What is a Kubernetes runtime security tool?
Kubernetes runtime security tools are software solutions designed to monitor, analyze, and protect containerized applications and their associated infrastructure at runtime within a Kubernetes environment. Kubernetes, an open-source container orchestration platform, allows for the deployment, scaling, and management of containerized applications. However, ensuring the security of these applications and the overall Kubernetes infrastructure during runtime is crucial to prevent unauthorized access, detect suspicious activities, and respond to potential security threats.
Popular Kubernetes runtime security tools include Falco, Sysdig Secure, Aqua Security, Twistlock (now part of Palo Alto Networks), and NeuVector, among others. These tools help organizations enhance the security posture of their Kubernetes deployments by providing visibility into the runtime environment and enabling proactive security measures to protect against potential threats and vulnerabilities.
Falco is an open-source cloud-native runtime security project designed to provide real-time intrusion detection and alerting for containerized applications and cloud-native environments. Initially incubated within the CNCF (Cloud Native Computing Foundation), Falco is now a CNCF graduated project, reflecting its maturity and widespread adoption. The tool is tailored for environments that use technologies such as Kubernetes, containers, and microservices, addressing the need for security in highly dynamic and complex infrastructures. It leverages the Linux kernel and eBPF (extended Berkeley Packet Filter) to inspect system calls and events at the kernel level, enabling it to detect and alert on suspicious activities and potential security threats.
Falco utilizes a set of rules and filters that define what is considered anomalous behaviour within the system. These rules are highly customizable, allowing organizations to tailor them to their specific use cases and security requirements. The alerts generated by Falco can be directed to various outputs, including standard logs, security information and event management (SIEM) systems, or other monitoring tools, facilitating integration into existing security ecosystems.
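As an added example (not from the original post), here is a small custom rules file in Falco's rule syntax showing the three building blocks a rules file is made of: a list, macros and a rule, plus an exception that tunes the rule without editing its condition. The namespace name, the allowed debug image and the custom_ macro names are assumptions; Falco's default ruleset already ships spawned_process and container macros with the same meaning, so the example uses its own names rather than redefining them.

```yaml
# Added example, not part of the original post: a custom Falco rules file.
# Load it through the falco chart's customRules value or with falco -r <file>.

# A list is a named set of values that conditions can reference.
- list: custom_shell_binaries
  items: [bash, sh, zsh, dash, ash]

# A macro is a reusable condition fragment. The default ruleset ships
# spawned_process and container macros with the same meaning; these carry
# custom_ names so they do not redefine the shipped ones.
- macro: custom_spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

- macro: custom_in_container
  condition: container.id != host

# The rule: a shell binary executed inside a container of a namespace we
# treat as sensitive ("payments" is an assumed namespace name).
- rule: Shell spawned in sensitive namespace
  desc: A shell binary was executed inside a container in the payments namespace
  condition: >
    custom_spawned_process and custom_in_container
    and k8s.ns.name = "payments"
    and proc.name in (custom_shell_binaries)
  # %field placeholders are expanded into the alert text
  output: >
    Shell in sensitive namespace
    (user=%user.name command=%proc.cmdline container=%container.name
    pod=%k8s.pod.name ns=%k8s.ns.name image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, custom]
  # Exceptions suppress matching events without touching the condition:
  # here a sanctioned debug image (constructed name) is allowed a shell.
  exceptions:
    - name: allowed_debug_image
      fields: [container.image.repository]
      comps: [=]
      values:
        - ["registry.example.com/ops/debug-shell"]
```

Falco priorities from highest to lowest are emergency, alert, critical, error, warning, notice, informational and debug; a WARNING rule like this one will reach outputs such as logs or Elasticsearch, but not an output configured with a minimum priority of critical.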
One of Falco’s key strengths lies in its ability to provide deep insights into the runtime behaviour of applications and their interactions with the underlying system. It can detect a wide range of security incidents, from privilege escalations and unauthorized access attempts to file and network activities that could be indicative of a compromise. This visibility into runtime activity enhances incident response capabilities, enabling faster detection and remediation of security incidents.
Moreover, the open-source nature of Falco encourages community contributions, fostering a collaborative environment for improving and expanding its capabilities. The community actively develops new rules, integrations, and plugins to enhance Falco’s functionality and compatibility with evolving technologies. Furthermore, Falco has gained traction in the DevSecOps landscape, promoting the integration of security into the development and deployment pipelines, and ultimately enhancing the overall security posture of cloud-native applications and environments.
Installing Falco
Falco can be installed in Kubernetes in several ways; here we use the simplest, the official Helm chart.
Before installing Falco, I recommend installing Elasticsearch so that Falco's event logs can be pushed there for better visualization.
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

helm install falco falcosecurity/falco \
  --set driver.kind=ebpf \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set collectors.containerd.enabled=true \
  --set collectors.containerd.socket=/run/k3s/containerd/containerd.sock \
  --set falcosidekick.config.googlechat.webhookurl="<google_chat_webhook_url>" \
  --set falcosidekick.config.googlechat.outputformat="all" \
  --set falcosidekick.config.googlechat.minimumpriority="critical" \
  --set falcosidekick.config.elasticsearch.hostport="<elasticsearch_host_port>" \
  --set falcosidekick.config.elasticsearch.username="<elasticsearch_username>" \
  --set falcosidekick.config.elasticsearch.password="<elasticsearch_password>" \
  --set falcosidekick.config.elasticsearch.checkcert=false \
  --namespace falco \
  --create-namespace

--set driver.kind=ebpf:
Sets the Falco driver kind to "ebpf", so the eBPF (extended Berkeley Packet Filter) probe, rather than the kernel module, is used as the kernel-level instrumentation for capturing system calls and events.
--set falcosidekick.enabled=true:
Enables Falcosidekick, a companion service that forwards Falco alerts to a wide range of output integrations, including messaging services and storage systems.
--set falcosidekick.webui.enabled=true:
Enables the Falcosidekick web UI, which lets you view and manage Falco alerts through a graphical interface.
--set collectors.containerd.enabled=true:
Enables the containerd collector, so Falco can enrich and analyze events related to containers managed by containerd.
--set collectors.containerd.socket=/run/k3s/containerd/containerd.sock:
Specifies the Unix domain socket path the containerd collector uses to talk to the containerd runtime (this path is the one used by k3s).
--set falcosidekick.config.googlechat.webhookurl="...":
Sets the Google Chat webhook URL to which Falcosidekick posts alerts, so that alerts land in the specified Google Chat room or channel.
--set falcosidekick.config.googlechat.outputformat="all":
Specifies the output format for Google Chat messages; "all" includes every available field in the alert.
--set falcosidekick.config.googlechat.minimumpriority="critical":
Sets the minimum priority an alert must have to be sent to Google Chat; only alerts at "critical" or a higher priority (alert, emergency) are forwarded.
--set falcosidekick.config.elasticsearch.hostport="...":
Sets the Elasticsearch host and port to which Falcosidekick pushes alerts.
--set falcosidekick.config.elasticsearch.username="...":
Specifies the Elasticsearch username used to authenticate when sending alerts.
--set falcosidekick.config.elasticsearch.password="...":
Specifies the Elasticsearch password used to authenticate when sending alerts.
--set falcosidekick.config.elasticsearch.checkcert=false:
Disables certificate validation for the Elasticsearch connection, so Falcosidekick connects even when the instance's certificate cannot be verified. This is convenient with self-signed certificates but removes protection against a spoofed Elasticsearch endpoint; outside test setups, trust the issuing CA and leave validation on.
--namespace falco:
Specifies the Kubernetes namespace "falco" in which the Falco deployment and related resources will be created.
--create-namespace:
Instructs Helm to create the "falco" namespace if it does not already exist.
These --set values customize the Falco deployment, enabling specific features and integrations, and configuring Falcosidekick for additional alerting capabilities. Adjusting these values allows tailoring Falco to specific use cases and integration requirements.
The full list of configuration values can be found at
https://github.com/falcosecurity/charts/tree/master/falcosidekick
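As an added example (not the post's own file), the same configuration expressed as a values.yaml for the falcosecurity/falco chart: every "--set a.b.c=v" becomes the YAML path a: b: c: v, which is easier to review and version than a long command line. The placeholder values are the post's; the webui.user key is an assumption to be checked against the falcosidekick chart's values.yaml, and the elasticsearch.checkcert setting is shown in its hardened form.

```yaml
# Added example, not the post's own file: values.yaml equivalent to the
# --set flags above. Install with:
#   helm upgrade --install falco falcosecurity/falco \
#     --namespace falco --create-namespace -f values.yaml -f secrets.yaml
driver:
  kind: ebpf            # eBPF probe instead of the kernel module

collectors:
  containerd:
    enabled: true
    # k3s socket path as in the post; stock containerd listens on
    # /run/containerd/containerd.sock
    socket: /run/k3s/containerd/containerd.sock

# Custom rule files go here, keyed by file name (chart value customRules).
customRules: {}

falcosidekick:
  enabled: true
  webui:
    enabled: true
    # The UI ships with default credentials; override them. Assumed key name,
    # verify against the falcosidekick chart's values.yaml.
    user: "admin:<strong-ui-password>"
  config:
    googlechat:
      webhookurl: "<google_chat_webhook_url>"   # secret: keep in secrets.yaml
      outputformat: "all"
      # Falco priorities, highest first: emergency, alert, critical, error,
      # warning, notice, informational, debug. Only critical and above go to chat.
      minimumpriority: "critical"
    elasticsearch:
      hostport: "<elasticsearch_host_port>"
      username: "<elasticsearch_username>"      # secret: keep in secrets.yaml
      password: "<elasticsearch_password>"      # secret: keep in secrets.yaml
      # The post sets checkcert=false. Keep validation on once Elasticsearch
      # presents a certificate the Falcosidekick pod trusts; disabling it lets
      # anyone on the network path impersonate the log store.
      checkcert: true
```

Keeping the credential and webhook keys in a second file (secrets.yaml, excluded from version control and passed with a second -f) means the committed values.yaml contains no secrets; Helm merges the files in order, later files overriding earlier ones.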
Creating a Virtual Service for Falco Dashboard
To reach the Falco dashboard from outside the cluster, we'll create a Kubernetes Ingress (referred to here as a Virtual Service) that routes traffic to the Falco UI service.
First, create a YAML file (e.g., falco-dashboard-virtual-service.yaml) and add the following content:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: falco-dashboard-ingress
  namespace: falco
spec:
  rules:
    - host: falco-dashboard.your-domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # Service name and port of the Falcosidekick web UI as exposed by
                # the chart in the falco namespace; confirm with kubectl get svc -n falco
                name: falco
                port:
                  number: 2801

Now you can access the Falco dashboard by navigating to http://falco-dashboard.your-domain.com. This Ingress routes traffic directly to the Falco UI service on port 2801, keeping the setup simple. Explore further integration options and tailor the dashboard to your organization's specific requirements.
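The manifest above serves the dashboard over plain HTTP. As an added example (not the post's manifest), the same Ingress with TLS termination and an explicit ingress class, so the UI and its login are only reachable over HTTPS. The ingress class, the TLS secret name, the cert-manager issuer and the host name are placeholders; the backend service name and port are kept as in the post.

```yaml
# Added example, not the post's manifest: the dashboard Ingress with TLS.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: falco-dashboard-ingress
  namespace: falco
  annotations:
    # ingress-nginx specific: send plain-HTTP requests to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # optional, if cert-manager is installed: issuer name is a placeholder
    cert-manager.io/cluster-issuer: "<cluster-issuer-name>"
spec:
  ingressClassName: nginx          # placeholder: the class your controller registers
  tls:
    - hosts:
        - falco-dashboard.your-domain.com
      # kubernetes.io/tls Secret holding the certificate and key; created by
      # cert-manager when the annotation above is used, otherwise by hand
      secretName: falco-dashboard-tls
  rules:
    - host: falco-dashboard.your-domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: falco        # confirm with kubectl get svc -n falco
                port:
                  number: 2801
```

With this in place the dashboard is reached at https://falco-dashboard.your-domain.com, and the Falcosidekick UI credentials are no longer sent in clear text across the network.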
Worried about security in your dynamic Kubernetes environment? Don't let those anxieties hold you back! Explore Falco, the open-source runtime security tool for real-time intrusion detection. This DevOps-focused guide empowers you to safeguard containerized applications and infrastructure, boosting your security posture. Gain peace of mind and let Falco watch over your Kubernetes world!