Falco – Falcosidekickhttps://v0-43--falcosecurity.netlify.app/tags/falcosidekick/Recent content in Falcosidekick on FalcoHugo -- gohugo.ioenTue, 04 Feb 2025 00:00:00 +0000Blog: Falcosidekick 2.31.0https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-2-31-0/Tue, 04 Feb 2025 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-2-31-0/ <p>The year 2025 is well started now. We saw a few days ago <a href="https://v0-43--falcosecurity.netlify.app/blog/falco-0-40-0/">the first release of Falco for the year</a>. It's to let fly out a new version of Falcosidekick, the 2.31.0.</p> <h2 id="new-output">New output</h2> <p>This release comes with a new output only, the last pillar of the observability with [OpenTelemetry].(<a href="https://opentelemetry.io/">https://opentelemetry.io/</a>) that missing in Falcosidekick.</p> <h3 id="otlp-metrics">OTLP Metrics</h3> <p>You can now forward the Falco Events to the OpenTelemetery collector or any received understanding the protocol.</p> <h2 id="new-features">New features</h2> <p>Here's a non exhaustive list of the great features and enhancements which come with this new release:</p> <h3 id="better-logger">Better logger</h3> <p>It was a ToDo for a while (even years), but it's now completed. The log system used by Falcosidekick has been replaced, without any breaking change for the users, but opening the door to more enhancements in the future.</p> <h3 id="more-default-labels-for-loki">More default labels for Loki</h3> <p>The log lines forwarded to <code>Loki</code> contain now by default the source namespace and pod name, if present in the alert. It will allow to filter more easily the events you want to display in your dashboards. Thanks to <a href="https://github.com/afreyermuth98">@afreyermuth98</a>.</p> <h3 id="payload-format-for-loki">Payload format for Loki</h3> <p>Some users asked for the possibility to forward the Falco alerts in their JSON format to <code>Loki</code>. You can now use the setting <code>loki.format</code> for.</p> <h3 id="nats-stan-subject">NATS/STAN subject</h3> <p>The template for the subject where to push the messages for <code>NATS</code>/<code>STAN</code> was hardcoded, it can now be overridden with <code>nats/stan.subjecttemplate</code>. See the <a href="https://github.com/falcosecurity/falcosidekick/blob/5af88e588a263d3b4ca20f8f13650369111cb249/config_example.yaml#L167">example config file</a>.</p> <h2 id="fixes">Fixes</h2> <ul> <li>Fix the missing templated fields as labels in <code>Loki</code> payload (<a href="https://github.com/falcosecurity/falcosidekick/pull/1091">PR#1091</a>)</li> <li>Fix the creation error of a <code>ClusterPolicyReport</code> (<a href="https://github.com/falcosecurity/falcosidekick/pull/100">PR#1100</a>)</li> <li>Fix the missing custom headers for HTTP requests for <code>Loki</code> (<a href="https://github.com/falcosecurity/falcosidekick/pull/1107">PR#1107</a> thanks to <a href="https://github.com/lsroe">@lsroe</a>)</li> <li>Fix the wrong key format of custom fields for <code>Prometheus</code> (<a href="https://github.com/falcosecurity/falcosidekick/pull/1110">PR#1110</a> thanks to <a href="https://github.com/rubensf">@rubensf</a>)</li> </ul> <h2 id="conclusion">Conclusion</h2> <p>You can find the full changelog <a href="https://github.com/falcosecurity/falcosidekick/releases/tag/2.31.0">here</a>.</p> <p>The respective Helm charts are already updated and allow you to test by yourself all these great new features. Just issue the <code>helm repo update; helm upgrade --reuse-values -n falco</code> command to do so.</p> <p>Once again, thanks to all the adopters and contributors who helped and contributed to this project all these years. We would never have reached this success without you.</p> <hr> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a></li> <li>Check out the <a href="https://github.com/falcosecurity/falcosidekick">Falcosidekick project on GitHub</a>.</li> <li>Check out the <a href="https://docs.falco-talon.org">Falco Talon project docs</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Falcosidekick 2.30.0https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-2-30-0/Wed, 04 Dec 2024 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-2-30-0/ <p>A few days after a new release of <a href="https://falco.org/blog/falco-talon-v0-2-0/">Falco Talon</a>, our response engine, it's time for our favorite proxy forwarder to do the same.</p> <h2 id="new-outputs">New outputs</h2> <p>A new release means new integrations. Thanks to our contributors for their helps.</p> <h3 id="webex">Webex</h3> <p>Notify your team on Webex with the integration developed by <a href="https://github.com/k0rventen">@k0rventen</a>.</p> <h3 id="otlp-metrics">OTLP Metrics</h3> <p>The adoption of Open Telemetry is bigger and bigger in the Cloud Native ecosystem, <a href="https://github.com/ekoops">@ekoops</a> introduced the OTLP Metrics in Falcosidekick.</p> <h3 id="datalog-logs">Datalog Logs</h3> <p>The Falco alerts can be forwarded to <code>Datadog</code> as events for a while in Falcosidekick, you can now use their Logs service thanks to <a href="https://github.com/yohboy">@yohboy</a>.</p> <h2 id="new-features">New features</h2> <p>Here's a non exhaustive list of the great features and enhancements which come with this new release:</p> <h3 id="x3-throughput">x3 throughput</h3> <p><a href="https://github.com/aleksmaus">@alekmaus</a> spotted a bottleneck with the http client used to forward the events to the outputs. His fix increases up to 300% the throughput!!!</p> <h3 id="better-integration-with-elasticsearch">Better integration with Elasticsearch</h3> <p><a href="https://github.com/aleksmaus">@alekmaus</a> worked hard to improve the integration with <code>Elasticsearch</code>. In addition improvments for the clients, new settings have been introduced, like the possibility to specify an <code>ingest pipeline</code> or an <code>api key</code>, to enable <code>batching</code> and <code>compression</code>. See the <a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/elasticsearch.md">docs</a> to know them all.</p> <h3 id="better-consistency-for-the-prometheus-metrics">Better consistency for the Prometheus metrics</h3> <p>Falco recently integrated a direct endpoint to expose metrics in the Prometheus format. After a lot of discussions between the maintainers and the community, a convention has been chosen for the names of the metrics. This release adapts the metrics exposed by Falcosidekick to follow this convention and have a consistency accross the different components of the ecosystem.</p> <div class="card card-sm pageinfo pageinfo-warning my-4"> <div class="card-body"> <div class="card-text"> <p>Breaking changes: The renaming of the metrics might impact the queries for your alerts and dashboards.</p> </div> </div> </div> <h3 id="multi-hosts-for-alertmanager">Multi hosts for AlertManager</h3> <p>You can now specify a list of servers for the <code>AlertManager</code> output, which is a requirement when it's deployed in HA mode.</p> <h2 id="fixes">Fixes</h2> <p>The contributors fixed several bugs, here's a non exhaustive list of the more important ones:</p> <ul> <li>Fix <code>PolicyReports</code> created in the same namespace than the previous event (<a href="https://github.com/falcosecurity/falcosidekick/pull/978">PR#978</a>)</li> <li>Fix the missing <code>customFields/extraFields</code> in the <code>Elasticsearch</code> payload (<a href="https://github.com/falcosecurity/falcosidekick/pull/1033">PR#1033</a>)</li> <li>Fix the incorrect key name for <code>CloudEvent</code> spec attribute (<a href="https://github.com/falcosecurity/falcosidekick/pull/1051">PR#1051</a>)</li> </ul> <h2 id="conclusion">Conclusion</h2> <p>You can find the full changelog <a href="https://github.com/falcosecurity/falcosidekick/releases/tag/2.30.0">here</a>.</p> <p>The respective Helm charts are already updated and allow you to test by yourself all these great new features. Just issue the <code>helm repo update; helm upgrade --reuse-values -n falco</code> command to do so.</p> <p>Once again, thanks to all the adopters and contributors who helped and contributed to this project all these years. We would never have reached this success without you.</p> <hr> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a></li> <li>Check out the <a href="https://github.com/falcosecurity/falcosidekick">Falcosidekick project on GitHub</a>.</li> <li>Check out the <a href="https://docs.falco-talon.org">Falco Talon project docs</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Falcosidekick 2.29.0https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-2-29-0/Tue, 02 Jul 2024 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-2-29-0/ <p>Almost 1 year without a release of Falcosidekick, but version 2.29.0 is finally here. Thanks to all contributors for their patience, you made amazing contributions and we're happy to finally have them available for all users.</p> <p>Like for every releases, a small recap about its adoption. Falcosidekick continues to be adopted, even if the rate is not as high as before, but we're sure it will explode once again with this new fresh version.</p> <p><img src="images/falcosidekick-docker-pulls.png" alt="" loading="lazy" /> </p> <p>Once more, Falcosidekick expands Falco's integrability with a lot of new outputs. That and the introduction of many new features has been possible thanks to the hard work of the community. You can find a comprehensive list of these in the <a href="https://github.com/falcosecurity/falcosidekick/releases/tag/2.29.0">changelog</a>.</p> <h2 id="new-outputs">New outputs</h2> <p>More and more systems are integrated as outputs in Falcosidekick, more and more often directly by the companies themselves and not their end users. It shows Falco and Falcosidekick are seen as major components in the security fields, and trusted as de facto standards.</p> <h3 id="dynatrace">Dynatrace</h3> <p>Mario Kahlhofer, aka <a href="https://github.com/@blu3r4y">@blu3r4y</a>, from Dynatrace, integrated the well known observability and security platform he works for. You can even read his <a href="https://www.dynatrace.com/news/blog/ttp-based-threat-hunting-solves-alert-noise/">blog post about</a>, to discover how to correlate the Falco events with their APM agent events.</p> <p><img src="images/dynatrace.png" alt="" loading="lazy" /> </p> <h3 id="sumologic">Sumologic</h3> <p>Carlo Mencarelli, aka <a href="https://github.com/mencarellic">@mencarellic</a>, did the exporter of the Falco events to <a href="https://www.sumologic.com/">Sumologic</a>, the SaaS platform for your logs.</p> <p><img src="images/sumologic.png" alt="" loading="lazy" /> </p> <h3 id="otlp-traces">OTLP Traces</h3> <p>It started as an internal hackaton at <a href="https://grafana.com/">Grafana Labs</a> and became a real integration thanks to JuanJo Ciarlante (<a href="https://github.com/jjo">@jjo</a>). You can now export the Falco event as traces, to have an automatic correlation between the detected events.</p> <blockquote> <p>[!WARNING] It works only for the syscall related events.</p> </blockquote> <p><img src="images/otlp-traces.png" alt="" loading="lazy" /> </p> <h3 id="quickwit">Quickwit</h3> <p>After a demo of Falco at a CNCF Meetup, the <a href="https://quickwit.io/">Quickwit</a> team wanted to add their product as a new output for Falcosidekick, and they did it. You can now easily index your Falco events in their search engine thanks to the work of Idriss Neumann (<a href="https://github.com/idrissneumann">@idrissneumann</a>).</p> <p><img src="images/quickwit.png" alt="" loading="lazy" /> </p> <h3 id="falco-talon">Falco Talon</h3> <p>New born in the Falco ecosystem, trying to complete the last missing piece: the reaction. You can now forward the Falco events to <a href="https://docs.falco-talon.org">Falco Talon</a>, a tailor made no-code response engine for Falco. The project is still in alpha stage, but moves quickly. Stay tuned.</p> <p><img src="images/falco-talon.png" alt="" loading="lazy" /> </p> <h2 id="new-features">New features</h2> <p>Aside from new outputs, we introduced very important and useful new features. Let's do a recap of them.</p> <h3 id="revamp-of-the-policy-report-output">Revamp of the Policy Report output</h3> <p>The Policy Report feature in Kubernetes evolved since its integration in Falcosidekick, it was the time to do some clean up. The report now contains more information, and their displays in the <a href="https://github.com/kyverno/policy-reporter/tree/main?tab=readme-ov-file#policy-reporter-ui">Policy Reporter UI</a> is better.</p> <h3 id="new-outputfieldformat-setting">New outputFieldFormat setting</h3> <p>Some systems perform deduplication of the events, for example the on-call platforms. They use the content of the <code>output</code> to do so, but the current format starting with a timestamp prevents the process to run as expected. A new setting <code>outputFieldFormat</code> is now available allows to &quot;format&quot; the <code>output</code> field of the Falco payload before forwarding it to the outputs.</p> <p>The default format received from Falco is : <code>&lt;timestamp&gt;: &lt;priority&gt; &lt;output&gt;</code> which corresponds to this:</p> <pre tabindex="0"><code>14:37:27.505989596: Warning Detected ptrace PTRACE_ATTACH attempt (proc_pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) </code></pre><p>By removing the <code>&lt;timestamp&gt;</code> and <code>&lt;priority&gt;</code>, you get:</p> <pre tabindex="0"><code>Detected ptrace PTRACE_ATTACH attempt (proc_pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) </code></pre><div class="card card-sm pageinfo pageinfo-info my-4"> <div class="card-body"> <div class="card-text"> <p>If you use the settings <code>customFields</code> and <code>templatedFields</code> of Falcosidekick to inject new elements in the <code>output_fields</code>, it's also possible to have them in the <code>output</code> with the tokens <code>&lt;custom_fields&gt;</code> and <code>&lt;templated_fields&gt;</code>.</p> </div> </div> </div> <h3 id="alternative-endpoints-for-aws-s3">Alternative endpoints for AWS S3</h3> <p>Some projects like <a href="https://min.io/">Minio</a> are S3-compliant, you can now use them as target for the <code>AWS S3</code> output by changing the endpoint to use. Thanks to <a href="https://github.com/gysel">@gysel</a> for this feature.</p> <h3 id="split-of-the-docs">Split of the docs</h3> <p>The main README of the project became really huge over the years, with all those available outputs. We did a big refactor and you can now find one file per output, with more details about the configuration, the default values and some tips. The docs are <a href="https://github.com/falcosecurity/falcosidekick/tree/master/docs/outputs">here</a>, and any help is welcome to make them even better.</p> <h2 id="fixes">Fixes</h2> <p>The contributors fixed several bugs, here's a non exhaustive list of the more important ones:</p> <ul> <li>Fix missing root CA for the <code>Kafka</code> output (thanks to <a href="https://github.com/claviola">@claviola</a>)</li> <li>Fix bug with the extension <code>source</code> in the <code>CloudEvent</code> output</li> <li>Fix panics in the <code>Prometheus</code> output when <code>hostname</code> field is missing</li> <li>Fix locks in the <code>Loki</code> output (thanks to <a href="https://github.com/bsod90">@bsod90</a>)</li> <li>Fix mTLS client verification failures due to missing ClientCAs (thanks to <a href="https://github.com/jgmartinez">@jgmartinez</a>)</li> <li>Fix wrong env vars for pagerduty output</li> <li>Remove hard settings for usernames in <code>Mattermost</code> and <code>Rocketchat</code></li> <li>Fix multi lines json in the error lines (thanks to <a href="https://github.com/idrissneumann">@idrissneumann</a>)</li> <li>Fix duplicated custom headers in clients</li> <li>Fix the labels for the <code>AlertManager</code> output (thanks to <a href="https://github.com/Umaaz">@Umaaz</a>)</li> </ul> <h2 id="conclusion">Conclusion</h2> <p>You can find the full changelog <a href="https://github.com/falcosecurity/falcosidekick/releases/tag/2.29.0">here</a>.</p> <p>The respective Helm charts are already updated and allow you to test by yourself all these great new features. Just issue the <code>helm repo update; helm upgrade --reuse-values -n falco</code> command to do so.</p> <p>Once again, thanks to all the adopters and contributors who helped and contributed to this project all these years. We would never have reached this success without you.</p> <hr> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a></li> <li>Check out the <a href="https://github.com/falcosecurity/falcosidekick">Falcosidekick project on GitHub</a>.</li> <li>Check out the <a href="https://docs.falco-talon.org">Falco Talon project docs</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Falcosidekick 2.28.0https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-2-28-0/Fri, 28 Jul 2023 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-2-28-0/ <p>It's summertime, it's hot, and many people are on vacation, but the Falco community is still there. Six months after the release of Falcosidekick's latest upgrade, version 2.28.0 becomes officially available.</p> <p>The number of pulls of the official Falcosidekick image from Docker Hub has also just reached 15M, which we consider mind-blowing. It took it 3 years to reach the first 5M pulls and now it's needed less than six months to do it again. Awesome!</p> <p><img src="images/falcosidekick-docker-pulls.png" alt="" loading="lazy" /> <img src="images/falcosidekick-docker-pulls-last-year.png" alt="" loading="lazy" /> </p> <p>Once more, Falcosidekick expands Falco's integrability with a lot of new outputs. That and the introduction of many new features has been possible thanks to the hard work of the community. You can find a comprehensive list of these in the <a href="https://github.com/falcosecurity/falcosidekick/releases/tag/2.28.0">changelog</a>.</p> <h2 id="new-outputs">New outputs</h2> <p>With every new release, the number of integrations of Falcosidekick increases. We have reached the number of 58 available outputs already, and we hope the threshold of 60 will be left behind very soon.</p> <h3 id="redis">Redis</h3> <p><a href="https://redis.com">Redis</a> is a well-known in-memory database with many years of adoption on its path. It is now possible for Falcosidekick to use it as an output destination, thanks to the contributions of <a href="https://github.com/pandyamarut">pandyamarut</a>.</p> <h3 id="telegram">Telegram</h3> <p><a href="https://telegram.org/">Telegram</a>, the instant messaging platform, is becoming more and more used by companies for notifications, and thanks to <a href="https://github.com/zufardhiyaulhaq">zufardhiyaulhaq</a>, it can receive Falco alerts too.</p> <p><img src="images/falcosidekick-telegram.png" alt="" loading="lazy" /> </p> <h3 id="n8n">N8N</h3> <p>Do you want to extend the possibilities or just avoid developing a script to react to Falco events? Here comes <a href="https://n8n.io/">n8n</a>.</p> <p><img src="images/falcosidekick-n8n.png" alt="" loading="lazy" /> </p> <h3 id="grafana-oncall">Grafana OnCall</h3> <p>At the last KubeCon, we met with some of the Grafana maintainers. We discussed the integration of Falco using Falcosidekick within the OnCall project. It's done now.