Deploying Falco to Kubernetes

Glen Tomkowiak
Oct 26 · 1 min read

A secure Kubernetes deployment benefits from Kubernetes-specific security tools. One high-quality open-source tool is Falco. Falco is an intrusion detection system that reports suspicious Kubernetes events that a security admin might want to know about. This is an IDS, so it can be chatty. I found that it will report lots of less-than-useful system call event drops. You can easily opt to log these events without being notified about them, which is what I am choosing to do for now.

Here is a quick guide to deploying Falco on Kubernetes.

Falco will run as a DaemonSet and requires about 1 GB of memory per node.

I am assuming you already have a functional Kubernetes cluster with Helm.

Step 1: Create an AWS SNS topic and set up an email to send events to

Step 2: Create a specific IAM account to publish to this topic

Step 3: Deploy Falco with Helm. On most popular installations, e.g. KOPS or Kubespray on EC2-Linux or Ubuntu, it will install automatically without issues. Some less popular installations might require you to install a kernel module.

Be sure to replace FULL_ARN_FOR_CLOUD_WATCH_TOPIC, YOUR_AWS_REGION, YOUR_SNS_SERVICE_ACCOUNT_ACCESS_KEY, and YOUR_SNS_SERVICE_ACCOUNT_SECRET_KEY with your settings in the command listed below.

# Values passed with --set, including the secret key, are stored with the
# Helm release and may be recorded in your shell history.
helm install \
  --set "falco.syscallEventDrops.actions={log}" \
  --set integrations.snsOutput.enabled=true \
  --set integrations.snsOutput.topic=FULL_ARN_FOR_CLOUD_WATCH_TOPIC \
  --set integrations.snsOutput.aws_default_region=YOUR_AWS_REGION \
  --set integrations.snsOutput.aws_access_key_id=YOUR_SNS_SERVICE_ACCOUNT_ACCESS_KEY \
  --set integrations.snsOutput.aws_secret_access_key=YOUR_SNS_SERVICE_ACCOUNT_SECRET_KEY \
  stable/falco
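
Steps 1 and 2 can be scripted with the AWS CLI. The script below is an added example, not part of the original post, and it limits the new IAM user to sns:Publish on the one topic. The topic name, IAM user name, policy name and script name are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: falco-alerts (topic), falco-sns-publisher (user).
set -eu
TOPIC_NAME="${TOPIC_NAME:-falco-alerts}"
IAM_USER="${IAM_USER:-falco-sns-publisher}"

# Print an IAM policy allowing sns:Publish on exactly one topic.
# Anything that is not a full topic ARN (wildcards included) is rejected.
publish_only_policy() {
  case "$1" in
    *[!A-Za-z0-9:_.-]*) echo "invalid characters in ARN" >&2; return 1 ;;
  esac
  if ! printf '%s\n' "$1" | grep -Eq \
      '^arn:aws[a-z-]*:sns:[a-z0-9-]+:[0-9]{12}:[A-Za-z0-9_-]+(\.fifo)?$'; then
    echo "not a full SNS topic ARN: $1" >&2
    return 1
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sns:Publish",
    "Resource": "$1"
  }]
}
EOF
}

# Steps 1 and 2: topic, email subscription, publish-only IAM user, access key.
provision() {
  email="$1"; region="$2"
  arn=$(aws sns create-topic --name "$TOPIC_NAME" --region "$region" \
        --query TopicArn --output text)
  aws sns subscribe --topic-arn "$arn" --protocol email \
      --notification-endpoint "$email" --region "$region"
  policy=$(publish_only_policy "$arn")
  aws iam create-user --user-name "$IAM_USER"
  aws iam put-user-policy --user-name "$IAM_USER" \
      --policy-name falco-sns-publish --policy-document "$policy"
  echo "Topic ARN for the helm command: $arn"
  # Prints the access key ID and secret once; store them securely.
  aws iam create-access-key --user-name "$IAM_USER" \
      --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Nothing runs unless invoked as: sh falco-sns.sh provision EMAIL REGION
if [ "${1:-}" = "provision" ]; then
  provision "$2" "$3"
fi
```

The email subscription stays pending until the recipient confirms it from the message SNS sends.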

More information can be found on GitHub: https://github.com/falcosecurity/falco
