. Prefer selecting the container named falco when present (fall back to the first only when not found).

[Copilot]

The file-stream backend execs tail in pod.spec.containers[0] (fallback 'falco'), but the Falco daemonset can include sidecars (e.g. falcoctl). If the first container isn't the Falco one (or doesn't have the file mount), the stream will fail. Consider selecting the container named falco when present (similar to detectFalcoFileOutputPath).

Suggested change

	const containerName = pod.spec?.containers?.[0]?.name || 'falco';
	const containers = pod.spec?.containers ?? [];
	const falcoContainer = containers.find(container => container?.name === 'falco');
	const containerName = falcoContainer?.name || containers[0]?.name || 'falco';

[Copilot]

The redis-rest-proxy container prints full received event payloads (Received raw data / Storing JSON) to stderr. Falco events can contain sensitive details (command lines, paths, usernames), so logging full payloads by default is a data exposure risk and can also bloat logs. Consider removing these prints or gating them behind an explicit debug env var.