</p> <p><img src="images/falcosidekick-grafana-oncall.png" alt="" loading="lazy" /> </p> <h3 id="openobserve">OpenObserve</h3> <p><a href="https://openobserve.ai/">OpenObserve</a> is a young but promising full stack observability platform.</p> <p><img src="images/falcosidekick-openobserve.png" alt="" loading="lazy" /> </p> <h2 id="new-features">New features</h2> <p>Aside from new outputs, we introduced very important and useful new features. Let's do a recap of them.</p> <h3 id="use-different-methods-for-the-webhook-output">Use different methods for the Webhook output</h3> <p>Since its implementation, the Webhook output has only used the HTTP method <code>POST</code>. Now, you can choose between the <code>POST</code> and <code>PUT</code> methods to send your data, extending the catalog of possible REST APIs to use it with.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">webhook</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">method</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;POST&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># HTTP method: POST or PUT (default: POST)</span><span style="color:#bbb"> </span></span></span></code></pre></div><h3 id="replace-the-brackets-in-the-payload">Replace the brackets in the payload</h3> <p>Some Falco fields refer to lists and reflect that their keys contain brackets, like <code>proc.args[0]</code>, <code>proc.args[1]</code>, etc. Unfortunately, some outputs may refuse payloads with brackets in keys. For this reason, we introduced the possibility of replacing them with any other chosen character:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">bracketreplacer</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;_&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># if not empty, the brackets in keys of Output Fields are replaced</span><span style="color:#bbb"> </span></span></span></code></pre></div><h3 id="set-custom-headers-for-loki-elasticsearch-and-grafana-outputs">Set custom headers for Loki, Elasticsearch and Grafana outputs</h3> <p>If you want to protect your private instances of <code>Loki</code>, <code>Grafana</code>, or <code>Elasticsearch</code> you may need to specify custom headers. This new feature allows you to do so.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">elasticsearch</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">customHeaders</span>:<span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># Custom headers to add in POST. Useful for Authentication</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">key</span>:<span style="color:#bbb"> </span>value<span style="color:#bbb"> </span></span></span></code></pre></div><h3 id="match-the-priority-with-the-severity-for-the-alertmanager-output">Match the priority with the severity for the AlertManager output</h3> <p><code>AlertManager</code> is a pretty common software at companies also using <code>Prometheus</code>. Until now, the mapping between the Priority of Falco events and the Severity of AlertManager was already predefined. You can now define it depending on your needs thanks to <a href="https://github.com/Lowaiz">Lowaiz</a>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">alertmanager</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">customseveritymap</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># comma separated list of tuple composed of a &#39;:&#39; separated Falco priority and Alertmanager severity that is used to override the severity label associated to the priority level of falco event. Example: debug:value_1,critical:value2. Default mapping: emergency:critical,alert:critical,critical:critical,error:warning,warning:warning,notice:information,informational:information,debug:information. (default: &#34;&#34;)</span><span style="color:#bbb"> </span></span></span></code></pre></div><h3 id="set-thresholds-for-the-dropped-events-for-the-alertmanager-output">Set thresholds for the dropped events for the AlertManager output</h3> <p>Another contribution from <a href="https://github.com/Lowaiz">Lowaiz</a>: You can now configure a set of thresholds to start dropping the events.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">alertmanager</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># dropeventdefaultpriority: &#34;&#34; # default priority of dropped events, values are emergency|alert|critical|error|warning|notice|informational|debug (default: &#34;critical&#34;)</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">dropeventthresholds: # comma separated list of priority re-evaluation thresholds of dropped events composed of a &#39;:&#39; separated integer threshold and string priority. Example: `10000:critical, 100:warning, 1:informational` (default</span>:<span style="color:#bbb"> </span>`&#34;10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning&#34;`)<span style="color:#bbb"> </span></span></span></code></pre></div><h3 id="better-integration-with-timescaledb">Better integration with TimescaleDB</h3> <p>We thank <a href="https://github.com/hileef">hileef</a> for improving the integration with <code>TimescaleDB</code>.</p> <h3 id="user-rolearn-and-externalid-for-the-aws-outputs">User roleARN and externalID for the AWS outputs</h3> <p>Under some situations, you may want Falcosidekick to assume a role, possibly from another account. You can do it with the new pair of settings <code>rolearn</code> and <code>externalid</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">aws</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">rolearn</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># aws role to assume (optional if you use EC2 Instance Profile)</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">externalid</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># external id for the role to assume (optional if you use EC2 Instance Profile)</span><span style="color:#bbb"> </span></span></span></code></pre></div><h3 id="set-the-region-for-the-pagerduty-output">Set the region for the PagerDuty output</h3> <p>Falcosidekick allows you to select between one of the two different regions' <code>PagerDuty</code> offers now.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">pagerduty</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">region</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;us&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># Pagerduty Region, can be &#39;us&#39; or &#39;eu&#39; (default: us)</span><span style="color:#bbb"> </span></span></span></code></pre></div><h3 id="allow-tls-for-the-smtp-output">Allow TLS for the SMTP output</h3> <p>It is now possible to communicate with an <code>SMTP</code> server using TLS.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">smtp</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">tls: false # Use TLS connection (true/false). Default</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span></code></pre></div><h3 id="set-attributes-to-gcp-pubsub-messages">Set attributes to GCP PubSUb messages</h3> <p><code>GCP PubSub</code> accepts attributes in its messages. You can specify yours, thanks to <a href="https://github.com/annadorottya">annadorottya</a>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">gcp</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">customAttributes</span>:<span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># Custom attributes to add to the Pub/Sub messages</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">key</span>:<span style="color:#bbb"> </span>value<span style="color:#bbb"> </span></span></span></code></pre></div><h3 id="more-options-for-tls-and-mtls">More options for TLS and mTLS</h3> <p>These are the most relevant changes of this release. To improve security, Falcosidekick can now listen using HTTPS with TLS. You can also be more specific with the keys and certificates for the mTLS for the outputs.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">mutualtlsfilespath</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;/etc/certs&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># folder which will used to store client.crt, client.key and ca.crt files for mutual tls for outputs, will be deprecated in the future (default: &#34;/etc/certs&#34;)</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># certfile: &#34;/etc/certs/client/client.crt&#34; # client certification file</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">keyfile</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;/etc/certs/client/client.key&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># client key</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">cacertfile</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;/etc/certs/client/ca.crt&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># for server certification</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">tlsserver</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># certfile: &#34;/etc/certs/server/server.crt&#34; # server certification file</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">keyfile</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;/etc/certs/server/server.key&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># server key</span><span style="color:#bbb"> </span></span></span></code></pre></div><div class="card card-sm pageinfo pageinfo-warning my-4"> <div class="card-body"> <div class="card-text"> <p>The <code>mutualtlsfilespath</code> setting is kept for now for backward compatibility but it will be remove in future</p> </div> </div> </div> <p>In some edge cases, you may need some endpoints to listen in HTTP only. You can specifically define them together with the associated port:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">tlsserver</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">notlsport: 2810 # port to serve http server serving selected endpoints (default</span>:<span style="color:#bbb"> </span><span style="color:#666">2810</span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">notlspaths</span>:<span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># if not empty, a separate http server will be deployed for the specified endpoints</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;/metrics&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;/healthz&#34;</span><span style="color:#bbb"> </span></span></span></code></pre></div><p>Thanks to <a href="https://github.com/annadorottya">annadorottya</a> for her impressive work on this functionality.</p> <h3 id="autocreate-the-topic-for-the-kafka-output">Autocreate the topic for the Kafka output</h3> <p>When Falcosidekick doesn't detect the topic, it can create it automatically. This feature is not enabled by default.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">kafka</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">topiccreation: false # auto create the topic if it doesn&#39;t exist (default</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">false</span>)<span style="color:#bbb"> </span></span></span></code></pre></div><h3 id="support-multiple-bootstrap-servers-and-tls-for-the-kafka-output">Support multiple bootstrap servers and TLS for the Kafka output</h3> <p>To get better resiliency, you can now specify several bootstrap servers and even communicate with them with TLS, thanks to <a href="https://github.com/ibice">ibice</a>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">kafka</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">tls: false # Use TLS for the connections (default</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">false</span>)<span style="color:#bbb"> </span></span></span></code></pre></div><h2 id="fixes">Fixes</h2> <p>We're not going to go into detail about all the corrections made in this version - you can find the full list <a href="https://github.com/falcosecurity/falcosidekick/releases/tag/2.28.0">here</a>. Thanks to everyone who reported issues and to those who have corrected them.</p> <p>The most important have been:</p> <ul> <li>Fix breaking brackets in <code>AWS SNS</code> messages.</li> <li>Fix setting name for the table of <code>TimescaleDB</code> output (thanks to <a href="https://github.com/alika">alika</a>).</li> <li>Fix the cardinality issue with <code>Prometheus</code> labels.</li> <li>Fix panic when asserting output fields that are <code>nil</code>.</li> <li>Fix URL generation for <code>Spyderbat</code> output (thanks to <a href="https://github.com/bc-sb">bc-sb</a>).</li> <li>Fix <code>nil</code> values in <code>Spyderbat</code> output (thanks to <a href="https://github.com/spider-guy">spider-guy</a>).</li> <li>Fix duplicated headers in <code>SMTP</code> output (thanks to <a href="https://github.com/apsega">apsega</a>).</li> </ul> <h2 id="conclusion">Conclusion</h2> <p>The respective Helm charts are also updated and allow you to test for yourself all these great new features. Just issue the <code>helm repo update; helm upgrade --reuse-values -n falco</code> command to do so.</p> <p>Falcosidekick is now mentioned in the official <a href="https://v0-43--falcosecurity.netlify.app/docs/outputs/forwarding/">Falco docs</a>. It's a shy beginning, but more details will come shortly.</p> <p>Once again, thanks to all the adopters and contributors who helped and contributed to this project all these years. We would never have reached this success without you.</p> <hr> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a></li> <li>Check out the <a href="https://github.com/falcosecurity/falcosidekick">Falcosidekick project on GitHub</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falcosidekick-ui">Falcosidekick UI project on GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Falcosidekick 2.27.0 and Falcosidekick-UI 2.1.0https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-2-27-0-ui-2-1-0/Tue, 10 Jan 2023 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-2-27-0-ui-2-1-0/ <p>So many good things happened for Falcosidekick and Falcosidekick UI this year. It's still incredible these projects became so beloved and useful for the community. To all contributors, promotors and users, a big big thank you.</p> <p>The new year is there, it's time to release new versions and reach 10 million Docker pulls for Falcosidekick.</p> <p><img src="images/falcosidekick-docker-pulls.png" alt="" loading="lazy" /> </p> <h2 id="falcosidekick-v2-27-0">Falcosidekick v2.27.0</h2> <p>What a huge release! Never has a previous release gotten so many new features and outputs. You can read the full changelog <a href="https://github.com/falcosecurity/falcosidekick/releases/tag/2.27.0">here</a>.</p> <h3 id="new-outputs">New outputs</h3> <p>This release brings a lot of new outputs thanks to our amazing contributors. <a href="https://github.com/falcosecurity/falcosidekick/graphs/contributors">Here</a> you have a list of them.</p> <h5 id="yandex-data-stream">Yandex Data Stream</h5> <p><a href="https://yandex.com">Yandex</a> is a Russian cloud provider that provides various services such as <a href="https://cloud.yandex.com/en/docs/data-streams/">Data Streams</a>. With this new output, we can connect Falco to one more cloud providers. Thank you, <a href="https://github.com/preved911">preved911</a>.</p> <h5 id="mqtt-and-node-red">MQTT and Node-Red</h5> <p>IoT is a whole new world for Falco. With these 2 new outputs, Falco can make its first steps in this ecosystem and we are sure more will come in 2023. Stay tuned.</p> <p><img src="images/falcosidekick-node-red.png" alt="" loading="lazy" /> </p> <h5 id="zincsearch">Zincsearch</h5> <p>Do you want a full-text indexer lighter than Elasticsearch? Take a look at <a href="https://zincsearch.com/">Zincsearch</a>.</p> <p><img src="images/falcosidekick-zincsearch.png" alt="" loading="lazy" /> </p> <h5 id="gotify">Gotify</h5> <p>By using <a href="https://gotify.net">Gotify</a> and the new dedicated output, you can now push Falco events to your Android phone.</p> <p><img src="images/falcosidekick-gotify.jpg" alt="" loading="lazy" /> </p> <h5 id="spyderbat">Spyderbat</h5> <p>Are you a user of <a href="https://www.spyderbat.com">Spyderbat</a> and want to extend its sources of events? Now you can thank <a href="https://github.com/spyder-kyle">spyder-kyle</a>.</p> <h5 id="tekton">Tekton</h5> <p>Do you remember the blog post <a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/"><em>how to create a Response Engine for Falco</em></a> with <a href="https://tekton.dev/">Tekton</a>? The proposed solution used the generic Webhook output. From now on, Tekton can use a dedicated one.</p> <h5 id="timescaledb">TimescaleDB</h5> <p><a href="https://github.com/timescale/timescaledb">TimescaleDB</a> is an OSS database made for time-series data, thanks to <a href="https://github.com/jagretti">jagretti</a> Falcosidekick can insert into it the Falco events.</p> <h5 id="aws-security-lake">AWS Security Lake</h5> <p>At re:Invent 2023, AWS announced a new data lake made for security data: AWS Security Lake. We worked with AWS teams to have Falco as a source partner from day one, making it the first OSS project that can be used with that service and strengthening once more the integration with the AWS ecosystem.</p> <h3 id="new-features">New features</h3> <p>The list of new outputs is already quite long, but the list of enhancements is even longer. The full list is <a href="https://github.com/falcosecurity/falcosidekick/blob/master/CHANGELOG.md">here</a>, but let's have a look at the major changes.</p> <h5 id="sasl-auth-mechanisms-for-smtp-and-kafka-outputs">SASL auth mechanisms for SMTP and Kafka outputs</h5> <p>Improving security is our duty to all, and one key element is the authentication method. Thanks to <a href="https://github.com/Lowaiz">Lowaiz</a>, both SMTP and Kafka outputs can now use the benefits of SASL Auth mechanisms.</p> <h5 id="environment-variables-for-custom-labels-and-templated-labels">Environment variables for custom labels and templated labels</h5> <p>The ability to inject custom fields in the payloads is an important feature of Falcosidekick. The only drawback was these fields were previously static. That limitation is over. Now, you can use environment variables in your custom fields. A new kind of custom fields has become available: `templated fields.' They allow the reuse of the present fields to generate new ones following with <a href="https://pkg.go.dev/text/template">Go template</a>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">templatedfields</span>:<span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># templated fields are added to falco events and metrics, it uses Go template + output_fields values</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">Dkey</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#39;{{ or (index . &#34;k8s.ns.labels.foo&#34;) &#34;bar&#34; }}&#39;</span><span style="color:#bbb"> </span></span></span></code></pre></div><h5 id="hostname-field">Hostname field</h5> <p>Since Falco 0.33, a new field is present in Falco events: <code>hostname</code>. Falcosidekick and all its current outputs are up to date and ready for it. Once again, thanks to <a href="https://github.com/Lowaiz">Lowaiz</a>.</p> <h5 id="loki-format-and-grafana-cloud">Loki format and Grafana Cloud</h5> <p>The Loki format has been upgraded and credentials can be set. It allows you to use <a href="https://grafana.com/products/cloud/">Grafana Cloud</a> as a target.