Kubernetes に Falco を展開してアプリケーションの挙動をモニタリングする

enabling container security with Falco

makocchi
makocchi
Oct 16, 2018 · 13 min read
Image for post
Image for post

about Falco

deploy Falco to kubernetes cluster

$ git clone https://github.com/falcosecurity/falco
# 先程 clone した repository
$ cd falco/integrations/k8s-using-daemonset/
$ ls -F
falco-event-generator-deployment.yaml k8s-without-rbac/ k8s-with-rbac/ README.md

ServiceAccount and ClusterRoleBinding

$ kubectl apply -f falco-account.yaml
serviceaccount/falco-account created
clusterrole.rbac.authorization.k8s.io/falco-cluster-role created
clusterrolebinding.rbac.authorization.k8s.io/falco-cluster-role-binding created

ConfigMap

falco.yaml

# ConfigMap の内容を配置する directory を作成する(別にどこでもよい)
$ mkdir falco-config
# config の雛形を配置する
$ cp ../../../falco.yaml falco-config/.
# 編集する
$ vi falco-config/falco.yaml
# json での output を有効にする
json_output: true

# program_output で slack の webhook を設定する
program_output:
enabled: true
keep_alive: false
program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/foo/bar/baz"

各種 rule

$ cp ../../../rules/falco_rules.* falco-config/.
$ kubectl create configmap falco-config --from-file=falco-config/
configmap/falco-config created

DaemonSet

# updateStrategy の type を RollingUpdate にしておく
$ vi falco-daemonset-configmap.yaml
---
spec:
updateStrategy: # 追記
type: RollingUpdate # 追記
---
# DaemonSet 作成
$ kubectl apply -f falco-daemonset-configmap.yaml
daemonset.extensions/falco created
# Pod が正常に起動しているか確認しておく
$ kubectl get pods -l name=falco

Verify Falco behavior

# Falco の pod で bash を起動する
$ kubectl exec -ti falco-4xfp9 bash
root@falco-4xfp9:/#
# exit する
root@falco-4xfp9:/# exit
exit
# Falco の log を確認する
$ kubectl logs --tail 1 falco-4xfp9
{"output":"12:16:40.439277259: Notice A shell was spawned in a container with an attached terminal (user=root k8s.pod=falco-4xfp9 container=5fdb0a349c31 shell=bash parent=<NA> cmdline=bash terminal=34817)","priority":"Notice","rule":"Terminal shell in container","time":"2018-10-16T12:16:40.439277259Z", "output_fields": {"container.id":"5fdb0a349c31","evt.time":1539692200439277259,"k8s.pod.name":"falco-4xfp9","proc.cmdline":"bash ","proc.name":"bash","proc.pname":null,"proc.tty":34817,"user.name":"root"}}
- rule: Terminal shell in container
desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
condition: >
spawned_process and container
and shell_procs and proc.tty != 0
and container_entrypoint
output: >
A shell was spawned in a container with an attached terminal (user=%user.name %container.info
shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)
priority: NOTICE
tags: [container, shell]

slack webhook

Image for post
Image for post
Image for post
Image for post
頑張った結果
program_output:
enabled: true
keep_alive: false
program: "jq '{username: \"falco\", icon_emoji: \":eagle:\", attachments: [{fallback: \"Falco Alert\", footer: .time, color: \"danger\", fields: [{title: \"Rule\", value: .rule, short: true}, {title: \"Priority\", value: .priority, short: true}, {title: \"Pod\", value: .output_fields[\"k8s.pod.name\"], short: \"true\"}, {title: \"Command\", value: .output_fields[\"proc.cmdline\"], short: \"true\"}, {title: \"Output\", value: .output, short: false}]}]}' | curl -s -d @- -X POST https://hooks.slack.com/services/foo/bar/baz"

tag による rule の絞り込み

# DaemonSet を更新する
$ kubectl edit daemonsets falco
---
spec:
containers:
- args:
- /usr/bin/falco
- -K
- /var/run/secrets/kubernetes.io/serviceaccount/token
- -k
- https://kubernetes.default
- -pk
- -T # 追記
- shell # 追記
---
# falco の args に -T shell を追加する
# 先程 updateStrategy を RollingUpdate にしていれば自動的に pod は再作成される
$ kubectl get pods -l name=falco
$ kubectl logs --tail 1 falco-6krnp
Tue Oct 16 12:42:37 2018: Disabling rules with tag: shell
$ kubectl logs --tail 1 falco-dbm9f
Tue Oct 16 12:59:41 2018: Enabling rules with tag: shell

How to update falco config

$ kubectl set env daemonset falco RELOAD_DATE="$(date)"

Host 側のセキュリティもチェックできる

# kubernetes の node 側で確認できる
$ lsmod | grep falco_probe
falco_probe 618496 4
Image for post
Image for post

まとめ

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store