Kubernetes Security With Falco
Comprehensive runtime security for your containers with a hands-on demo
Falco is an open source runtime security tool that can help you secure a variety of environments. Sysdig created it, and it has been a CNCF project since 2018. Falco evaluates real-time Linux kernel events (system calls), container activity, Kubernetes audit logs and other event sources against a powerful rules engine and alerts users to malicious behaviour.
It is particularly useful for container security — especially if you are using Kubernetes to run them — and it is now the de facto Kubernetes threat detection engine. It ingests Kubernetes API audit logs for runtime threat detection and to understand application behaviour.
It also helps teams understand who did what in the cluster, and it can integrate with webhooks to raise alerts in a ticketing system or a collaboration tool like Slack.
Falco works by using detection rules that define unexpected behaviour. Though it comes with its own useful default rules, you can extend them to define custom rules to harden your cluster further.
Some of the things Falco can detect include:
- Opening of a shell session from a container
- Host path volume mount
- Reading secret and sensitive files such as
- A new package installation in a running container
- A new process spawned in a container that is not part of its CMD
- Opening of a new port or unexpected network connection
- Creating a privileged container
- and much more…
All these features make Falco less a tool for checking whether you have the appropriate security controls in place and more a tool for making sure you know when there is a potential breach, so that you can stop it before something terrible happens. Falco therefore complements the existing Kubernetes-native security measures such as RBAC and Pod Security Policies, which prevent issues rather than detect them.
There are multiple ways of running Falco within a Kubernetes cluster. You can install Falco directly on every Kubernetes node, bake Falco into each pod as a second (sidecar) container, or use a DaemonSet to run a Falco pod on every node.
Using a DaemonSet is the better and more flexible option: it requires the least amount of change on the Dev side and, unlike installing on every node, does not take a toll on the Ops side either. It is also Kubernetes-native, so it is the preferred way.
Let’s now go hands-on and see Falco in action. For the prerequisites, you need a running Kubernetes cluster.
Helm is the package manager for Kubernetes, and it helps a lot if you have it installed. We will install Falco using a Helm chart, so we need to install Helm first. Skip the step below if you already have Helm installed.
Installing Helm is simple. Download the latest release package for your OS, untar it, and move the binary onto your PATH:
tar -xvf helm-v3.3.4-linux-amd64.tar.gz
chmod +x linux-amd64/helm
mv linux-amd64/helm /usr/local/bin/
Now let’s install Falco using the official Helm chart.
Add the falcosecurity Helm repo first and update the repo:
$ helm repo add falcosecurity https://falcosecurity.github.io/charts
"falcosecurity" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "falcosecurity" chart repository
Update Complete. ⎈Happy Helming!⎈
Now, let’s install Falco using the Helm chart:
$ helm install falco falcosecurity/falco
LAST DEPLOYED: Fri Oct 16 07:06:24 2020
TEST SUITE: None
Falco agents are spinning up on each node in your cluster. After a few
seconds, they are going to start monitoring your containers looking for
security issues.No further action should be required.
Helm spins up a Falco DaemonSet, and we should see a Falco pod in every node. Let’s get the pods to find out:
$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE NODE
falco-cgvxc 1/1 Running 0 6m53s kind-control-plane
falco-f9526 1/1 Running 0 6m53s kind-worker2
falco-rx2gj 1/1 Running 0 6m53s kind-worker
Congratulations! We have successfully installed Falco and it is running on all nodes.
Time for some testing! We’ll create an NGINX pod and try to do several activities that we wouldn’t normally do.
Create an NGINX pod:
kubectl run nginx --image=nginx
Now let’s get the pods to see on which node it has launched:
kubectl get pod nginx -o wide
NAME READY STATUS RESTARTS AGE NODE
nginx 1/1 Running 0 2m kind-worker
As we can see, the NGINX pod is running on the kind-worker node, so the corresponding Falco pod is falco-rx2gj (the one scheduled on kind-worker in the listing above).
Let's open a second terminal window. In the right-hand window, tail the Falco container logs with
kubectl logs -f falco-rx2gj (the -f flag keeps following the log), and in the left-hand window do the following:
- Launch a shell on the NGINX container.
- Cat a sensitive file.
- Exit from the shell.
As you can see, logs appear in the right-hand window whenever we do activities that are a potential security breach.
You can also export these logs to a monitoring tool like Prometheus or Grafana, and you can trigger a webhook to Slack for immediate notification as well.
Falco is a widely used runtime security tool for Kubernetes, and I recommend using it in all environments, especially production. A useful feature is that you can also modify the rules to suit your requirements, and therefore save yourself from a lot of false alerts.
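To make the two points above concrete (extending the default rules, and tuning them to cut false alerts), here is an added custom rules file. It is an example written for this article, not Falco's own rules or part of the chart; the macro names it overrides come from Falco's default falco_rules.yaml, while the namespace, process name and the chart's customRules key are assumptions.

```yaml
# Custom Falco rules file, e.g. rules-nginx.yaml (constructed example).
# Falco loads it after the default falco_rules.yaml. With the Helm chart used
# above it can be passed through the chart's customRules value (assumed key
# name for that chart version). Macros such as open_write and container, and
# the user_* hook macros overridden below, are defined in the default rule set.

# 1) An additional rule: flag writes under the NGINX document root. Files
#    there should be baked into the image, so a write at runtime (a dropped
#    web shell, a defaced page) is worth an alert.
- rule: Write below nginx web root
  desc: A process inside an nginx container wrote under /usr/share/nginx/html
  condition: >
    open_write and container
    and container.image.repository endswith "nginx"
    and fd.name startswith /usr/share/nginx/html
  output: >
    File written below nginx web root
    (user=%user.name command=%proc.cmdline file=%fd.name
    namespace=%k8s.ns.name pod=%k8s.pod.name image=%container.image.repository)
  priority: WARNING
  tags: [container, filesystem, nginx]

# 2) False-positive tuning: the default "Terminal shell in container" rule
#    (the one fired by the kubectl exec shell in the demo) ends with
#    "and not user_expected_terminal_shell_in_container_conditions", a hook
#    macro that is (never_true) by default. Redefining a macro with the same
#    name later in load order, without append: true, replaces it, so shells in
#    a dedicated debugging namespace stop alerting while shells anywhere else
#    still do. The namespace name is a placeholder.
- macro: user_expected_terminal_shell_in_container_conditions
  condition: (k8s.ns.name = "debug-sandbox")

# 3) Same idea for "Read sensitive file untrusted" (fired by the cat of a
#    sensitive file in the demo): keep alerting in general, but exempt one
#    known backup agent reading /etc/shadow. The process name is a placeholder.
- macro: user_read_sensitive_file_conditions
  condition: (proc.name = "backup-agent" and fd.name = /etc/shadow)
```

Keep such exemptions as narrow as possible (namespace plus process plus file) so the override does not silence the rule for everything.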
Thanks for reading! I hope you enjoyed the article!