</p> <h5 id="k8s-policy-reports-are-binded-to-the-namespaces">K8S Policy Reports are binded to the namespaces</h5> <p>Policy Reports in K8S are still prototypes but Falcosidekick is already able to create them. Some improvements have been made to determine the target resource and the report is now created in the same namespace as the source pod.</p> <h5 id="more-headers-in-smtp-payload">More headers in SMTP payload</h5> <p>To avoid being flagged as spam by some anti-spam systems, some headers like <code>From</code>, <code>To</code> and <code>Date</code> have been added to the emails created by Falcosidekick.</p> <h5 id="cef-format-syslog">CEF format Syslog</h5> <p>For the Syslog output, you can choose between <code>json</code> and <code>CEF</code> as formats. It makes easier the integration with some services like <a href="https://azure.microsoft.com/en-us/products/microsoft-sentinel/#overview">Microsoft Sentinel</a> or <a href="https://www.splunk.com/">Splunk</a>.</p> <h3 id="fixes">Fixes</h3> <p>Even if we do our best to avoid them, the community has lately faced some bugs that we have fixed in this release.</p> <p>The most important one was a race condition when headers were added to the POST requests. Adopters with high rates of requests were occasionally facing authentication failures or missing headers. <a href="https://github.com/bc-sb">bc-sb</a> solved this with a temporary solution, but we'll improve it in the future (Falcosidekick v3? Who knows...).</p> <h2 id="falcosidekick-ui-v2-1-0">Falcosidekick UI v2.1.0</h2> <p>The new features for Falcosidekick UI, although lower in number, are still big improvements. The full changelog is <a href="https://github.com/falcosecurity/falcosidekick-ui/releases/tag/v2.1.0">here</a>.</p> <h3 id="env-vars-for-settings">Env vars for settings</h3> <p>All settings to configure Falcosidekick UI can be passed as either CLI arguments or as env vars. Run <code>falcosidekick-ui --help</code> for more details.</p> <h3 id="new-logs">New logs</h3> <p>The logs were too verbose for production contexts. Now it's configurable via a log-level option:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>-l string </span></span><span style="display:flex;"><span> Log level: <span style="color:#b44">&#34;debug&#34;</span>, <span style="color:#b44">&#34;info&#34;</span>, <span style="color:#b44">&#34;warning&#34;</span>, <span style="color:#b44">&#34;error&#34;</span> <span style="color:#666">(</span>default <span style="color:#b44">&#34;info&#34;</span>, environment <span style="color:#b44">&#34;FALCOSIDEKICK_UI_LOGLEVEL&#34;</span><span style="color:#666">)</span> </span></span></code></pre></div><h3 id="auto-refresh">Auto refresh</h3> <p>Long-term adopters may remember the dashboard in Falcosidekick UI v1 was auto-refreshed. This feature is back, for all widgets, independently of the page.</p> <p><img src="images/falcosidekick-ui-autorefresh.png" alt="" loading="lazy" /> </p> <h3 id="authentication">Authentication</h3> <p>This is a major new feature. The interface is now protected by the Basic Auth method. More methods will be added in the future:</p> <p><img src="images/falcosidekick-ui-login.png" alt="" loading="lazy" /> </p> <p>Set the <code>FALCOSIDEKICK_UI_USER</code> env var to define the credentials.</p> <h3 id="info-page">Info page</h3> <p>The info page has been rewritten for a nicer look &amp; feel.</p> <p><img src="images/falcosidekick-ui-info.png" alt="" loading="lazy" /> </p> <h3 id="hostname">Hostname</h3> <p>As for Falcosidekick, Falcosidekick UI supports the display of the new <code>hostname</code> field.</p> <p><img src="images/falcosidekick-ui-hostnames.png" alt="" loading="lazy" /> </p> <h3 id="ttl-for-keys">TTL for keys</h3> <p>Falcosidekick UI can store a huge amount of events, leading to filling the disk of the Redis database. A <code>TTL</code> for the entries can be set to avoid this situation.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>-t int </span></span><span style="display:flex;"><span> TTL <span style="color:#a2f;font-weight:bold">for</span> keys <span style="color:#666">(</span>default <span style="color:#b44">&#34;0&#34;</span>, environment <span style="color:#b44">&#34;FALCOSIDEKICK_UI_TTL&#34;</span><span style="color:#666">)</span> </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>The respective Helm charts are already updated to allow you to test on your own all these great new features. Run a <code>helm upgrade --reuse-values -n falco</code> to do so.</p> <p>Once again, thanks to all adopters and contributors who helped and contributed for years to create pieces of software useful to everybody. We hope 2023 will be amazing for Falco and its ecosystem.</p> <hr> <p>As usual, if you have any feedback or need help, you can find us at any of the following locations.</p> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a></li> <li>Check out the <a href="https://github.com/falcosecurity/falcosidekick">Falcosidekick project on GitHub</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falcosidekick-ui">Falcosidekick UI project on GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Falcosidekick 2.25.0 and Falcosidekick 2.0.0https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-2-25-0-falco-2-0-0/Wed, 01 Jun 2022 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-2-25-0-falco-2-0-0/ <p>A few days ago was the KubeCon EU in Valencia, Spain. The moment to meet contributors who made what Falcosidekick is now was a really enjoyable time and I hope we'll do it again in the future. One week before, two new major versions of Falcosidekick and Falcosidekick-Ui were released. Let's see what's new.</p> <h1 id="falcosidekick">Falcosidekick</h1> <p>Almost 10 months without a new release for Falcosidekick, the version <a href="https://github.com/falcosecurity/falcosidekick/releases/tag/2.25.0">2.25.0</a>, and what a huge release is. For curious people, the full changelog can be found <a href="https://github.com/falcosecurity/falcosidekick/releases/tag/2.25.0">here</a>.</p> <h2 id="new-outputs">New outputs</h2> <p>Each new release brings more outputs, thanks to the community. Here's the list of new ones:</p> <h3 id="policy-report">Policy Report</h3> <p>With some CRD, you can now create reports in your Kubernetes clusters, the feature is often used for Security or Compliance, but anything is technically possible. For more details about how to use this output, read the documentation from <a href="https://github.com/anushkamittal20">@anushkamittal20</a> who implemented it for her project for <a href="https://lfxms22.sched.com/event/tRXy/understanding-falco-and-policy-report-output-for-falcosidekick-anushka-mittal-nirmata-india">Linux Foundation Mentorship Program</a>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">apiVersion</span>:<span style="color:#bbb"> </span>wgpolicyk8s.io/v1alpha2<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>ClusterPolicyReport<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">metadata</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">creationTimestamp</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;2022-05-23T13:57:40Z&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">generation</span>:<span style="color:#bbb"> </span><span style="color:#666">110</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>falco-cluster-policy-report-4c9eac68<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">resourceVersion</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;71090&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">uid</span>:<span style="color:#bbb"> </span>ed8f0659-74d5-488c-90f8-d7b0622738cf<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">results</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">category</span>:<span style="color:#bbb"> </span>SI - System and Information Integrity<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">message</span>:<span style="color:#bbb"> </span>Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">policy</span>:<span style="color:#bbb"> </span>Attach to cluster-admin Role<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">properties</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">ka.req.binding</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#39;%ka.req.binding&#39;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">ka.user.name</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#39;%ka.user.name&#39;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">result</span>:<span style="color:#bbb"> </span>fail<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">severity</span>:<span style="color:#bbb"> </span>high<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">source</span>:<span style="color:#bbb"> </span>Falco<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">timestamp</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">nanos</span>:<span style="color:#bbb"> </span><span style="color:#666">98821031</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">seconds</span>:<span style="color:#bbb"> </span><span style="color:#666">40</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">category</span>:<span style="color:#bbb"> </span>SI - System and Information Integrity<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">message</span>:<span style="color:#bbb"> </span>Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>rules=%ka.req.role.rules)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">policy</span>:<span style="color:#bbb"> </span>ClusterRole With Write Privileges Created<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">properties</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">ka.req.role</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#39;%ka.req.role&#39;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">ka.target.name</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#39;%ka.target.name&#39;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">ka.user.name</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#39;%ka.user.name&#39;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">result</span>:<span style="color:#bbb"> </span>fail<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">severity</span>:<span style="color:#bbb"> </span>high<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">source</span>:<span style="color:#bbb"> </span>Falco<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">timestamp</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">nanos</span>:<span style="color:#bbb"> </span><span style="color:#666">103148849</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">seconds</span>:<span style="color:#bbb"> </span><span style="color:#666">42</span><span style="color:#bbb"> </span></span></span></code></pre></div><p>The reports can also be displayed with <a href="https://github.com/kyverno/policy-reporter-ui">Policy Reporter UI</a>, created by <a href="https://github.com/fjogeleit">@fjogeleit</a> another member of the Falco community.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/falcosidekick-2-25-0-policy-reporter-ui.png" alt="policy-reporter-ui" loading="lazy" /> </p> <h3 id="syslog">Syslog</h3> <p>Years after its creation, Syslog remains a solid solution for managing the log files, especially if you're running Falcosidekick or else directly at the host level. With this new version, a Syslog server can be directly used as the target for the events, allowing you to send them in a secure place. Thanks to <a href="https://github.com/bdluca">@bdluca</a>.</p> <h3 id="aws-kinesis">AWS Kinesis</h3> <p>Do you want to ingest thousands of events from Falco and be able to run data analysis on them? You can do so smoothly with the new AWS Kinesis output, bringing a new integration of Falco with AWS Ecosystem. We would be delighted to know any use case with analytics the community could create now. Thanks to <a href="https://github.com/gauravgahlot">@gauravgahlot</a>.</p> <h3 id="zoho-cliq">Zoho Cliq</h3> <p>Your DevOps/SRE/SecOps team uses <a href="https://www.zoho.com/cliq/">Zoho Cliq</a> for their communication? Allow them to receive nice notifications with this new output for Falcosidekick. Thanks to <a href="https://github.com/averni">@averni</a>.</p> <h2 id="enhancements">Enhancements</h2> <p>Getting new features is nice, but we can also improve the existing ones, here's a list of major changes of this 2.25.0 release.</p> <h3 id="compiled-ans-signed-binaries">Compiled ans signed binaries</h3> <p>Until then, if you wanted binaries of Falcosidekick, you had to build them by yourself or use the provided Docker image. Now, each release will contain the compiled binaries for amd64 and arm64. The security is not forgotten, all artifacts are signed with <a href="https://docs.sigstore.dev/cosign/overview/">Cosign</a>.</p> <h3 id="tags-and-source">Tags and Source</h3> <p>In January, <a href="https://falco.org/blog/falco-0-31-0/">Falco 0.31.0</a> brought its new Plugin system, the <code>source</code> field of events becoming more important. This new release of Falcosidekick updates all the outputs to deal with <code>source</code> and <code>tags</code> events. Your Response Engines can now be much clever than even.</p> <h3 id="irsa">IRSA</h3> <p>IRSA, aka Iam Role for Service Accounts, is the method provided by AWS for linking a Kubernetes Service Account with an IAM Role, allowing the Pod to easily use a Service. Falcosidekick is now able to use this mechanism for its outputs for AWS Services, no need to add Access and Secret Keys in your <code>values.yaml</code>. The UX is much better. Thanks to <a href="https://github.com/VariableExp0rt">@VariableExp0rt</a>.</p> <h1 id="falcosidekick-ui">Falcosidekick UI</h1> <p>I created the first version v0 of Falcosidekick-UI to have something more graphical for my talks, with the help of <a href="https://github.com/fjogeleit">@fjogeleit</a> we created a nice v1 that has been finally used more and more by people, becoming a famous product in the community. It was time to have a better version with some requested features:</p> <ul> <li>a database (Redis) for a long term storage of events</li> <li>an API for counting or searching the events</li> <li>filters are kept as query strings, allowing to share links</li> </ul> <p>All details to use this new version, v2.0.0, are described in the <a href="https://github.com/falcosecurity/falcosidekick-ui">README</a>.</p> <p>Here's some screenshots:</p> <p><img src="https://github.com/falcosecurity/falcosidekick-ui/raw/master/imgs/webui_01.png" alt="https://github.com/falcosecurity/falcosidekick-ui/raw/master/imgs/webui_01.png" loading="lazy" /> <img src="https://github.com/falcosecurity/falcosidekick-ui/raw/master/imgs/webui_02.png" alt="https://github.com/falcosecurity/falcosidekick-ui/raw/master/imgs/webui_02.png" loading="lazy" /> <img src="https://github.com/falcosecurity/falcosidekick-ui/raw/master/imgs/webui_04.png" alt="https://github.com/falcosecurity/falcosidekick-ui/raw/master/imgs/webui_04.png" loading="lazy" /> </p> <h1 id="deployments">Deployments</h1> <p>The Helm charts are already up to date, you can upgrade your deployments with:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>helm upgrade falcosidekick falcosecurity/falcosidekick --set webui.enabled=true -n falco<span style="color:#bbb"> </span></span></span></code></pre></div><p>or</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>helm upgrade falco falcosecurity/falco \<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>--set falcosidekick.enabled=true \<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>--set falcosdekick.webui.enabled=true -n falco<span style="color:#bbb"> </span></span></span></code></pre></div><p><em>Enjoy</em></p> <hr> <p>If you would like to find out more about Falco:</p> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falco">Falco project in GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Kubernetes Response Engine, Part 9: Falcosidekick + Fissionhttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-9-fission/Wed, 01 Sep 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-9-fission/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7 : Falcosidekick + Cloud Functions</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/">Kubernetes Response Engine, Part 8: Falcosidekick + Flux v2</a></li> </ul> </blockquote> <hr> <p>The earlier posts in this series, show how to use Kubeless, Argo, Knative, and others to trigger a resource after getting input from Falcosidekick. Recently, Falcosidekick received a new output type support for <a href="https://github.com/falcosecurity/falcosidekick/pull/255">Fission</a>.</p> <p>In this blog post, we will cover using <code>Falcosidekick</code> and <code>Fission</code> to detect and delete a compromised pod in a Kubernetes cluster. We will briefly talk about Fission in this blog, however, you can check the complete documentation <a href="https://fission.io/">here</a>.</p> <h2 id="prerequisites">Prerequisites</h2> <p>We need tools with the following minimum versions to achieve this demo:</p> <ul> <li>Minikube v1.19.0</li> <li>Helm v3.5.4</li> <li>kubectl v1.21.0</li> <li>fission-cli v1.13.1</li> </ul> <h3 id="provision-local-kubernetes-cluster">Provision local Kubernetes Cluster</h3> <p>There are various ways to provision a local Kubernetes cluster such as, KinD, k3s, k0s, Minikube, etc. We are going to use Minikube in this walkthrough.</p> <p>Let's get provisioned a local Kubernetes cluster:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ minikube start --cpus <span style="color:#666">3</span> --memory <span style="color:#666">8192</span> --vm-driver virtualbox </span></span><span style="display:flex;"><span>😄 minikube v1.19.0 on Darwin 10.15.7 </span></span><span style="display:flex;"><span>✨ Using the virtualbox driver based on user configuration </span></span><span style="display:flex;"><span>👍 Starting control plane node minikube in cluster minikube </span></span><span style="display:flex;"><span>🔥 Creating virtualbox VM <span style="color:#666">(</span><span style="color:#b8860b">CPUs</span><span style="color:#666">=</span>3, <span style="color:#b8860b">Memory</span><span style="color:#666">=</span>8192MB, <span style="color:#b8860b">Disk</span><span style="color:#666">=</span>20000MB<span style="color:#666">)</span> ... </span></span><span style="display:flex;"><span>🐳 Preparing Kubernetes v1.20.2 on Docker 20.10.4 ... </span></span><span style="display:flex;"><span> ▪ Generating certificates and keys ... </span></span><span style="display:flex;"><span> ▪ Booting up control plane ... </span></span><span style="display:flex;"><span> ▪ Configuring RBAC rules ... </span></span><span style="display:flex;"><span>🔎 Verifying Kubernetes components... </span></span><span style="display:flex;"><span> ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5 </span></span><span style="display:flex;"><span>🌟 Enabled addons: storage-provisioner, default-storageclass </span></span><span style="display:flex;"><span>🏄 Done! kubectl is now configured to use <span style="color:#b44">&#34;minikube&#34;</span> cluster and <span style="color:#b44">&#34;default&#34;</span> namespace by default </span></span></code></pre></div><h2 id="install-fission">Install Fission</h2> <p>Fission is a fast, open source serverless framework for Kubernetes with a focus on developer productivity and high performance. Fission operates on just the code: Docker and Kubernetes are abstracted away under normal operation, though you can use both to extend Fission if you want to.