How To Set Up Runtime Container Security Monitoring with Falco Using Helm and Kubernetes

Muhammad Azmi Farih
Dec 8, 2021

I wrote this to complete the Kubernetes challenge from DigitalOcean. I executed the commands from Windows 11 (PowerShell, hence the backtick line continuations).

Step 1 — Creating Kubernetes Cluster

First, create a Kubernetes cluster:

doctl k8s cluster create k8s-falco `
--auto-upgrade=false `
--node-pool "name=k8s-falco;size=s-4vcpu-8gb-amd;count=3;tag=k8s-falco;label=type=basic;auto-scale=true;min-nodes=2;max-nodes=4" `
--region sgp1

This is the output:

Next, set the kubectl context to point to my cluster:

doctl kubernetes cluster kubeconfig save k8s-falco

The output looks similar to this:

Test the connection to my cluster:

kubectl get namespaces

This is the output:

Step 2 — Set Up Falco with Helm

The Helm chart I need is in the falcosecurity/charts repository. Clone it from https://github.com/falcosecurity/charts

Change directory to charts/falco.

Fetch missing dependencies:

helm dependency build

The output:

Install Falco with Helm:

helm install falco .

The output should look similar to this:

Check the result:

kubectl get pods

The output:

Verify the log:

kubectl logs -f falco-w8gnh

The output:

The output is too verbose, so I reduce it by raising the log priority threshold to error:

Edit charts/falco/values.yaml and change priority: debug to priority: error

Upgrade Falco:

helm upgrade falco .

The output:

Check the result:

kubectl get pods

The output:

Verify the log:

kubectl logs -f falco-76pc5

The output is now much less noisy:

Step 3 — Install Applications for Testing Falco

Prepare the following YAML files:

Run the following commands to apply all of the YAML files above:

kubectl create namespace ping
kubectl create -f mysql-deployment.yaml --namespace=ping
kubectl create -f mysql-service.yaml --namespace=ping
kubectl create -f ping-deployment.yaml --namespace=ping
kubectl create -f ping-service.yaml --namespace=ping
kubectl create -f client-deployment.yaml --namespace=ping

The output:

Make sure the pods are ready:

kubectl get pods -n ping

The output:

Step 4 — Hack the Web Application

Add a few custom rules to Falco by editing charts/falco/rules/falco_rules.local.yaml:

Upgrade Falco:

helm upgrade falco .

The output:

Verify the pods:

kubectl get pods

The output:

Verify that the new configuration has been applied by opening a shell in a Falco pod:

kubectl exec -it falco-8t2dh -- /bin/bash

The output:

Inside the pod, run cat /etc/falco/falco_rules.local.yaml and verify that the new custom rules are present.
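As an added example of the kind of rule that belongs in charts/falco/rules/falco_rules.local.yaml (my own, not the post's rules, which are not shown), this one fires when a web server process spawns a shell or cat, which is what the Step 4 request looks like from the kernel, and it carries priority ERROR so the Step 2 threshold does not drop it. It assumes the ping application runs PHP under apache2 and that the default falco_rules.yaml, which defines the spawned_process and container macros, is loaded before this file.

```yaml
# Added example rule for falco_rules.local.yaml (not from the original post).
# Assumptions: the "ping" pod runs PHP under apache2, and the default
# falco_rules.yaml (defining spawned_process and container) loads first.
- list: web_server_binaries
  items: [apache2, httpd, nginx, php, php-fpm, php-cgi]

- list: shell_or_reader_binaries
  items: [sh, bash, dash, cat]

- macro: spawned_by_web_server
  condition: (proc.pname in (web_server_binaries))

- rule: Web server spawned shell or file reader in container
  desc: >
    A web server process started a shell or a file reader inside a container.
    A command-injection payload such as "localhost; cat ..." shows up here
    because the PHP interpreter forks "sh -c" to run it.
  condition: >
    spawned_process and container
    and spawned_by_web_server
    and proc.name in (shell_or_reader_binaries)
  output: >
    Web server spawned shell or file reader in container
    (user=%user.name parent=%proc.pname command=%proc.cmdline
    container=%container.name image=%container.image.repository
    namespace=%k8s.ns.name pod=%k8s.pod.name)
  # ERROR (or higher) is required: Step 2 set priority: error in values.yaml,
  # so WARNING/NOTICE rules would be filtered out of the log.
  priority: ERROR
  tags: [container, shell, web]
```

After helm upgrade falco ., the Step 4 request produces one alert for the sh spawned by apache2; benign page loads produce nothing because no shell is forked.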

Continue by sending the test request that executes arbitrary commands:

kubectl exec client -n ping -- curl -F "s=OK" -F "user=bad" -F "passwd=wrongpasswd' OR 'a'='a" --form-string "ipaddr=localhost; cat /var/www/html/ping.php" -X POST http://ping/ping.php

The output:

Check for errors in Falco:

kubectl logs -f --selector app=falco | Select-String "Error"

The Output:

So, my Falco installation is confirmed to be working.


Muhammad Azmi Farih

Linux Engineer — Sharing experiences configuring, fixing servers — Docker, Kubernetes, Ubuntu, CentOS