DEV Community

Omar Ahmed

Falco With Kubernetes

Falco Basics

Falco is an open-source, cloud-native runtime security project designed to detect unexpected application behavior and alert on threats in real time.
By default, Falco has 5 outputs for its events: stdout, file, gRPC, shell and http.
These can be integrated with other components using falcosidekick, a daemon that extends that number of possible outputs.

Key Points about Falco:

  • Runtime Security: It continuously monitors your applications, containers, and hosts at runtime to detect abnormal activities.
  • Container Visibility: It provides complete visibility into containerized environments using a single lightweight sensor.
  • Rules-Based Detection: Falco uses a rich set of rules to define what is considered abnormal. When these rules are violated, alerts are triggered.

Examples of what Falco can detect by default:

  • A shell being run inside a container (which could indicate a breach).
  • A server process spawning an unexpected type of child process.
  • An attempt to read sensitive files, like /etc/shadow.

Falco Installation

kubectl create namespace falco

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

helm install falco falcosecurity/falco \
--set falcosidekick.enabled=true \
--set falcosidekick.webui.enabled=true \
-n falco

# falco → release name
# falcosecurity/falco → chart
# -n falco → installs Falco into the falco namespace created above
# (helm could also create it with --create-namespace instead of the kubectl step)

# check that the Falco pods are running:
kubectl get pods -n falco

Test Using Falco UI

# start a test pod and open an interactive shell in it; this trips Falco's
# default "Terminal shell in container" rule and produces an event
kubectl run nginx --image=nginx -n falco --restart=Never -- sleep infinity
kubectl exec -it nginx -n falco -- bash
# expose the falcosidekick UI locally (service port 2802 → local port 3000);
# drop --address=0.0.0.0 unless you need to reach it from another host
kubectl port-forward --address=0.0.0.0 -n falco svc/falco-falcosidekick-ui 3000:2802
# open http://localhost:3000, log in (user: admin, password: admin) and go to the Events tab


Falco Slack Notifications

Follow these steps to create and test a Slack Incoming Webhook for Falco alerts:

First create the channel in Slack: Channels => Create => Create Channel => Channel Name => Falco
  1. Create an App

    • Click Create New App
    • Go to Slack API Apps
    • Choose From Scratch
    • Enter App Name: Falco Slack App
    • Pick a workspace to develop your app: Test
    • Click Create App
  2. Enable Incoming Webhooks

    • From the left sidebar → click Incoming Webhooks
    • Switch Activate Incoming Webhooks → ON
  3. Add a Webhook to Workspace

    • Scroll down and click Add New Webhook to Workspace
    • Select a channel: #falco
    • Click Allow
  4. Copy and Test the Sample Curl URL Request

    • Run the sample Curl URL request in your terminal:

      curl -X POST -H 'Content-type: application/json' \
      --data '{"text":"Hello, World!"}' \
      https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX 
      
  5. Open your Slack #falco channel; you should see: Hello, World!

  6. Copy the Webhook URL Provided and use it below:

helm upgrade falco falcosecurity/falco \
--set falcosidekick.enabled=true \
--set falcosidekick.webui.enabled=true \
--set falcosidekick.config.slack.webhookurl="https://hooks.slack.com/services/XXXX" \
--set falcosidekick.config.customfields="environment:production\,datacenter:egypt" \
-n falco 

# check the revision number
helm ls -n falco

# attach a terminal in a container; the resulting Falco event is forwarded by falcosidekick to #falco
# (delete the nginx pod from the UI test first if it still exists)
kubectl run nginx --image=nginx -n falco --restart=Never -- sleep infinity
kubectl exec -it nginx -n falco -- bash
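As an added example (not code from this post, from Falco or from falcosidekick), the script below shows what falcosidekick does with the events behind the Slack integration: it parses Falco's JSON event output, drops events below a minimum priority (the idea behind falcosidekick's minimumpriority setting), merges in the custom fields passed to `helm upgrade` above, and builds the same `{"text": ...}` payload the curl test posts. The sample events are constructed; the rule names follow Falco's default ruleset, and the field layout assumes Falco's standard JSON output (output, priority, rule, time, output_fields).

```python
import json
import urllib.request

# Falco priorities, highest to lowest (Falco's own ordering).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Constructed sample events in Falco's JSON output format (one object per line),
# mirroring the default detections listed above: a shell in a container and a read of /etc/shadow.
SAMPLE_EVENTS = """
{"output":"10:01:02.000000000: Notice A shell was spawned in a container with an attached terminal (user=root container_name=nginx shell=bash)","priority":"Notice","rule":"Terminal shell in container","time":"2024-01-01T10:01:02.000000000Z","output_fields":{"container.name":"nginx","k8s.ns.name":"falco","proc.name":"bash","user.name":"root"}}
{"output":"10:01:03.000000000: Warning Sensitive file opened for reading by non-trusted program (user=root file=/etc/shadow container_name=nginx)","priority":"Warning","rule":"Read sensitive file untrusted","time":"2024-01-01T10:01:03.000000000Z","output_fields":{"container.name":"nginx","fd.name":"/etc/shadow","k8s.ns.name":"falco","user.name":"root"}}
{"output":"10:01:04.000000000: Debug Some low-value event","priority":"Debug","rule":"Debug only rule","time":"2024-01-01T10:01:04.000000000Z","output_fields":{}}
"""

def parse_events(text):
    """Parse newline-delimited Falco JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def filter_by_priority(events, minimum="Notice"):
    """Keep events at or above `minimum` (lower index in PRIORITIES = more severe)."""
    cutoff = PRIORITIES.index(minimum)
    return [e for e in events if PRIORITIES.index(e["priority"]) <= cutoff]

def to_slack_payload(event, customfields):
    """Build a Slack Incoming Webhook payload from a Falco event, appending the
    custom fields (environment, datacenter) configured in the helm upgrade."""
    fields = dict(event.get("output_fields", {}))
    fields.update(customfields)
    details = ", ".join(f"{k}={v}" for k, v in sorted(fields.items()))
    text = f"[{event['priority']}] {event['rule']}: {event['output']} ({details})"
    return {"text": text}

def post_to_slack(webhook_url, payload):
    """POST the payload to the webhook, like the curl test (network call; not exercised offline)."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    custom = {"environment": "production", "datacenter": "egypt"}
    for ev in filter_by_priority(parse_events(SAMPLE_EVENTS), "Notice"):
        print(json.dumps(to_slack_payload(ev, custom)))
```

Raising the minimum to "Warning" keeps only the /etc/shadow read, which is how you would stop the shell-in-container notices from flooding the channel while still paging on sensitive-file access.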