</p> <p>Follow the official documentation for <a href="https://docs.fission.io/docs/installation/">deploying Fission to Kubernetes</a>.</p> <p>Here we will be using Helm to install Fission:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#a2f">export</span> <span style="color:#b8860b">FISSION_NAMESPACE</span><span style="color:#666">=</span><span style="color:#b44">&#34;fission&#34;</span> </span></span><span style="display:flex;"><span>$ kubectl create namespace <span style="color:#b8860b">$FISSION_NAMESPACE</span> </span></span><span style="display:flex;"><span>$ kubectl create -k <span style="color:#b44">&#34;github.com/fission/fission/crds/v1?ref=1.13.1&#34;</span> </span></span><span style="display:flex;"><span>$ helm repo add fission-charts https://fission.github.io/fission-charts/ </span></span><span style="display:flex;"><span>$ helm repo update </span></span><span style="display:flex;"><span>$ helm install --version 1.13.1 --namespace <span style="color:#b8860b">$FISSION_NAMESPACE</span> fission fission-charts/fission-all </span></span><span style="display:flex;"><span>NAME: fission </span></span><span style="display:flex;"><span>LAST DEPLOYED: Wed Jul <span style="color:#666">21</span> 18:03:44 <span style="color:#666">2021</span> </span></span><span style="display:flex;"><span>NAMESPACE: fission </span></span><span style="display:flex;"><span>STATUS: deployed </span></span><span style="display:flex;"><span>REVISION: <span style="color:#666">1</span> </span></span><span style="display:flex;"><span>TEST SUITE: None </span></span><span style="display:flex;"><span>NOTES: </span></span><span style="display:flex;"><span>1. Install the client CLI. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Mac: </span></span><span style="display:flex;"><span> $ curl -Lo fission https://github.com/fission/fission/releases/download/1.13.1/fission-1.13.1-darwin-amd64 <span style="color:#666">&amp;&amp;</span> chmod +x fission <span style="color:#666">&amp;&amp;</span> sudo mv fission /usr/local/bin/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Linux: </span></span><span style="display:flex;"><span> $ curl -Lo fission https://github.com/fission/fission/releases/download/1.13.1/fission-1.13.1-linux-amd64 <span style="color:#666">&amp;&amp;</span> chmod +x fission <span style="color:#666">&amp;&amp;</span> sudo mv fission /usr/local/bin/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Windows: </span></span><span style="display:flex;"><span> For Windows, you can use the linux binary on WSL. Or you can download this windows executable: https://github.com/fission/fission/releases/download/1.13.1/fission-1.13.1-windows-amd64.exe </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>2. You<span style="">&#39;</span>re ready to use Fission! </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#080;font-style:italic"># Create an environment</span> </span></span><span style="display:flex;"><span> $ fission env create --name nodejs --image fission/node-env </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#080;font-style:italic"># Get a hello world</span> </span></span><span style="display:flex;"><span> $ curl https://raw.githubusercontent.com/fission/examples/master/nodejs/hello.js &gt; hello.js </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#080;font-style:italic"># Register this function with Fission</span> </span></span><span style="display:flex;"><span> $ fission <span style="color:#a2f;font-weight:bold">function</span> create --name hello --env nodejs --code hello.js </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#080;font-style:italic"># Run this function</span> </span></span><span style="display:flex;"><span> $ fission <span style="color:#a2f;font-weight:bold">function</span> <span style="color:#a2f">test</span> --name hello </span></span><span style="display:flex;"><span> Hello, world! </span></span></code></pre></div><p>Check if everything is working before moving onto the next step:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace fission </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>buildermgr-5698c89fff-rk9z6 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>controller-5dcb44bcd6-vq9hb 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>executor-6b6d6469d6-2xrlk 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>fission-kube-state-metrics-5fc9bd6684-7ffwp 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>fission-prometheus-alertmanager-65f5574885-tlrz6 2/2 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>fission-prometheus-node-exporter-jd9w6 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>fission-prometheus-node-exporter-jpzn8 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>fission-prometheus-node-exporter-rb25l 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>fission-prometheus-pushgateway-54c87b5796-28x2h 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>fission-prometheus-server-9d64c74b4-ld97h 2/2 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>influxdb-59649c8c6-5vx54 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>kubewatcher-6996fccc6b-5vbvx 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>logger-6kdw4 2/2 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>logger-nmw9t 2/2 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>logger-zkrq9 2/2 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>mqtrigger-keda-7584989c48-n5w6g 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>mqtrigger-nats-streaming-664c55c979-t9gp5 1/1 Running <span style="color:#666">0</span> 7m19s </span></span><span style="display:flex;"><span>nats-streaming-6c6d7c6fbf-ft468 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>router-5c5c6cbb87-989pc 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>storagesvc-57ccf58976-qcr4d 1/1 Running <span style="color:#666">0</span> 7m19s </span></span><span style="display:flex;"><span>timer-794b89579b-6kxwx 1/1 Running <span style="color:#666">0</span> 7m20s </span></span></code></pre></div><h2 id="install-falco-falcosidekick">Install Falco + Falcosidekick</h2> <p>Firstly, we'll create the namespace that will host both <code>Falco</code> and <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl create namespace falco </span></span></code></pre></div><p>We add the <code>helm</code> repo:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span><span style="display:flex;"><span><span style="color:#b44">&#34;falcosecurity&#34;</span> has been added to your repositories </span></span><span style="display:flex;"><span>$ helm repo update </span></span><span style="display:flex;"><span>Hang tight <span style="color:#a2f;font-weight:bold">while</span> we grab the latest from your chart repositories... </span></span><span style="display:flex;"><span>...Successfully got an update from the <span style="color:#b44">&#34;falcosecurity&#34;</span> chart repository </span></span><span style="display:flex;"><span>...Successfully got an update from the <span style="color:#b44">&#34;openfaas&#34;</span> chart repository </span></span><span style="display:flex;"><span>Update Complete. ⎈Happy Helming!⎈ </span></span></code></pre></div><p>In a real project, you should get the whole chart with <code>helm pull falcosecurity/falco --untar</code> and then configure the <code>values.yaml</code>. For this tutorial, will try to keep thing as easy as possible and set configs directly by passing arguments to <code>helm install</code> command line:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ helm upgrade --install falco falcosecurity/falco --namespace falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.config.fission.function<span style="color:#666">=</span><span style="color:#b44">&#34;falco-pod-delete&#34;</span> </span></span></code></pre></div><p>You should get this output:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>Release <span style="color:#b44">&#34;falco&#34;</span> does not exist. Installing it now. </span></span><span style="display:flex;"><span>NAME: falco </span></span><span style="display:flex;"><span>LAST DEPLOYED: Tue Apr <span style="color:#666">13</span> 10:49:49 <span style="color:#666">2021</span> </span></span><span style="display:flex;"><span>NAMESPACE: falco </span></span><span style="display:flex;"><span>STATUS: deployed </span></span><span style="display:flex;"><span>REVISION: <span style="color:#666">1</span> </span></span><span style="display:flex;"><span>NOTES: </span></span><span style="display:flex;"><span>Falco agents are spinning up on each node in your cluster. After a few </span></span><span style="display:flex;"><span>seconds, they are going to start monitoring your containers looking <span style="color:#a2f;font-weight:bold">for</span> </span></span><span style="display:flex;"><span>security issues. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>No further action should be required. </span></span></code></pre></div><p>And you can see your new <code>Falco</code> and <code>Falcosidekick</code>pods:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace falco </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-falcosidekick-f77c58899-gd467 1/1 Running <span style="color:#666">0</span> 51s </span></span><span style="display:flex;"><span>falco-falcosidekick-f77c58899-hfsjx 1/1 Running <span style="color:#666">0</span> 51s </span></span><span style="display:flex;"><span>falco-hg2wm 1/1 Running <span style="color:#666">0</span> 51s </span></span></code></pre></div><p>The argument <code>falcosidekick.enabled=true</code> sets the following settings in <em>Falco</em> for you:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>--set falco.jsonOutput<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falco.httpOutput.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falco.httpOutput.url<span style="color:#666">=</span>http://falco-falcosidekick:2801 </span></span></code></pre></div><p>The arguments <code>--set falco.jsonOutput=true --set falco.httpOutput.enabled=true --set falco.httpOutput.url=http://falco-falcosidekick:2801</code> are there to configure the format of events and the URL where <code>Falco</code> will send them. As <code>Falco</code> and <code>Falcosidekick</code> will be in the same namespace, it can directly use the name of the service (<code>falco-falcosidekick</code>) above <code>Falcosidekick</code> pods.</p> <p>We check the logs:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs deployment/falco-falcosidekick -n falco </span></span><span style="display:flex;"><span>Found <span style="color:#666">2</span> pods, using pod/falco-falcosidekick-f77c58899-gd467 </span></span><span style="display:flex;"><span>2021/07/21 12:52:02 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Enabled Outputs : <span style="color:#666">[</span>Fission<span style="color:#666">]</span> </span></span><span style="display:flex;"><span>2021/07/21 12:52:02 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Falco Sidekick is up and listening on :2801 </span></span></code></pre></div><p><code>Fission</code> is displayed as enabled output, everything is good 👍.</p> <h2 id="install-our-fission-function">Install our Fission Function</h2> <p>Our really basic function will receive events from <code>Falco</code>, thanks to <code>Falcosidekick</code>, check if the triggered rule is <a href="https://github.com/falcosecurity/falco/blob/0d7068b048772b1e2d3ca5c86c30b3040eac57df/rules/falco_rules.yaml#L2063">Terminal Shell in container</a>, extract the <em>namespace</em> and <em>pod name</em> from the fields of events and delete the according pod:</p> <p>Basically, the process is:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span> +----------+ +---------------+ +----------+ </span></span><span style="display:flex;"><span> | Falco +-----------------&gt; Falcosidekick +--------------------&gt; Fission | </span></span><span style="display:flex;"><span> +----^-----+ sends event +---------------+ triggers +-----+----+ </span></span><span style="display:flex;"><span> | | </span></span><span style="display:flex;"><span>detects a shell | | </span></span><span style="display:flex;"><span> | | </span></span><span style="display:flex;"><span> +----+-------+ deletes | </span></span><span style="display:flex;"><span> | Pwned Pod &lt;----------------------------------------------------------+ </span></span><span style="display:flex;"><span> +------------+ </span></span></code></pre></div><p>Let's get the function and other artifacts:</p> <pre tabindex="0"><code>$ git clone https://github.com/fission/examples.git &amp;&amp; cd examples/sample/falco </code></pre><p>The function we are going to deploy basically receives events for an infected pod from the <em>Falcosidekick</em> and deletes it immediately. Before deploying the function we need some permissions to delete Pod. We create a <code>ServiceAccount</code> with rights to delete a Pod in any namespace, and we'll associate it to our function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">apiVersion</span>:<span style="color:#bbb"> </span>v1<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>ServiceAccount<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">metadata</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>falco-pod-delete<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">namespace</span>:<span style="color:#bbb"> </span>fission-function<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#00f;font-weight:bold">---</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>ClusterRole<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">apiVersion</span>:<span style="color:#bbb"> </span>rbac.authorization.k8s.io/v1<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">metadata</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>falco-pod-delete-cluster-role<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">rules</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">apiGroups</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">resources</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;configmaps&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;secrets&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">verbs</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;get&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">apiGroups</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">resources</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;pods&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">verbs</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;get&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;list&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;delete&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">apiGroups</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">resources</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;events&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">verbs</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;*&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">apiGroups</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;fission.io&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">resources</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;packages&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">verbs</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;get&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;list&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#00f;font-weight:bold">---</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>ClusterRoleBinding<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">apiVersion</span>:<span style="color:#bbb"> </span>rbac.authorization.k8s.io/v1<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">metadata</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>falco-pod-delete-cluster-role-binding<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">roleRef</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>ClusterRole<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>falco-pod-delete-cluster-role<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">apiGroup</span>:<span style="color:#bbb"> </span>rbac.authorization.k8s.io<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">subjects</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>ServiceAccount<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>falco-pod-delete<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">namespace</span>:<span style="color:#bbb"> </span>fission-function<span style="color:#bbb"> </span></span></span></code></pre></div><p>Let's create the service account with:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>$ kubectl apply -f sa-falco-pod-delete.yaml </span></span></code></pre></div><p>The <code>falco-pod-delete/handler.go</code> contains our function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-golang" data-lang="golang"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">package</span><span style="color:#bbb"> </span>main<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">import</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;context&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;encoding/json&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;io/ioutil&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;log&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;net/http&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;time&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>metaV1<span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/apimachinery/pkg/apis/meta/v1&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/kubernetes&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/rest&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>kubeClient<span style="color:#bbb"> </span><span style="color:#666">*</span>kubernetes.Clientset<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">init</span>()<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// creates the in-cluster config</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>config,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>rest.<span style="color:#00a000">InClusterConfig</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(err.<span style="color:#00a000">Error</span>())<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// creates the clientset</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>kubeClient,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>kubernetes.<span style="color:#00a000">NewForConfig</span>(config)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(err.<span style="color:#00a000">Error</span>())<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">type</span><span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Output<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Priority<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;priority&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Rule<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;rule&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Time<span style="color:#bbb"> </span>time.Time<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>OutputFields<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerID<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.id&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageRepository<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.repository&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageTag<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.tag&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>EvtTime<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">int64</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;evt.time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>FdName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;fd.