falco-operator

command module
v0.0.0-...-8017ab7 Latest
Published: Jul 30, 2019 License: Apache-2.0 Imports: 2 Imported by: 0

README

falco-operator

falco-operator is a Kubernetes operator for Sysdig Falco.

To learn more about the original Sysdig Falco and its Helm chart, have a look at stable/falco.

Introduction

In simple words, falco-operator helps DevSecOps.

With it, you can delegate writing a bunch of application-specific container behavioral monitoring rules to your application developer.

As a cluster administrator, all you have to do is:

  • Deploy a falco-operator into your cluster by using the helm chart
  • Provide application developers with the RBAC roles and bindings that allow them to access falcorules within their own namespaces

After that, application developers can write a FalcoRule in their own namespaces:

apiVersion: "mumoshu.github.io/v1alpha1"
kind: "FalcoRule"
metadata:
  name: "bash"
  namespace: "default"
spec:
  rule: shell_in_container
  desc: notice shell activity within a container
  condition: container.id != host and proc.name = bash
  output: shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING

Then, falco-operator takes care of the rest. It:

  • Watches for FalcoRules and groups them by namespace
  • Creates one Falco rules file per namespace
  • Restarts falco running on each node in your cluster

How it works

If you are familiar with Falco rules files: the above FalcoRule is translated into a rules file like the following:

/var/falco-operator/rules/default.yaml:

- rule: shell_in_container
  desc: notice shell activity within a container
  condition: container.id != host and proc.name = bash
  output: shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING

falco-operator automatically clones /etc/falco/falco.yaml to /var/falco-operator/falco.yaml, adding the generated rules files to its rules: list, so that it looks like:

/var/falco-operator/falco.yaml:

rules:
- /var/falco-operator/rules/default.yaml

The operator points falco at that falco.yaml and (re)starts it, so that the generated configuration is taken into account:

/usr/bin/falco -c /var/falco-operator/falco.yaml
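The translation described in this section, carried through as an added example in Go (not the operator's own code): FalcoRule objects are grouped by namespace, each group is rendered to /var/falco-operator/rules/<namespace>.yaml, and the rules: list for the cloned falco.yaml is produced from the set of namespaces. The FalcoRule struct is an assumption modelled on the custom resource shown above, and the sample objects are constructed. Because the operator deliberately lets application developers author rule text, every developer-supplied field is emitted as a quoted YAML scalar, so a value containing a newline stays inside its own key instead of being parsed as additional YAML.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// FalcoRule mirrors the fields of the FalcoRule custom resource in the README
// (metadata.name/namespace plus spec.rule, desc, condition, output, priority).
// The struct is an assumption of this example, not the operator's API type.
type FalcoRule struct {
	Name      string
	Namespace string
	Rule      string
	Desc      string
	Condition string
	Output    string
	Priority  string
}

// rulesDir is the directory the README shows the generated files in.
const rulesDir = "/var/falco-operator/rules"

// yamlScalar renders a string as a double-quoted YAML scalar. Escaping
// backslashes, quotes and line breaks keeps a developer-supplied field
// confined to its key even if it contains a newline.
func yamlScalar(s string) string {
	r := strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`, "\r", `\r`, "\t", `\t`)
	return `"` + r.Replace(s) + `"`
}

// GroupByNamespace buckets every FalcoRule by metadata.namespace, which is
// the grouping the operator applies before writing one file per namespace.
func GroupByNamespace(all []FalcoRule) map[string][]FalcoRule {
	groups := map[string][]FalcoRule{}
	for _, r := range all {
		groups[r.Namespace] = append(groups[r.Namespace], r)
	}
	return groups
}

// RenderRulesFile turns the FalcoRules of one namespace into the contents of
// <rulesDir>/<namespace>.yaml. Rules are sorted by object name so repeated
// reconciliations produce byte-identical output.
func RenderRulesFile(rules []FalcoRule) string {
	sorted := append([]FalcoRule(nil), rules...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var b strings.Builder
	for _, r := range sorted {
		fmt.Fprintf(&b, "- rule: %s\n", yamlScalar(r.Rule))
		fmt.Fprintf(&b, "  desc: %s\n", yamlScalar(r.Desc))
		fmt.Fprintf(&b, "  condition: %s\n", yamlScalar(r.Condition))
		fmt.Fprintf(&b, "  output: %s\n", yamlScalar(r.Output))
		fmt.Fprintf(&b, "  priority: %s\n", yamlScalar(r.Priority))
	}
	return b.String()
}

// RenderFalcoConfig produces the rules: section that the operator adds to its
// cloned /var/falco-operator/falco.yaml: one generated file per namespace.
func RenderFalcoConfig(groups map[string][]FalcoRule) string {
	namespaces := make([]string, 0, len(groups))
	for ns := range groups {
		namespaces = append(namespaces, ns)
	}
	sort.Strings(namespaces)
	var b strings.Builder
	b.WriteString("rules:\n")
	for _, ns := range namespaces {
		fmt.Fprintf(&b, "- %s/%s.yaml\n", rulesDir, ns)
	}
	return b.String()
}

func main() {
	// Constructed sample input: the README's bash rule in "default" plus a
	// rule in another namespace whose desc spans two lines.
	rules := []FalcoRule{
		{Name: "bash", Namespace: "default", Rule: "shell_in_container",
			Desc:      "notice shell activity within a container",
			Condition: "container.id != host and proc.name = bash",
			Output:    "shell in a container (user=%user.name container_id=%container.id)",
			Priority:  "WARNING"},
		{Name: "multiline", Namespace: "team-a", Rule: "example_rule",
			Desc: "first line\nsecond line", Condition: "container.id != host",
			Output: "example (container_id=%container.id)", Priority: "INFO"},
	}
	groups := GroupByNamespace(rules)
	for ns, rs := range groups {
		fmt.Printf("# %s/%s.yaml\n%s\n", rulesDir, ns, RenderRulesFile(rs))
	}
	fmt.Print(RenderFalcoConfig(groups))
}
```

Running it prints one rules file per namespace followed by the rules: list; the two-line desc appears as a single quoted scalar containing `\n`, so the file still holds exactly one rule for that namespace.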

Getting Started

helm tiller run -- \
  helm upgrade --install fo1 charts/falco-operator \
  --recreate-pods \
  --values charts/falco-operator/values.yaml \
  --namespace kube-system

$ kubectl create -f examples/bash.falcorule.yaml

Verify that falco-operator triggers an alert for the rule created from the custom resource:

$ kubectl run --image redis --restart Never myredis

$ kubectl exec -it myredis bash
$ ks logs fo1-falco-operator-falco-v97rc
/var/falco-operator/rules/test1: test1
/var/falco-operator/rules: rules

Watching 2 files
ignoring dir of /var/falco-operator/rules/..2018_10_04_14_02_09.952277388/test1
ignoring /var/falco-operator/rules/..data
/var/falco-operator/rules/test1 has been updated
starting app...
[dancer-crack] 2018/10/04 14:02:10 Started with PID 10
[dancer-crack] 2018/10/04 14:02:10 out: * Setting up /usr/src links from host
[dancer-crack] 2018/10/04 14:02:10 out: ls: cannot access '/host/usr/src': No such file or directory
[dancer-crack] 2018/10/04 14:02:10 out: * Mounting debugfs
[dancer-crack] 2018/10/04 14:02:10 out: Found kernel config at /proc/config.gz
[dancer-crack] 2018/10/04 14:02:10 out: * Minikube detected (v0.28.1), downloading and setting up kernel headers
[dancer-crack] 2018/10/04 14:02:10 out: * Downloading http://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/linux-4.15.tar.gz

Documentation


There is no documentation for this package.

Directories

Path                     Synopsis
cmd
pkg
apis/mumoshu/v1alpha1    +k8s:deepcopy-gen=package +groupName=mumoshu.github.io
