falco-operator is a Kubernetes operator for Sysdig Falco.
To learn more about the original Sysdig Falco and its Helm chart, have a look at stable/falco.
In simple words, falco-operator helps DevSecOps.
With it, you can delegate writing the set of application-specific container behavioral monitoring rules to your application developers.
As a cluster administrator, all you have to do is:
- Deploy `falco-operator` into your cluster by using the `helm` chart
- Provide application developers the correct RBAC roles and bindings to allow access to `falcorules` within their namespaces

Note that Falco evaluates every loaded rule against every event on the node; the per-namespace grouping only organizes the files. A FalcoRule's condition is not scoped to its author's namespace unless it filters on a field such as `k8s.ns.name`, so the RBAC grant above effectively lets a developer define alerts about any workload sharing the node.

After that, application developers can write a FalcoRule in their own namespaces:
```yaml
apiVersion: "mumoshu.github.io/v1alpha1"
kind: "FalcoRule"
metadata:
  name: "bash"
  namespace: "default"
spec:
  rule: shell_in_container
  desc: notice shell activity within a container
  condition: container.id != host and proc.name = bash
  output: shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
```

Then, falco-operator takes care of the rest. It:
- Watches for `FalcoRule`s, grouping them by namespace
- Creates a Falco rules file per namespace
- Restarts `falco` running on each node in your cluster
If you are familiar with Falco rules files, the above FalcoRule is translated to a rules file like:

`/var/falco-operator/rules/default.yaml`:

```yaml
- rule: shell_in_container
  desc: notice shell activity within a container
  condition: container.id != host and proc.name = bash
  output: shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
```

falco-operator automatically clones /etc/falco/falco.yaml to /var/falco-operator/falco.yaml, adding the generated rules files to the `rules:` list (in upstream Falco's own falco.yaml this list is named `rules_file`), so that it looks like:

`/var/falco-operator/falco.yaml`:

```yaml
rules:
  - /var/falco-operator/rules/default.yaml
```

The operator points falco at this falco.yaml and (re)starts it, so that the generated configuration is taken into account:
```sh
/usr/bin/falco -c /var/falco-operator/falco.yaml
```

To deploy the operator from this repository with the Helm chart (`helm tiller run` comes from the helm-tiller plugin, which runs Tiller locally instead of in the cluster):

```sh
helm tiller run -- \
  helm upgrade --install fo1 charts/falco-operator \
  --recreate-pods \
  --values charts/falco-operator/values.yaml \
  --namespace kube-system
```

Create the example FalcoRule:

```sh
$ kubectl create -f examples/bash.falcorule.yaml
```

Verify that falco-operator triggers an alert for the rule created from the custom resource, by starting a pod and opening a shell in it:

```sh
$ kubectl run --image redis --restart Never myredis
$ kubectl exec -it myredis bash
```

Then read the logs of the falco pod (`ks` is a shell alias used here, not a standard command; the pod name suffix will differ in your cluster):

```
$ ks logs fo1-falco-operator-falco-v97rc
/var/falco-operator/rules/test1: test1
/var/falco-operator/rules: rules
Watching 2 files
ignoring dir of /var/falco-operator/rules/..2018_10_04_14_02_09.952277388/test1
ignoring /var/falco-operator/rules/..data
/var/falco-operator/rules/test1 has been updated
starting app...
[dancer-crack] 2018/10/04 14:02:10 Started with PID 10
[dancer-crack] 2018/10/04 14:02:10 out: * Setting up /usr/src links from host
[dancer-crack] 2018/10/04 14:02:10 out: ls: cannot access '/host/usr/src': No such file or directory
[dancer-crack] 2018/10/04 14:02:10 out: * Mounting debugfs
[dancer-crack] 2018/10/04 14:02:10 out: Found kernel config at /proc/config.gz
[dancer-crack] 2018/10/04 14:02:10 out: * Minikube detected (v0.28.1), downloading and setting up kernel headers
[dancer-crack] 2018/10/04 14:02:10 out: * Downloading http://mirrors.edge.kernel.org/tree/pub/linux/kernel/v4.x/linux-4.15.tar.gz
```

The excerpt ends while the falco container is still setting up kernel headers on Minikube, so the `shell_in_container` alert is not yet visible in it; look for it in the same log once falco has started.
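The translation described above (FalcoRule objects grouped by namespace into one rules file each, and the cloned falco.yaml with those files added to its rules list), as an added Go example that is not the operator's own code. The type and function names (`FalcoRule`, `RenderRulesFiles`, `RenderFalcoConfig`, `YAMLScalar`), the second sample rule in a `payments` namespace and the falco.yaml excerpt are all constructed for the example. It uses `rules_file` as the list key because that is what upstream Falco reads, and takes the key as a parameter so the README's `rules` spelling works too. It also covers one case the README does not spell out: a stale per-namespace file still listed from an earlier reconciliation is dropped, while entries the base config already had (such as the default rules) are kept.

```go
package main

// Added example, not falco-operator's own code; type, function and sample names are constructed.
import (
	"fmt"
	"sort"
	"strings"
)

// FalcoRule mirrors the custom resource: metadata.name/namespace plus spec.
type FalcoRule struct {
	Name, Namespace string
	Spec            FalcoRuleSpec
}
type FalcoRuleSpec struct{ Rule, Desc, Condition, Output, Priority string }

// Characters that make a YAML plain scalar ambiguous when they start the value.
const yamlSpecialStart = "-?:,[]{}#&*!|>'\"%@` "

// YAMLScalar emits s plain when unambiguous, else double-quoted. It does not guard
// against YAML type coercion (yes, 123); a real controller would use a YAML library.
func YAMLScalar(s string) string {
	plain := s != "" && strings.IndexByte(yamlSpecialStart, s[0]) < 0 && !strings.ContainsAny(s, "\"'\n\t") &&
		!strings.Contains(s, ": ") && !strings.Contains(s, " #") && !strings.HasSuffix(s, ":") && !strings.HasSuffix(s, " ")
	if plain {
		return s
	}
	return `"` + strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`, "\t", `\t`).Replace(s) + `"`
}

// RenderRulesFiles groups rules by namespace into <rulesDir>/<ns>.yaml, ordered by
// object name so the output is stable across reconciliations.
func RenderRulesFiles(rules []FalcoRule, rulesDir string) map[string]string {
	byNS := map[string][]FalcoRule{}
	for _, r := range rules {
		byNS[r.Namespace] = append(byNS[r.Namespace], r)
	}
	files := make(map[string]string, len(byNS))
	for ns, rs := range byNS {
		sort.Slice(rs, func(i, j int) bool { return rs[i].Name < rs[j].Name })
		var b strings.Builder
		for _, r := range rs {
			fmt.Fprintf(&b, "- rule: %s\n  desc: %s\n  condition: %s\n  output: %s\n  priority: %s\n",
				YAMLScalar(r.Spec.Rule), YAMLScalar(r.Spec.Desc), YAMLScalar(r.Spec.Condition),
				YAMLScalar(r.Spec.Output), YAMLScalar(r.Spec.Priority))
		}
		files[rulesDir+"/"+ns+".yaml"] = b.String()
	}
	return files
}

// RenderFalcoConfig appends the generated files to the block-style list under rulesKey in
// base (the cloned falco.yaml). Base entries are kept except stale ones under rulesDir, so
// a namespace whose last FalcoRule was deleted drops out. Line-based on purpose; a real
// controller should round-trip the file through a YAML library.
func RenderFalcoConfig(base, rulesKey, rulesDir string, generated []string) string {
	var kept []string
	var out strings.Builder
	inList := false
	for _, line := range strings.Split(strings.TrimRight(base, "\n"), "\n") {
		if strings.HasPrefix(line, rulesKey+":") {
			inList = true // drop the old list; it is rewritten below
			continue
		}
		if t := strings.TrimSpace(line); inList && strings.HasPrefix(t, "- ") {
			if e := strings.Trim(strings.TrimSpace(t[2:]), `"'`); !strings.HasPrefix(e, rulesDir+"/") {
				kept = append(kept, e)
			}
			continue
		}
		inList = false
		out.WriteString(line + "\n")
	}
	entries := append(kept, generated...)
	sort.Strings(entries[len(kept):]) // keep the base's order, sort only the generated tail
	fmt.Fprintf(&out, "%s:\n", rulesKey)
	for _, e := range entries {
		fmt.Fprintf(&out, "  - %s\n", YAMLScalar(e))
	}
	return out.String()
}

// Constructed sample input: the README's FalcoRule, a second one in another namespace, and
// a hypothetical falco.yaml excerpt that still lists a stale generated file.
var SampleRules = []FalcoRule{
	{"bash", "default", FalcoRuleSpec{"shell_in_container", "notice shell activity within a container",
		"container.id != host and proc.name = bash",
		"shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)", "WARNING"}},
	{"nc", "payments", FalcoRuleSpec{"netcat_in_payments", "netcat launched inside a payments pod",
		"container.id != host and proc.name = nc", "netcat in container (container_name=%container.name cmdline=%proc.cmdline)", "WARNING"}},
}
const BaseFalcoYAML = "rules_file:\n  - /etc/falco/falco_rules.yaml\n  - /var/falco-operator/rules/stale.yaml\njson_output: false\n"

func main() {
	files := RenderRulesFiles(SampleRules, "/var/falco-operator/rules")
	var paths []string
	for p, content := range files {
		paths = append(paths, p)
		fmt.Printf("%s:\n%s\n", p, content)
	}
	fmt.Print("/var/falco-operator/falco.yaml:\n", RenderFalcoConfig(BaseFalcoYAML, "rules_file", "/var/falco-operator/rules", paths))
}
```

Running it prints `default.yaml`, `payments.yaml` and the rewritten falco.yaml, in which `/etc/falco/falco_rules.yaml` survives, `stale.yaml` is gone, and the two generated files are listed in sorted order. Ordering by object name and sorting the generated paths is what keeps the files byte-identical between reconciliations, so a change in file content really means a rule changed and a restart of falco is warranted.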