Black lives matter.
We stand in solidarity with the Black community.
Racism is unacceptable.
It conflicts with the core values of the Kubernetes project and our community does not tolerate it.
We stand in solidarity with the Black community.
Racism is unacceptable.
It conflicts with the core values of the Kubernetes project and our community does not tolerate it.
Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms. This section describes how to set up Falco, how to send audit events to the Kubernetes Audit endpoint exposed by Falco, and how Falco applies a set of rules to automatically detect suspicious behavior.
Install Falco by using one of the following methods:
Once Falco is installed make sure it is configured to expose the Audit webhook. To do so, use the following configuration:
webserver:
enabled: true
listen_port: 8765
k8s_audit_endpoint: /k8s_audit
ssl_enabled: false
ssl_certificate: /etc/falco/falco.pem
This configuration is typically found in the /etc/falco/falco.yaml
file. If Falco is installed as a Kubernetes DaemonSet, edit the falco-config
ConfigMap and add this configuration.
Create a kubeconfig file for the kube-apiserver webhook audit backend.
cat <<EOF > /etc/kubernetes/audit-webhook-kubeconfig
apiVersion: v1
kind: Config
clusters:
- cluster:
server: http://<ip_of_falco>:8765/k8s_audit
name: falco
contexts:
- context:
cluster: falco
user: ""
name: default-context
current-context: default-context
preferences: {}
users: []
EOF
Start kube-apiserver with the following options:
--audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-webhook-config-file=/etc/kubernetes/audit-webhook-kubeconfig
Rules devoted to Kubernetes Audit Events can be found in k8s_audit_rules.yaml. If Audit Rules is installed as a native package or using the official Docker images, Falco copies the rules file to /etc/falco/
, so they are available for use.
There are three classes of rules.
The first class of rules looks for suspicious or exceptional activities, such as:
A second class of rules tracks resources being created or destroyed, including:
The final class of rules simply displays any Audit Event received by Falco. This rule is disabled by default, as it can be quite noisy.
For further details, see Kubernetes Audit Events in the Falco documentation.