Deploying Falco to Kubernetes

A secure Kubernetes deployment benefits from Kubernetes specific security tools. One high quality open source tool is Falco. Falco is an intrusion detection system that reports suspicious Kubernetes events that a security admin might want to know about. This is an IDS, so it can be chatty. I found that it will report lots of less than useful system call event drops. You can easily opt to log and not notify you about these events, which is what I am choosing to do for now.

Here is a quick guide to deploying Falco on Kubernetes

This app will run as a daemon set and require about 1 GB of memory per node.

I am assuming you already have a functional Kubernetes cluster with Helm.

Step 1: Create an AWS SNS topic and setup an email to send events to

Step 2: Create a specific IAM account to publish to this topic

Step 3: Deploy Falco with Helm. Most popular installations e.g. KOPS or Kubespray on EC2-Linux or Ubuntu will automatically install without issues. Some less popular installations might require you to install a kernel module.

Be sure to replace FULL_ARN_FOR_CLOUD_WATCH_TOPIC, YOUR_AWS_REGION, YOUR_SNS_SERVICE_ACCOUNT_ACCESS_KEY, and YOUR_SNS_SERVICE_ACCOUNT_SECRET_KEY with your settings in the command listed below.

helm install --set falco.syscallEventDrops.actions={log}\
             --set integrations.snsOutput.enabled=true\
             --set integrations.snsOutput.topic=FULL_ARN_FOR_CLOUD_WATCH_TOPIC 
             --set integrations.snsOutput.aws_default_region=YOUR_AWS_REGION\
 --set\
integrations.snsOutput.aws_access_key_id=YOUR_SNS_SERVICE_ACCOUNT_ACCESS_KEY --set\
integrations.snsOutput.aws_secret_access_key=YOUR_SNS_SERVICE_ACCOUNT_SECRET_KEY\
stable/falco

More information can be found on Github: https://github.com/falcosecurity/falco