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SNsName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.ns.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SPodName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.pod.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ProcCmdline<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;proc.cmdline&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output_fields&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>criticalNamespaces<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>[]<span style="color:#0b0;font-weight:bold">string</span>{<span style="color:#b44">&#34;kube-system&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;kube-public&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;kube-node-lease&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;falco&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;fission&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;fission-function&#34;</span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">Handler</span>(w<span style="color:#bbb"> </span>http.ResponseWriter,<span style="color:#bbb"> </span>r<span style="color:#bbb"> </span><span style="color:#666">*</span>http.Request)<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>alert<span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>r.Body<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">defer</span><span style="color:#bbb"> </span>r.Body.<span style="color:#00a000">Close</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>body,<span style="color:#bbb"> </span>_<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>ioutil.<span style="color:#00a000">ReadAll</span>(r.Body)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>json.<span style="color:#00a000">Unmarshal</span>(body,<span style="color:#bbb"> </span><span style="color:#666">&amp;</span>alert)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;\n[ INFO ] Alert : %v\n&#34;</span>,<span style="color:#bbb"> </span>alert)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>podName<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>alert.OutputFields.K8SPodName<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>namespace<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>alert.OutputFields.K8SNsName<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>critical<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">bool</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">for</span><span style="color:#bbb"> </span>_,<span style="color:#bbb"> </span>ns<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">range</span><span style="color:#bbb"> </span>criticalNamespaces<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>ns<span style="color:#bbb"> </span><span style="color:#666">==</span><span style="color:#bbb"> </span>namespace<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>critical<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">break</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>!critical<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>_,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>kubeClient.<span style="color:#00a000">CoreV1</span>().<span style="color:#00a000">Pods</span>(namespace).<span style="color:#00a000">Get</span>(context.<span style="color:#00a000">Background</span>(),<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>metaV1.GetOptions{})<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;\n[ WARN ] Failed to get pod &#39;%s&#39; in &#39;%s&#39; namespace&#34;</span>,<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>namespace)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;Deleting pod %s from namespace %s&#34;</span>,<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>namespace)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>kubeClient.<span style="color:#00a000">CoreV1</span>().<span style="color:#00a000">Pods</span>(namespace).<span style="color:#00a000">Delete</span>(context.<span style="color:#00a000">Background</span>(),<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>metaV1.DeleteOptions{})<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;\n[ ERROR ] Failed to delete pod: %v&#34;</span>,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>w.<span style="color:#00a000">WriteHeader</span>(http.StatusInternalServerError)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>w.<span style="color:#00a000">Write</span>([]<span style="color:#a2f">byte</span>(err.<span style="color:#00a000">Error</span>()))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>w.<span style="color:#00a000">WriteHeader</span>(http.StatusOK)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>w.<span style="color:#00a000">Write</span>([]<span style="color:#a2f">byte</span>(<span style="color:#b44">&#34;OK&#34;</span>))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span></code></pre></div><p>A fission function requires an environment/runtime to run. The <code>yaml</code> definitions for the runtime, the function and the router are available under the <code>specs</code> directory.</p> <p>Now, we are ready to deploy our <em>falco-pod-delete</em> function using the specs:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ fission spec apply </span></span><span style="display:flex;"><span>DeployUID: edc80e3e-7d1e-448c-aba8-c8cd75b3a1eb </span></span><span style="display:flex;"><span>Resources: </span></span><span style="display:flex;"><span> * <span style="color:#666">1</span> Functions </span></span><span style="display:flex;"><span> * <span style="color:#666">1</span> Environments </span></span><span style="display:flex;"><span> * <span style="color:#666">1</span> Packages </span></span><span style="display:flex;"><span> * <span style="color:#666">1</span> Http Triggers </span></span><span style="display:flex;"><span> * <span style="color:#666">0</span> MessageQueue Triggers </span></span><span style="display:flex;"><span> * <span style="color:#666">0</span> Time Triggers </span></span><span style="display:flex;"><span> * <span style="color:#666">0</span> Kube Watchers </span></span><span style="display:flex;"><span> * <span style="color:#666">1</span> ArchiveUploadSpec </span></span><span style="display:flex;"><span>Validation Successful </span></span><span style="display:flex;"><span>Spec doesn<span style="">&#39;</span>t belong to Git Tree. </span></span><span style="display:flex;"><span><span style="color:#666">1</span> <span style="color:#a2f;font-weight:bold">function</span> created: falco-pod-delete </span></span><span style="display:flex;"><span><span style="color:#666">1</span> HTTPTrigger created: falco-pod-delete </span></span><span style="display:flex;"><span><span style="color:#666">1</span> environment created: go </span></span><span style="display:flex;"><span><span style="color:#666">1</span> package created: falco-pod-delete-d18f6a0b-e5a1-4275-9471-38d684ac4dfe </span></span></code></pre></div><p>Check if the package was built successfully for our fission function before moving to the next step:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ fission pkg list </span></span><span style="display:flex;"><span>NAME BUILD_STATUS ENV LASTUPDATEDAT </span></span><span style="display:flex;"><span>falco-pod-delete-d18f6a0b-e5a1-4275-9471-38d684ac4dfe succeeded go <span style="color:#666">21</span> Jul <span style="color:#666">21</span> 08:26 IST </span></span></code></pre></div><h2 id="test-our-function">Test our function</h2> <p>We start by creating a dumb pod:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl run alpine --namespace default --image<span style="color:#666">=</span>alpine --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span><span style="display:flex;"><span>pod/alpine created </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace default </span></span><span style="display:flex;"><span>AME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Running <span style="color:#666">0</span> 11s </span></span></code></pre></div><p>Let's run a <em>shell</em> command inside and see what happens:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl <span style="color:#a2f">exec</span> -i --tty alpine --namespace default -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>19:27:21 up <span style="color:#666">50</span> min, load average: 0.11, 0.12, 0.11 </span></span></code></pre></div><p>As expected we got the result of our command, but, if we get the status of the pod we retrieve:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace default </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Terminating <span style="color:#666">0</span> 103s </span></span></code></pre></div><p>💥 <strong>It has been terminated</strong> 💥</p> <p>We can now check the logs of components.</p> <p>For <code>Falco</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs daemonset/falco --namespace falco </span></span><span style="display:flex;"><span>.. </span></span><span style="display:flex;"><span><span style="color:#666">{</span><span style="color:#b44">&#34;output&#34;</span>:<span style="color:#b44">&#34;10:36:32.750441241: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=alpine container=cbd3133ccac6 shell=sh parent=runc cmdline=sh -c uptime terminal=34816 container_id=cbd3133ccac6 image=alpine) k8s.ns=default k8s.pod=alpine container=cbd3133ccac6&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span>:<span style="color:#b44">&#34;Notice&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span>:<span style="color:#b44">&#34;Terminal shell in container&#34;</span>,<span style="color:#b44">&#34;time&#34;</span>:<span style="color:#b44">&#34;2021-07-21T10:36:32.750441241Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span>: <span style="color:#666">{</span><span style="color:#b44">&#34;container.id&#34;</span>:<span style="color:#b44">&#34;cbd3133ccac6&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;evt.time&#34;</span>:1626863792750441241,<span style="color:#b44">&#34;k8s.ns.name&#34;</span>:<span style="color:#b44">&#34;default&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span>:<span style="color:#b44">&#34;sh -c uptime&#34;</span>,<span style="color:#b44">&#34;proc.name&#34;</span>:<span style="color:#b44">&#34;sh&#34;</span>,<span style="color:#b44">&#34;proc.pname&#34;</span>:<span style="color:#b44">&#34;runc&#34;</span>,<span style="color:#b44">&#34;proc.tty&#34;</span>:34816,<span style="color:#b44">&#34;user.loginuid&#34;</span>:-1,<span style="color:#b44">&#34;user.name&#34;</span>:<span style="color:#b44">&#34;root&#34;</span><span style="color:#666">}}</span> </span></span><span style="display:flex;"><span><span style="color:#666">{</span><span style="color:#b44">&#34;output&#34;</span>:<span style="color:#b44">&#34;10:37:09.101509967: Notice Unexpected connection to K8s API Server from container (command=fetcher -secret-dir /secrets -cfgmap-dir /configs -jaeger-collector-endpoint /userfunc k8s.ns=fission-function k8s.pod=poolmgr-go-default-516098-5bdbf8c8f5-g8gvc container=281c99ea33c2 image=fission/fetcher:1.13.1 connection=192.168.43.223:39526-&gt;10.100.0.1:443) k8s.ns=fission-function k8s.pod=poolmgr-go-default-516098-5bdbf8c8f5-g8gvc container=281c99ea33c2&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span>:<span style="color:#b44">&#34;Notice&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span>:<span style="color:#b44">&#34;Contact K8S API Server From Container&#34;</span>,<span style="color:#b44">&#34;time&#34;</span>:<span style="color:#b44">&#34;2021-07-21T10:37:09.101509967Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span>: <span style="color:#666">{</span><span style="color:#b44">&#34;container.id&#34;</span>:<span style="color:#b44">&#34;281c99ea33c2&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span>:<span style="color:#b44">&#34;fission/fetcher&#34;</span>,<span style="color:#b44">&#34;container.image.tag&#34;</span>:<span style="color:#b44">&#34;1.13.1&#34;</span>,<span style="color:#b44">&#34;evt.time&#34;</span>:1626863829101509967,<span style="color:#b44">&#34;fd.name&#34;</span>:<span style="color:#b44">&#34;192.168.43.223:39526-&gt;10.100.0.1:443&#34;</span>,<span style="color:#b44">&#34;k8s.ns.name&#34;</span>:<span style="color:#b44">&#34;fission-function&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span>:<span style="color:#b44">&#34;poolmgr-go-default-516098-5bdbf8c8f5-g8gvc&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span>:<span style="color:#b44">&#34;fetcher -secret-dir /secrets -cfgmap-dir /configs -jaeger-collector-endpoint /userfunc&#34;</span><span style="color:#666">}}</span> </span></span><span style="display:flex;"><span>.. </span></span></code></pre></div><p>For <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs deployment/falco-falcosidekick --namespace falco </span></span><span style="display:flex;"><span>.. </span></span><span style="display:flex;"><span>2021/07/21 10:37:13 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Fission - Post OK <span style="color:#666">(</span>200<span style="color:#666">)</span> </span></span><span style="display:flex;"><span>2021/07/21 10:36:32 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Fission - Function Response : OK </span></span><span style="display:flex;"><span>2021/07/21 10:36:32 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Fission - Call Function <span style="color:#b44">&#34;falco-pod-delete&#34;</span> OK </span></span><span style="display:flex;"><span>.. </span></span></code></pre></div><p>For <em>falco-delete-pod</em> function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ fission <span style="color:#a2f;font-weight:bold">function</span> logs -f --name falco-pod-delete </span></span><span style="display:flex;"><span>.. </span></span><span style="display:flex;"><span><span style="color:#666">[</span>2021-07-21 10:47:27.206605532 +0000 UTC<span style="color:#666">]</span> 2021/07/21 10:47:27 Deleting pod alpine from namespace default </span></span><span style="display:flex;"><span>.. </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>With this really simple example, we got another way to create a Response Engine with amazing pieces of software from the Open Source world. We only scratched the surface of possibilities, so don't hesitate to share with us your comments, ideas and successes.</p> <hr> <p>If you would like to find out more about Falco:</p> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falco">Falco project in GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Kubernetes Response Engine, Part 8: Falcosidekick + Flux v2https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/Tue, 31 Aug 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7 : Falcosidekick + Cloud Functions</a></li> </ul> </blockquote> <hr> <p>Today, we will set up another KRE (Kubernetes Response Engine) based on <code>Flux (version 2)</code>. If you don't know about <code>Flux (version 2)</code>, let me explain it in a few words. <code>Flux (version 2)</code> is a tool for keeping Kubernetes clusters in sync with configuration sources (such as Git repositories) and automating updates to the configuration when new code is available to deploy.</p> <p>To learn more about <code>Flux (version 2)</code>, see <a href="https://fluxcd.io/docs/">Flux Documentation</a>.</p> <p><code>Flux (version 2)</code> might look like a GitOps tool. It is, in reality, another GitOps tool in that it watches Github repositories for configuration changes and keeps the current state and the desired state always in sync. It does that on top of Kubernetes by using a bunch of CRs (Custom Resources). However, unlike Knative Eventing, Tekton Triggers, and Argo Events, <code>Flux (version 2)</code> does not support an eventing system to forward events from one point to another.</p> <p>To set up KRE with <code>Flux (version 2)</code>, we will create a small project that listens to events and updates the GitHub repository, which <code>Flux (version 2)</code> monitors to alter the desired state. For example, get the event of a pwned pod, then change its replicas to zero within the deployment YAML file.</p> <p>The reference architecture given below illustrates the content of this blog.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/kre_flux_v2_gitops_toolkit.png" alt="kre_flux_v2_gitops_toolkit" loading="lazy" /> </p> <!-- START doctoc generated TOC please keep comment here to allow auto update --> <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --> <p><strong>Table of Contents</strong></p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/#prerequisites">Prerequisites</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/#tutorial">Tutorial</a> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/#provision-local-kubernetes-cluster">Provision local Kubernetes Cluster</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/#install-flux-v2---gitops-toolkit">Install Flux V2 - GitOps Toolkit</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/#install-falco-event-listener">Install falco-event-listener</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/#installing-falco-and-falcosidekick">Installing Falco and Falcosidekick</a></li> </ul> </li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/#test">Test</a></li> </ul> <!-- END doctoc generated TOC please keep comment here to allow auto update --> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>minikube v1.21.0</li> <li>helm v3.6.2+gee407bd</li> <li>kubectl v1.21.1</li> <li>ko v0.8.3</li> <li>flux v0.16.0</li> <li>gcloud v347.0.0</li> </ul> <h2 id="tutorial">Tutorial</h2> <h3 id="provision-local-kubernetes-cluster">Provision local Kubernetes Cluster</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ minikube config view </span></span><span style="display:flex;"><span>- cpus: <span style="color:#666">3</span> </span></span><span style="display:flex;"><span>- driver: virtualbox </span></span><span style="display:flex;"><span>- memory: <span style="color:#666">8192</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>minikube start </span></span></code></pre></div><h3 id="install-flux-v2-gitops-toolkit">Install Flux V2 - GitOps Toolkit</h3> <p>I highly recommended that you check out <a href="https://fluxcd.io/docs/get-started/">getting started</a> page of <code>Flux (version 2)</code>. It gives you detailed installation instructions for <code>Flux (version 2)</code>.</p> <p>For <code>Flux (version 2)</code> to create a GitHub repository for its resources, we must define the token and username information. Then, <code>Flux (version 2)</code> installed in a GitOps way, and <code>Flux (version 2)</code> will push its manifest to the repository.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">GITHUB_USER</span><span style="color:#666">=</span>&lt;username&gt; </span></span><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">GITHUB_TOKEN</span><span style="color:#666">=</span>&lt;token&gt; </span></span></code></pre></div><p>Once the necessary environment variables are defined, we can install <code>Flux (version 2)</code>. The following command will create and push its manifests to the repository, then install Flux components.