How To Set Up Runtime Container Security Monitoring with Falco Using Helm and Kubernetes
I wrote this to complete the Kubernetes Challenge from DigitalOcean. I executed the commands from Windows 11, so they use PowerShell syntax (backtick line continuations, Select-String).
Step 1 — Create a Kubernetes Cluster
First, create a Kubernetes cluster:
doctl k8s cluster create k8s-falco `
--auto-upgrade=false `
--node-pool "name=k8s-falco;size=s-4vcpu-8gb-amd;count=3;tag=k8s-falco;label=type=basic;auto-scale=true;min-nodes=2;max-nodes=4" `
--region sgp1
This is the output:
Next, set the kubectl context to point to my cluster:
doctl kubernetes cluster kubeconfig save k8s-falco
The output looks similar to this:
Test connection to my cluster:
kubectl get namespaces
This is the output:
Step 2 — Set Up Falco with Helm
The Helm chart I need is at https://github.com/falcosecurity/charts, so I clone that repository and change directory to charts/falco.
Fetch missing dependencies:
helm dependency build
The output:
Install Falco with helm:
helm install falco .
The output should look similar to this:
Check the result:
kubectl get pods
The output:
Verify the log:
kubectl logs -f falco-w8gnh
The output:
The output is too verbose, so I reduce it by raising the minimum rule priority that Falco reports to error. Edit charts/falco/values.yaml and change priority: debug to priority: error.
Upgrade Falco:
helm upgrade falco .
The output:
Check the result:
kubectl get pods
The output:
Verify the log:
kubectl logs -f falco-76pc5
The output is now much more manageable:
Step 3 — Install Applications for Testing Falco
Prepare the following yaml:
Run the following command to execute all yaml files above:
kubectl create namespace ping
kubectl create -f mysql-deployment.yaml --namespace=ping
kubectl create -f mysql-service.yaml --namespace=ping
kubectl create -f ping-deployment.yaml --namespace=ping
kubectl create -f ping-service.yaml --namespace=ping
kubectl create -f client-deployment.yaml --namespace=ping
The output:
Make sure the pods are ready:
kubectl get pods -n ping
The output:
Step 4 — Hack the Web Application
Add a few custom rules to Falco by editing the file charts/falco/rules/falco_rules.local.yaml:
Upgrade Falco:
helm upgrade falco .
The output:
Verify the pods:
kubectl get pods
The output:
Verify that the new rules were applied by opening a shell in the Falco pod:
kubectl exec -it falco-8t2dh -- /bin/bash
The output:
Run cat on /etc/falco/falco_rules.local.yaml and verify that the new custom rules are there.
Next, execute arbitrary commands through the web application:
kubectl exec client -n ping -- curl -F "s=OK" -F "user=bad" -F "passwd=wrongpasswd' OR 'a'='a" --form-string "ipaddr=localhost; cat /var/www/html/ping.php" -X POST http://ping/ping.php
The output:
Check error in Falco:
kubectl logs -f --selector app=falco | Select-String "Error"
The Output:
So I have verified that my Falco installation works.
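For reference, here is what custom rules for Step 4 can look like. This is an added example written for this page, not the rules from the original post or the Falco project's own rules. It assumes the vulnerable app runs in the "ping" namespace (as above), that Falco resolves k8s.ns.name from the container runtime labels, and that the web server process names listed are the ones in the ping image. Because values.yaml now sets priority: error, any rule below ERROR is never emitted, so both rules are at ERROR to show up in the Select-String "Error" check.

```yaml
# Added example rules for charts/falco/rules/falco_rules.local.yaml.
# Assumption: the target app lives in the "ping" namespace and the
# only legitimate processes touching /var/www/html are the web server.

- rule: Shell Spawned in Ping Namespace Container
  desc: >
    A shell started inside a container in the "ping" namespace. The ping
    web app should only run its web server, so a shell here indicates
    command injection (or an operator exec'ing into the pod).
  condition: >
    spawned_process and container
    and k8s.ns.name = "ping"
    and proc.name in (shell_binaries)
  output: >
    Shell spawned in ping container
    (user=%user.name shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline pod=%k8s.pod.name container=%container.name)
  # Must be ERROR or higher: values.yaml sets priority: error, which
  # drops every rule below that level.
  priority: ERROR
  tags: [container, shell, ping]

- rule: Web App Source Read in Ping Namespace
  desc: >
    A process other than the web server read a file under /var/www/html
    in the "ping" namespace, e.g. "cat /var/www/html/ping.php" injected
    through the ipaddr form field.
  condition: >
    open_read and container
    and k8s.ns.name = "ping"
    and fd.name startswith /var/www/html
    and not proc.name in (apache2, httpd, php, php-fpm, nginx)
  output: >
    Web app file read by non-web-server process
    (user=%user.name proc=%proc.name parent=%proc.pname file=%fd.name
    cmdline=%proc.cmdline pod=%k8s.pod.name container=%container.name)
  priority: ERROR
  tags: [container, filesystem, ping]
```

The process list in the second rule is the assumption most likely to need tuning; check with kubectl exec which server binary the ping image actually runs and adjust it so normal page loads stay quiet.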