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>flux bootstrap github <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --owner<span style="color:#666">=</span><span style="color:#b8860b">$GITHUB_USER</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --repository<span style="color:#666">=</span>fleet-infra <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --branch<span style="color:#666">=</span>main <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --path<span style="color:#666">=</span>./clusters/my-cluster <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --personal </span></span></code></pre></div><p>After the installation is complete, the next step is creating the alpine <a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/alpine-gitsource.yaml">GitRepository</a> and <a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/alpine-kustomization.yaml">Kustomization</a> CRD's (Custom Resource Definitions). For more information, see <a href="https://fluxcd.io/docs/components/">components</a>.</p> <p>Apply the CRD files as follows:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl apply -f https://raw.githubusercontent.com/developer-guy/kubernetes-response-engine-based-on-flux-v2-gitops-toolkit/master/alpine-gitsource.yaml </span></span><span style="display:flex;"><span>gitrepository.source.toolkit.fluxcd.io/alpine created </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ kubectl apply -f https://raw.githubusercontent.com/developer-guy/kubernetes-response-engine-based-on-flux-v2-gitops-toolkit/master/alpine-kustomization.yaml </span></span><span style="display:flex;"><span>kustomization.kustomize.toolkit.fluxcd.io/alpine created </span></span></code></pre></div><p>Alternatively, we can use the <a href="https://fluxcd.io/docs/cmd/#installation">Flux CLI</a>.</p> <p>To create <code>GitRepository</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>flux create <span style="color:#a2f">source</span> git alpine <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --url https://github.com/developer-guy/desired-state-repository <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --branch master <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --interval 30s </span></span></code></pre></div><p>To create <code>Kustomization</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>flux create kustomization alpine <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --source alpine <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --path <span style="color:#b44">&#34;./&#34;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --prune <span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --validation client <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --interval 5m </span></span></code></pre></div><h3 id="install-falco-event-listener">Install falco-event-listener</h3> <p>As the name suggests, this program will listen to an event in the form of <code>CloudEvents.</code> This CloudEvents forwarded from Falcosidekick, a simple daemon for enhancing available outputs for Falco. After the successful receipt of the event, <code>falco-event-listener</code> will update the YAML definition to scale its replicas to zero based on the pieces of information given in the event.</p> <p>In most basic form, the architecture of the demo is:</p> <p>Falco w/HTTP --&gt; Falcosidekick w/CloudEvent --&gt; falco-event-listener w/HTTP --&gt; GitHub</p> <p>To learn more about <code>CloudEvents</code>, see <a href="https://cloudevents.io">cloudevents.io</a>.</p> <p>First, let us clone the <code>falco-event-listener</code> repository.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>git clone https://github.com/developer-guy/falco-event-listener </span></span><span style="display:flex;"><span><span style="color:#a2f">cd</span> falco-event-listener </span></span></code></pre></div><p>Before installing this project, we have to do a couple of things.</p> <ul> <li>We have to <a href="https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token">create a GitHub PAT (Personal Access Token)</a> to be able to update the desired state configurations which are in the GitHub repository after we detect a malicious behavior related to our pod has detected.</li> </ul> <p>As you can see in the above arguments, we should pass <code>GITHUB_TOKEN</code> as an argument to our CLI application. The best option is storing <code>GITHUB_TOKEN</code> in a Kubernetes Secret and <a href="https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables">using Secret as environment variables</a>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create namespace falco </span></span><span style="display:flex;"><span>kubectl create secret generic github-secret <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --from-literal <span style="color:#b8860b">GITHUB_TOKEN</span><span style="color:#666">=</span><span style="color:#b8860b">$GITHUB_TOKEN</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --namespace falco </span></span></code></pre></div><ul> <li>You might notice that we are using some URLs (--notify-url) within the flags of the project. Let me explain that why we need it a bit. As you might know, we are trying to set up some remediation engine here, so we have to react to those events thrown by the Falcosidekick as soon as possible. We defined an interval while creating a <code>GitRepository,</code> which means that <code>Flux (version 2)</code> will wait at least that long to sync configurations, so we have to notify <code>Flux (version 2)</code> controllers about changes once we edited the desired state by a process whose name is <code>falco-event-listener.</code> To notify the <code>Flux (version 2)</code> controllers about changes in Git or Helm repositories, we can set up webhooks and trigger a cluster reconciliation every time a source changes. For more detail, please <a href="https://fluxcd.io/docs/guides/webhook-receivers/">see</a>.</li> </ul> <p>There are different kinds of webhook receivers in <code>Flux (version 2)</code>, but we'll use the <code>generic</code> one in this guide.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-golang" data-lang="golang"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">const</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>GenericReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;generic&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>GenericHMACReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;generic-hmac&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>GitHubReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;github&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>GitLabReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;gitlab&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>BitbucketReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;bitbucket&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>HarborReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;harbor&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>DockerHubReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;dockerhub&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>QuayReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;quay&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>GCRReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;gcr&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>NexusReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;nexus&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ACRReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;acr&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>)<span style="color:#bbb"> </span></span></span></code></pre></div><p>Let us to create a <code>Receiver</code>, to do that we have to a couple of things again:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#b8860b">TOKEN</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>head -c <span style="color:#666">12</span> /dev/urandom | sha256sum | cut -d <span style="color:#b44">&#39; &#39;</span> -f1<span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>$ <span style="color:#a2f">echo</span> <span style="color:#b8860b">$TOKEN</span> </span></span><span style="display:flex;"><span>0babd54d2b64d6d6fcd10a663cb6195773e968ba6642ca8c1a8a54df7b52efd0 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ kubectl -n flux-system create secret generic webhook-token <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--from-literal<span style="color:#666">=</span><span style="color:#b8860b">token</span><span style="color:#666">=</span><span style="color:#b8860b">$TOKEN</span> </span></span><span style="display:flex;"><span>secret/webhook-token created </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ cat <span style="color:#b44">&lt;&lt; EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: notification.toolkit.fluxcd.io/v1beta1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: Receiver </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: generic-receiver </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: flux-system </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> type: generic </span></span></span><span style="display:flex;"><span><span style="color:#b44"> secretRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: webhook-token </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiVersion: source.toolkit.fluxcd.io/v1beta1 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kind: GitRepository </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: alpine </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: flux-system </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span><span style="display:flex;"><span>receiver.notification.toolkit.fluxcd.io/generic-receiver created </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ cat <span style="color:#b44">&lt;&lt; EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: Service </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: receiver </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: flux-system </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> type: ClusterIP </span></span></span><span style="display:flex;"><span><span style="color:#b44"> selector: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> app: notification-controller </span></span></span><span style="display:flex;"><span><span style="color:#b44"> ports: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: http </span></span></span><span style="display:flex;"><span><span style="color:#b44"> port: 80 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> protocol: TCP </span></span></span><span style="display:flex;"><span><span style="color:#b44"> targetPort: 9292 </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><p>This program is basically a CLI application and it uses the following <a href="https://github.com/developer-guy/falco-event-listener/blob/master/falcoeventlistener.yaml#L12">arguments as</a>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">args</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;--owner&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;developer-guy&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># this is the owner of the desired state repository</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;--repository&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;desired-state-repository&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># this is the repository which we store desired state configurations</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;--file&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;alpine.yaml&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># this is the file that we are going to update</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;--github-token&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;$(GITHUB_TOKEN)&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;--notify-url&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;http://receiver.flux-system/$(WEBHOOK_URL)&#34;</span><span style="color:#bbb"> </span></span></span></code></pre></div><p>Let us run our project on the Kubernetes cluster. To do that, we'll be using the <code>ko tool.</code> <code>ko,</code> created by Google, is a simple, fast container image builder for Go applications. For more information, see the <a href="https://github.com/google/ko">official repository</a> of the project.</p> <p>We'll use <code>Container Registry</code> as an image repository service provided by the Google Cloud to store, manage, and secure our container images. Alternatively, we could also use <code>DockerHub,</code> <code>quay.io,</code> and so on.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">WEBHOOK_URL</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>kubectl get receivers -n flux-system generic-receiver -ojsonpath<span style="color:#666">=</span><span style="color:#b44">&#39;{.status.url}&#39;</span><span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">PROJECT_ID</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>gcloud config get-value project<span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">KO_DOCKER_REPO</span><span style="color:#666">=</span>gcr.io/<span style="color:#b8860b">$PROJECT_ID</span> </span></span><span style="display:flex;"><span>envsubst &lt; falcoeventlistener.yaml | ko apply -f - </span></span></code></pre></div><blockquote> <p>If you are using a private container registry, don't forget to create a registry secret to pull and push images. You can follow the following guide to achieve this: <br> <a href="https://colinwilson.uk/2020/07/09/using-google-container-registry-with-kubernetes/">https://colinwilson.uk/2020/07/09/using-google-container-registry-with-kubernetes/</a></p> </blockquote> <p>If everything works as expected, we should see an output as given below:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace falco </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-event-listener 1/1 Running <span style="color:#666">0</span> 59s </span></span></code></pre></div><p>The last step we have to do is installing <code>Falco</code> and <code>Falcosidekick</code> with configuring <code>Falcodekick</code> to forward events to our application.</p> <h3 id="installing-falco-and-falcosidekick">Installing Falco and Falcosidekick</h3> <p>For an up-to-date and detailed guide to installing Falco and Falcosidekick, see <a href="https://github.com/falcosecurity/charts/blob/master/falcosidekick/README.md#installing-the-chart">falcosidekick</a>).</p> <p>Let us enable <code>CloudEvents</code> support of <code>Falcosidekick.</code></p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span><span style="display:flex;"><span>helm repo update </span></span><span style="display:flex;"><span>helm upgrade --install falco falcosecurity/falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --namespace falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --set falcosidekick.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --set falcosidekick.webui.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --set falcosidekick.config.cloudevents.address<span style="color:#666">=</span>http://falco-event-listener </span></span></code></pre></div><p>Verify that everything is working as expected:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace falco </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-event-listener 1/1 Running <span style="color:#666">0</span> 5m19s </span></span><span style="display:flex;"><span>falco-falcosidekick-5854669c76-ddvrv 1/1 Running <span style="color:#666">0</span> 2m16s </span></span><span style="display:flex;"><span>falco-falcosidekick-5854669c76-rdlqn 1/1 Running <span style="color:#666">0</span> 2m16s </span></span><span style="display:flex;"><span>falco-falcosidekick-ui-7c5fc8dd54-q4qh9 1/1 Running <span style="color:#666">0</span> 2m16s </span></span><span style="display:flex;"><span>falco-vkl4f 1/1 Running <span style="color:#666">0</span> 2m16s </span></span></code></pre></div><h2 id="test">Test</h2> <p>To test this, we have to connect a shell within the container.</p> <p>Let's list the pods that we already have.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine-deployment-77789455d6-m7flp 1/1 Running <span style="color:#666">15</span> 3h6m </span></span><span style="display:flex;"><span>alpine-deployment-77789455d6-v7fkw 1/1 Running <span style="color:#666">15</span> 3h6m </span></span><span style="display:flex;"><span>podinfo-6df788c7b8-gs5qb 1/1 Running <span style="color:#666">0</span> 3h28m </span></span><span style="display:flex;"><span>podinfo-6df788c7b8-sfxvd 1/1 Running <span style="color:#666">0</span> 3h28m </span></span></code></pre></div><p>Now, run the following command to connect a shell.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl <span style="color:#a2f">exec</span> -ti alpine-deployment-77789455d6-m7flp -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span>19:35:58 up 3:04, load average: 3.12, 1.91, 1.22 </span></span></code></pre></div><p>Once you run the command above, <code>Falco</code> will detect that malicious behavior and send it to the Falcosidekick via HTTP.</p> <p>You should see an output in the <code>Falco</code> logs as given below:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#666">{</span><span style="color:#b44">&#34;output&#34;</span>:<span style="color:#b44">&#34;19:35:58.532086161: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=alpine-deployment-77789455d6-m7flp container=788861c3cf83 shell=sh parent=runc cmdline=sh -c uptime terminal=34816 container_id=788861c3cf83 image=alpine) k8s.ns=default k8s.pod=alpine-deployment-77789455d6-m7flp container=788861c3cf83&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span>:<span style="color:#b44">&#34;Notice&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span>:<span style="color:#b44">&#34;Terminal shell in container&#34;</span>,<span style="color:#b44">&#34;time&#34;</span>:<span style="color:#b44">&#34;2021-06-13T19:35:58.532086161Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span>: <span style="color:#666">{</span><span style="color:#b44">&#34;container.id&#34;</span>:<span style="color:#b44">&#34;788861c3cf83&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;evt.time&#34;</span>:1623612958532086161,<span style="color:#b44">&#34;k8s.ns.name&#34;</span>:<span style="color:#b44">&#34;default&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span>:<span style="color:#b44">&#34;alpine-deployment-77789455d6-m7flp&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span>:<span style="color:#b44">&#34;sh -c uptime&#34;</span>,<span style="color:#b44">&#34;proc.name&#34;</span>:<span style="color:#b44">&#34;sh&#34;</span>,<span style="color:#b44">&#34;proc.pname&#34;</span>:<span style="color:#b44">&#34;runc&#34;</span>,<span style="color:#b44">&#34;proc.tty&#34;</span>:34816,<span style="color:#b44">&#34;user.loginuid&#34;</span>:-1,<span style="color:#b44">&#34;user.name&#34;</span>:<span style="color:#b44">&#34;root&#34;</span><span style="color:#666">}}</span> </span></span></code></pre></div><p>and the similar output below in the <code>Falcosidekick</code> logs:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>falco-falcosidekick-5854669c76-ddvrv falcosidekick 2021/06/13 19:51:45 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : CloudEvents - Send OK </span></span></code></pre></div><p>and the similar output below in the <code>falco-event-listener</code> logs:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>falco-event-listener falco-event-listener 2021/06/13 19:35:59 resp.Status<span style="color:#666">=</span><span style="color:#666">200</span> OK </span></span><span style="display:flex;"><span>falco-event-listener falco-event-listener 2021/06/13 19:35:59 resp.StatusCode<span style="color:#666">=</span><span style="color:#666">200</span> </span></span><span style="display:flex;"><span>falco-event-listener falco-event-listener 2021/06/13 19:35:59 <span style="color:#666">[</span>Terminal shell in container<span style="color:#666">]</span> scaled down to zero alpine-deployment-77789455d6-m7flp from default because 19:35:58.532086161: Notice A shell was spawned in a container with an attached terminal <span style="color:#666">(</span><span style="color:#b8860b">user</span><span style="color:#666">=</span>root <span style="color:#b8860b">user_loginuid</span><span style="color:#666">=</span>-1 k8s.ns<span style="color:#666">=</span>default k8s.pod<span style="color:#666">=</span>alpine-deployment-77789455d6-m7flp <span style="color:#b8860b">container</span><span style="color:#666">=</span>788861c3cf83 <span style="color:#b8860b">shell</span><span style="color:#666">=</span>sh <span style="color:#b8860b">parent</span><span style="color:#666">=</span>runc <span style="color:#b8860b">cmdline</span><span style="color:#666">=</span>sh -c uptime <span style="color:#b8860b">terminal</span><span style="color:#666">=</span><span style="color:#666">34816</span> <span style="color:#b8860b">container_id</span><span style="color:#666">=</span>788861c3cf83 <span style="color:#b8860b">image</span><span style="color:#666">=</span>alpine<span style="color:#666">)</span> k8s.ns<span style="color:#666">=</span>default k8s.pod<span style="color:#666">=</span>alpine-deployment-77789455d6-m7flp <span style="color:#b8860b">container</span><span style="color:#666">=</span>788861c3cf83 </span></span></code></pre></div><p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/kre_flux_v2_gitops_test_result.png" alt="kre_flux_v2_gitops_test_result" loading="lazy" /> </p> <p>You should also notice that a new commit is available in the <code>desired-state-repository</code> as given below:</p> <p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/kre_flux_v2_gitops_update_desired_state_repository.png" alt="kre_flux_v2_gitops_update_desired_state_repository" loading="lazy" /> </p> <p>After the commit, <code>Flux (version 2)</code> will detect the change and sync the current state of the cluster with the desired state in the GitHub repository so that <code>Flux (version 2)</code> will terminate the alpine deployment pods.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods -l <span style="color:#b8860b">app</span><span style="color:#666">=</span>alpine </span></span><span style="display:flex;"><span>No resources found in default namespace. </span></span></code></pre></div>Blog: Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functionshttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/Tue, 29 Jun 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> </ul> </blockquote> <hr> <p>Earlier in this series, we have seen how to use Argo, Tekton, and Knative to trigger a resource after getting input from Falcosidekick. Recently, Falcosidekick received a new output type support for <a href="https://github.com/falcosecurity/falcosidekick/pull/241">Cloud Functions</a>.</p> <p>In this part, let us learn how we can use Falcosidekick and Cloud Functions to detect and delete a compromised pod.</p> <p>We will not go through what Cloud Functions is in-depth, however, you can always find a good overview about it in the <a href="https://cloud.google.com/functions">official documentation</a>.</p> <p>Here is the high-level overview architecture that shows what we want to achieve at the end of the day:</p> <p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/cloud_functions_reference_arch.png" alt="cloud_functions_reference_arch" loading="lazy" /> </p> <p>You can find all the related code and resources in <a href="https://github.com/Dentrax/k8s-response-engine-gke-functions">this repository</a>.</p> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>gcloud 342.0.0</li> <li>kubectl 1.20.5</li> </ul> <h2 id="tutorial">Tutorial</h2> <h3 id="provision-google-kubernetes-engine-gke-cluster">Provision Google Kubernetes Engine (GKE) Cluster</h3> <p>As the blog title said already, we need to create a <a href="https://cloud.google.com/kubernetes-engine">GKE cluster</a> with workload identity enabled:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>gcloud config get-value project<span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>$ <span style="color:#b8860b">CLUSTER_NAME</span><span style="color:#666">=</span>falco-falcosidekick-demo </span></span><span style="display:flex;"><span>$ gcloud container clusters create <span style="color:#b8860b">$CLUSTER_NAME</span> --workload-pool <span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span>.svc.id.goog </span></span><span style="display:flex;"><span>$ gcloud container clusters get-credentials <span style="color:#b8860b">$CLUSTER_NAME</span> </span></span></code></pre></div><h3 id="configure-iam-service-accounts">Configure IAM Service Accounts</h3> <p>We need to create a new <a href="https://cloud.google.com/iam/docs/service-accounts">Service Account</a> for target <code>$GOOGLE_PROJECT_ID</code> using IAM Binding <a href="https://cloud.google.com/iam/docs/policies">policies</a> to get access our Cloud Function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#b8860b">SA_ACCOUNT</span><span style="color:#666">=</span>falco-falcosidekick-sa </span></span><span style="display:flex;"><span>$ gcloud iam service-accounts create <span style="color:#b8860b">$SA_ACCOUNT</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ gcloud projects add-iam-policy-binding <span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--member<span style="color:#666">=</span><span style="color:#b44">&#34;serviceAccount:</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">SA_ACCOUNT</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">@</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">.iam.gserviceaccount.com&#34;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--role<span style="color:#666">=</span><span style="color:#b44">&#34;roles/cloudfunctions.developer&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ gcloud projects add-iam-policy-binding <span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--member<span style="color:#666">=</span><span style="color:#b44">&#34;serviceAccount:</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">SA_ACCOUNT</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">@</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">.iam.gserviceaccount.com&#34;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--role<span style="color:#666">=</span><span style="color:#b44">&#34;roles/cloudfunctions.invoker&#34;</span> </span></span></code></pre></div><p>In the beginning, we already enabled <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">WorkloadIdentity</a> feature for our GKE Cluster by setting <code>--workload-pool</code> flag. What we need to do here is to add a <code>iam.workloadIdentityUser</code> role for the given Service Account.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ gcloud iam service-accounts add-iam-policy-binding <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --role roles/iam.workloadIdentityUser <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --member <span style="color:#b44">&#34;serviceAccount:</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">.svc.id.goog[</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">FALCO_NAMESPACE</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">/falco-falcosidekick]&#34;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> <span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">SA_ACCOUNT</span><span style="color:#b68;font-weight:bold">}</span>@<span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span>.iam.gserviceaccount.com </span></span></code></pre></div><p>We need to <em>annotate</em> the <code>falco-falcosidekick</code> resource. So it can grant access for our Cluster. Set up the Falcosidekick SA to impersonate a GCP SA:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ kubectl annotate serviceaccount <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --namespace <span style="color:#b8860b">$FALCO_NAMESPACE</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> falco-falcosidekick <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> iam.gke.io/gcp-service-account<span style="color:#666">=</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">SA_ACCOUNT</span><span style="color:#b68;font-weight:bold">}</span>@<span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span>.iam.gserviceaccount.com </span></span></code></pre></div><h3 id="create-necessary-cluster-role">Create Necessary Cluster Role</h3> <p>To limit function role access in the particular cluster, ensure that only SA has limited permissions within a particular namespace by using <a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding">Role Bindings</a>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ kubectl create serviceaccount pod-destroyer </span></span><span style="display:flex;"><span>$ kubectl create clusterrole pod-destroyer </span></span><span style="display:flex;"><span> --verb<span style="color:#666">=</span>delete </span></span><span style="display:flex;"><span> --resource<span style="color:#666">=</span>pod <span style="color:#080;font-style:italic"># give only pod resource access for delete op </span> </span></span><span style="display:flex;"><span>$ kubectl create clusterrolebinding pod-destroyer </span></span><span style="display:flex;"><span> --clusterrole pod-destroyer </span></span><span style="display:flex;"><span> --serviceaccount default:pod-destroyer </span></span></code></pre></div><p>To obtain the Token from secret, we need to get <code>pod-deleter</code> ServiceAccount resource first:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ <span style="color:#b8860b">POD_DESTROYER_TOKEN</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>kubectl get secrets <span style="color:#a2f;font-weight:bold">$(</span>kubectl get serviceaccounts pod-deleter -o json <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> | jq -r <span style="color:#b44">&#39;.secrets[0].name&#39;</span><span style="color:#a2f;font-weight:bold">)</span> -o json <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> | jq -r <span style="color:#b44">&#39;.data.token&#39;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> | base64 -D<span style="color:#a2f;font-weight:bold">)</span> </span></span></code></pre></div><p>Add the <code>pod-destroyer</code> user to your <em>KUBECONFIG</em>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Generate your KUBECONFIG</span> </span></span><span style="display:flex;"><span>$ kubectl config view --minify --flatten &gt; kubeconfig_pod-destroyer.yaml </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Set the token at the end of yaml</span> </span></span><span style="display:flex;"><span>$ cat <span style="color:#b44">&lt;&lt; EOF &gt;&gt; kubeconfig_pod-destroyer.yaml </span></span></span><span style="display:flex;"><span><span style="color:#b44">users: </span></span></span><span style="display:flex;"><span><span style="color:#b44">- name: user.name </span></span></span><span style="display:flex;"><span><span style="color:#b44"> user: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> token: $POD_DE</span>STROYER_TOKEN </span></span></code></pre></div><p>We can test it with <a href="https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access">auth can-i</a> to check if roles are set correctly</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ kubectl auth can-i list deployments <span style="color:#080;font-style:italic"># no</span> </span></span><span style="display:flex;"><span>$ kubectl auth can-i delete pod <span style="color:#080;font-style:italic"># yes</span> </span></span><span style="display:flex;"><span>$ kubectl access-matrix <span style="color:#080;font-style:italic"># github.com/corneliusweig/rakkess</span> </span></span></code></pre></div><h3 id="create-secret-manager">Create Secret Manager</h3> <p>The main reason Secret Manager get involved our architecture is because we had to find a way out to initialize our <em>kubeclient</em> in our function by getting <code>pod-destroyer</code>'s <em>KUBECONFIG</em>.</p> <p>We need to create a new <em>secrets IAM policy</em> for the SA member to enable <a href="https://cloud.google.com/secret-manager/docs/managing-secrets">Managing Secrets</a>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ gcloud secrets add-iam-policy-binding pod-destroyer <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --role roles/secretmanager.secretAccessor <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --member serviceAccount:<span style="color:#b8860b">$SA_ACCOUNT</span>@<span style="color:#b8860b">$GOOLE_PROJECT_ID</span>.iam.gserviceaccount.com </span></span></code></pre></div><p>Create a new secret, called <code>pod-destroyer</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ gcloud secrets create pod-destroyer --replication-policy<span style="color:#666">=</span><span style="color:#b44">&#34;automatic&#34;</span> </span></span></code></pre></div><p>Push the our generated <code>kubeconfig_pod-destroyer.yaml</code> file as a new version:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ gcloud secrets versions add pod-destroyer --data-file<span style="color:#666">=</span>kubeconfig_pod-destroyer.yaml </span></span></code></pre></div><p>Finally, we are ready to deploy our Cloud Run function!</p> <h3 id="deploy-google-cloud-function">Deploy Google Cloud Function</h3> <p>In this demonstration our function will simply <em>delete the pwned Pod</em>, as we already pointed it out in the architecture diagram.</p> <ul> <li>The Go code</li> </ul> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-go" data-lang="go"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">package</span><span style="color:#bbb"> </span>kill_the_pwned_pod<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">import</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>secretmanager<span style="color:#bbb"> </span><span style="color:#b44">&#34;cloud.google.com/go/secretmanager/apiv1&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;context&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;encoding/json&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;fmt&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>secretmanagerpb<span style="color:#bbb"> </span><span style="color:#b44">&#34;google.golang.org/genproto/googleapis/cloud/secretmanager/v1&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;io/ioutil&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>metaV1<span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/apimachinery/pkg/apis/meta/v1&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/kubernetes&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/tools/clientcmd&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;net/http&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;os&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;time&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// Alert falco data structure</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">type</span><span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Output<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Priority<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;priority&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Rule<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;rule&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Time<span style="color:#bbb"> </span>time.Time<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>OutputFields<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerID<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.id&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageRepository<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.repository&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageTag<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.tag&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>EvtTime<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">int64</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;evt.time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>FdName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;fd.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SNsName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.ns.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SPodName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.pod.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ProcCmdline<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;proc.cmdline&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output_fields&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>op<span style="color:#bbb"> </span>Operation<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">type</span><span style="color:#bbb"> </span>Operation<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>clientSet<span style="color:#bbb"> </span><span style="color:#666">*</span>kubernetes.Clientset<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// init initializes new Kubernetes ClientSet with given config</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">init</span>()<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// The resource name of the KUBECONFIG_SECRET_NAME in the format</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// `projects/*/secrets/*/versions/*`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>resource<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>os.<span style="color:#00a000">Getenv</span>(<span style="color:#b44">&#34;KUBECONFIG_SECRET_NAME&#34;</span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span><span style="color:#a2f">len</span>(resource)<span style="color:#bbb"> </span><span style="color:#666">==</span><span style="color:#bbb"> </span><span style="color:#666">0</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;$KUBECONFIG_SECRET_NAME env variable did not set&#34;</span>))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>secret,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span><span style="color:#00a000">GetSecret</span>(resource)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;get secret: %q&#34;</span>,<span style="color:#bbb"> </span>err))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>kubeCfg,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>clientcmd.<span style="color:#00a000">NewClientConfigFromBytes</span>(secret)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;new client config: %q&#34;</span>,<span style="color:#bbb"> </span>err))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>restCfg,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>kubeCfg.<span style="color:#00a000">ClientConfig</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;client config: %q&#34;</span>,<span style="color:#bbb"> </span>err))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>cs,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>kubernetes.<span style="color:#00a000">NewForConfig</span>(restCfg)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;unable to initialize config: %q&#34;</span>,<span style="color:#bbb"> </span>err))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>op<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>Operation{clientSet:<span style="color:#bbb"> </span>cs}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// KillThePwnedPod will executed for each Falco event</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">KillThePwnedPod</span>(w<span style="color:#bbb"> </span>http.ResponseWriter,<span style="color:#bbb"> </span>r<span style="color:#bbb"> </span><span style="color:#666">*</span>http.Request)<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>body,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>ioutil.<span style="color:#00a000">ReadAll</span>(r.Body)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>http.<span style="color:#00a000">Error</span>(w,<span style="color:#bbb"> </span><span style="color:#b44">&#34;cannot read body&#34;</span>,<span style="color:#bbb"> </span>http.StatusBadRequest)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>event<span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>json.<span style="color:#00a000">Unmarshal</span>(body,<span style="color:#bbb"> </span><span style="color:#666">&amp;</span>event)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>http.<span style="color:#00a000">Error</span>(w,<span style="color:#bbb"> </span><span style="color:#b44">&#34;cannot parse body&#34;</span>,<span style="color:#bbb"> </span>http.StatusBadRequest)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>op.<span style="color:#00a000">PodDestroy</span>(event.OutputFields.K8SPodName,<span style="color:#bbb"> </span>event.OutputFields.K8SNsName)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>http.<span style="color:#00a000">Error</span>(w,<span style="color:#bbb"> </span>fmt.<span style="color:#00a000">Sprintf</span>(<span style="color:#b44">&#34;cannot delete pod: %q&#34;</span>,<span style="color:#bbb"> </span>err),<span style="color:#bbb"> </span>http.StatusInternalServerError)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>w.<span style="color:#00a000">WriteHeader</span>(http.StatusOK)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// PodDestroy destroys the given pod name in the given namespace</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span>(d<span style="color:#bbb"> </span><span style="color:#666">*</span>Operation)<span style="color:#bbb"> </span><span style="color:#00a000">PodDestroy</span>(name,<span style="color:#bbb"> </span>namespace<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span>)<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">error</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>d.clientSet.<span style="color:#00a000">CoreV1</span>().<span style="color:#00a000">Pods</span>(namespace).<span style="color:#00a000">Delete</span>(context.<span style="color:#00a000">TODO</span>(),<span style="color:#bbb"> </span>name,<span style="color:#bbb"> </span>metaV1.DeleteOptions{})<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span>fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;unable to delete pod %s: %q&#34;</span>,<span style="color:#bbb"> </span>name,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// GetSecret returns the secret data.</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">GetSecret</span>(name<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span>)<span style="color:#bbb"> </span>([]<span style="color:#0b0;font-weight:bold">byte</span>,<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">error</span>)<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ctx<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>context.<span style="color:#00a000">Background</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>client,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>secretmanager.<span style="color:#00a000">NewClient</span>(ctx)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span>,<span style="color:#bbb"> </span>fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;failed to create secretmanager client: %v&#34;</span>,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">defer</span><span style="color:#bbb"> </span>client.<span style="color:#00a000">Close</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>result,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>client.<span style="color:#00a000">AccessSecretVersion</span>(ctx,<span style="color:#bbb"> </span><span style="color:#666">&amp;</span>secretmanagerpb.AccessSecretVersionRequest{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Name:<span style="color:#bbb"> </span>name,<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>})<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span>,<span style="color:#bbb"> </span>fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;failed to access secret version: %v&#34;</span>,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span>result.Payload.Data,<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span></code></pre></div><p>If you rather see it in <a href="https://github.com/Dentrax/k8s-response-engine-gke-functions.git">GitHub</a>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ git clone https://github.com/Dentrax/k8s-response-engine-gke-functions.git </span></span><span style="display:flex;"><span>$ <span style="color:#a2f">cd</span> kubernetes-response-engine-based-on-gke-and-gcloudfunctions </span></span><span style="display:flex;"><span>... </span></span></code></pre></div><p>We need to pass extra <code>--service-account</code> flag in order to get access to Secret Manager.</p> <p>Deploy the function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#b8860b">FUNCTION_NAME</span><span style="color:#666">=</span>KillThePwnedPod </span></span><span style="display:flex;"><span>$ gcloud functions deploy <span style="color:#b8860b">$FUNCTION_NAME</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--runtime go113 --trigger-http <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--service-account <span style="color:#b8860b">$SA_ACCOUNT</span>@<span style="color:#b8860b">$GOOLE_PROJECT_ID</span>.iam.gserviceaccount.com </span></span><span style="display:flex;"><span>Allow unauthenticated invocations of new <span style="color:#a2f;font-weight:bold">function</span> <span style="color:#666">[</span>KillThePwnedPod<span style="color:#666">]</span>? <span style="color:#666">(</span>y/N<span style="color:#666">)</span>? N </span></span><span style="display:flex;"><span>... </span></span></code></pre></div><p>Now, get the name of the function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#b8860b">CLOUD_FUNCTION_NAME</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>gcloud functions describe --format<span style="color:#666">=</span>json <span style="color:#b8860b">$FUNCTION_NAME</span> | jq -r <span style="color:#b44">&#39;.name&#39;</span><span style="color:#a2f;font-weight:bold">)</span> </span></span></code></pre></div><h3 id="install-falco-falcosidekick">Install Falco + Falcosidekick</h3> <p>It is time to install <code>Falco</code>, <code>Falcosidekick</code> with <code>Cloud Function</code> output type enabled:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#a2f">export</span> <span style="color:#b8860b">FALCO_NAMESPACE</span><span style="color:#666">=</span>falco </span></span><span style="display:flex;"><span>$ kubectl create namespace <span style="color:#b8860b">$FALCO_NAMESPACE</span> </span></span><span style="display:flex;"><span>$ helm upgrade --install falco falcosecurity/falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--namespace <span style="color:#b8860b">$FALCO_NAMESPACE</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set ebpf.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.config.gcp.cloudfunctions.name<span style="color:#666">=</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">CLOUD_FUNCTION_NAME</span><span style="color:#b68;font-weight:bold">}</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.webui.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> </span></span></code></pre></div><h3 id="test">Test</h3> <p>Try to run a busybox image and execute a command:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl run busybox --image<span style="color:#666">=</span>busybox --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span></code></pre></div><p>Try to exec into:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl <span style="color:#a2f">exec</span> -it busybox -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span></code></pre></div><p>We can check the logs of the <code>Falco</code>, and <code>Falcosidekick</code> to see what happened:</p> <p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/cloud_function_output.png" alt="cloud_function_output" loading="lazy" /> </p> <p>For <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs deployment/falco-falcosidekick --namespace falco </span></span><span style="display:flex;"><span>2021/06/14 21:01:24 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : GCPCloudFunctions - Call Cloud Function OK </span></span><span style="display:flex;"><span>.. </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>We got another way to create a Response Engine with amazing pieces of software from Open Source world. Of course, it's just the beginning, feel free to share your functions and workflows with the community for starting the creation of a true library of remediation methods.</p> <hr> <p>If you would like to find out more about Falco:</p> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falco">Falco project in GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Kubernetes Response Engine, Part 6: Falcosidekick + Cloud Runhttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/Fri, 25 Jun 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functions</a></li> </ul> </blockquote> <hr> <p>Recently, we added two new output-type support to Falcosidekick, and they are Cloud Functions, and Cloud Run. This blog post will discuss how to set up Kubernetes Response Engine on GKE (Google Kubernetes Engine) by using Cloud Run.</p> <p>Let's start by explaining a little bit about Cloud Run. <code>Cloud Run</code> is a managed compute platform that enables you to run containers that are invocable via requests or events. <code>Cloud Run</code> is serverless: it abstracts away all infrastructure management, so you can focus on what matters most — building great applications.</p> <p>For more information, see <a href="https://cloud.google.com/run/docs">Cloud Run</a>.</p> <p>Given below is a reference architecture of what's being explained in this blog.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/cloud_run_reference_arch.png" alt="cloud_run_reference_arch" loading="lazy" /> </p> <p>This demo might be useful for Google Cloud users who might already be using GKE with <code>Falco</code> to protect container runtime against malicious behaviors, and wants to take any action for them with <code>Cloud Run</code>.</p> <!-- START doctoc generated TOC please keep comment here to allow auto update --> <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --> <p><strong>Table of Contents</strong></p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/#prerequisites">Prerequisites</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/#tutorial">Tutorial</a> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/#provision-gke-google-kubernetes-engine-cluster">Provision GKE (Google Kubernetes Engine) Cluster</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/#deploy-cloud-run-function">Deploy Cloud Run Function</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/#install-falco--falcosidekick">Install Falco + Falcosidekick</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/#test">Test</a></li> </ul> </li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/#conclusion">Conclusion</a></li> </ul> <!-- END doctoc generated TOC please keep comment here to allow auto update --> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>gcloud 342.0.0</li> <li>ko 0.8.3</li> </ul> <h2 id="tutorial">Tutorial</h2> <h3 id="provision-gke-google-kubernetes-engine-cluster">Provision GKE (Google Kubernetes Engine) Cluster</h3> <p>First, let us create a GKE cluster.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#b8860b">GKE_CLUSTER_NAME</span><span style="color:#666">=</span>cloud-run-demo </span></span><span style="display:flex;"><span>$ gcloud container clusters create <span style="color:#b8860b">$GKE_CLUSTER_NAME</span> </span></span></code></pre></div><p>To learn more about the setup GKE Cluster, see <a href="https://cloud.google.com/kubernetes-engine/docs/quickstart#create_cluster">quickstart guide</a>.</p> <h3 id="deploy-cloud-run-function">Deploy Cloud Run Function</h3> <p>Once GKE is set up, we are ready to deploy Cloud Run. But before doing that, let us examine the responsibility of the Cloud Run function. As you can see in the reference architecture, this function will delete the pwned pods. To be able to do that, Cloud Run should be given appropriate permissions.</p> <p>There are two approaches to obtain these permissions.</p> <ul> <li>The first approach is creating a Kubernetes Service Account, an appropriate Role with granted permissions to delete pod resource, and a RoleBinding to bind Role to Service Account. Then create the kubeconfig file, package it up with the function code while deploying the Cloud Run function, and use this file to create a Kubernetes client.</li> </ul> <p>To learn more about the kubeconfig files, see <a href="https://ahmet.im/blog/mastering-kubeconfig/">kubeconfig</a>.</p> <ul> <li>The second approach is producing a valid ~/.kube/config with a library called google.golang.org/api/ within the function code. We are doing this because the representation of the valid ~/.kube/config file is <a href="https://pkg.go.dev/k8s.io/client-go@v0.21.1/tools/clientcmd/api#Config">clientcmd/api/Config</a> in Go.</li> </ul> <p>We'll go with the second approach in this demo. Thanks to Scott Blum and his detailed <a href="https://bionic.fullstory.com/connect-to-google-kubernetes-with-gcp-credentials-and-pure-golang/">blog post</a> on this topic. I highly recommend that you check that out.</p> <p>Let's deploy the function. If you want to take a look at the function code, see the <a href="#ZgotmplZ">repository</a>.</p> <p>Note that we're going to use the ko tool to build and push our container image which is created by Google. ko is a simple and fast container image builder for Go applications.</p> <p>To learn more, see the <a href="https://github.com/google/ko">official repository</a> of the project.</p> <p>We are also going to use Container Registry as an image repository service provided by the Google Cloud to store, manage, and secure your Docker container images. Alternatively, you can also use DockerHub, quay.io, etc.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ git clone https://github.com/developer-guy/kubernetes-response-engine-based-on-gke-and-cloud-run.git </span></span><span style="display:flex;"><span>$ <span style="color:#a2f">cd</span> kubernetes-response-engine-based-on-gke-and-cloud-run </span></span><span style="display:flex;"><span>$ <span style="color:#b8860b">GKE_CLUSTER_NAME</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>kubectl config view --minify -o <span style="color:#b8860b">jsonpath</span><span style="color:#666">=</span><span style="color:#b44">&#39;{.clusters[].name}{&#34;\n&#34;}&#39;</span><span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>$ <span style="color:#b8860b">PROJECT_ID</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>gcloud config get-value project<span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>$ <span style="color:#b8860b">FUNCTION_NAME</span><span style="color:#666">=</span>pod-deleter </span></span><span style="display:flex;"><span>$ <span style="color:#a2f">export</span> <span style="color:#b8860b">KO_DOCKER_REPO</span><span style="color:#666">=</span>gcr.io/<span style="color:#b8860b">$PROJECT_ID</span> <span style="color:#080;font-style:italic"># Please, change this variable if you are not using Container Registry.</span> </span></span><span style="display:flex;"><span>$ gcloud config <span style="color:#a2f">set</span> run/region us-west1 </span></span><span style="display:flex;"><span>$ gcloud config <span style="color:#a2f">set</span> run/platform managed </span></span><span style="display:flex;"><span>$ gcloud run deploy <span style="color:#b8860b">$FUNCTION_NAME</span> --image<span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>ko publish .<span style="color:#a2f;font-weight:bold">)</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --set-env-vars <span style="color:#b8860b">GKE_CLUSTER_NAME</span><span style="color:#666">=</span><span style="color:#b8860b">$GKE_CLUSTER_NAME</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --set-env-vars <span style="color:#b8860b">PROJECT_ID</span><span style="color:#666">=</span><span style="color:#b8860b">$PROJECT_ID</span> </span></span><span style="display:flex;"><span>... </span></span><span style="display:flex;"><span>Allow unauthenticated invocations to <span style="color:#666">[</span>pod-deleter<span style="color:#666">]</span> <span style="color:#666">(</span>y/N<span style="color:#666">)</span>? N </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Deploying container to Cloud Run service <span style="color:#666">[</span>pod-deleter<span style="color:#666">]</span> in project <span style="color:#666">[</span>developerguy-311909<span style="color:#666">]</span> region <span style="color:#666">[</span>us-west1<span style="color:#666">]</span> </span></span><span style="display:flex;"><span>✓ Deploying... Done. </span></span><span style="display:flex;"><span> ✓ Creating Revision... </span></span><span style="display:flex;"><span> ✓ Routing traffic... </span></span><span style="display:flex;"><span>Done. </span></span><span style="display:flex;"><span>Service <span style="color:#666">[</span>pod-deleter<span style="color:#666">]</span> revision <span style="color:#666">[</span>pod-deleter-00002-cej<span style="color:#666">]</span> has been deployed and is serving <span style="color:#666">100</span> percent of traffic. </span></span><span style="display:flex;"><span>Service URL: https://pod-deleter-uoz6q2wria-uw.a.run.app </span></span></code></pre></div><h3 id="install-falco-falcosidekick">Install Falco + Falcosidekick</h3> <p>Now, it is time to set up <code>Falco</code>, <code>Falcosidekick</code> with the <code>Cloud Run</code> output type enabled.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl create namespace falco </span></span><span style="display:flex;"><span>$ helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span><span style="display:flex;"><span>$ helm repo update </span></span><span style="display:flex;"><span>$ helm install falco falcosecurity/falco --namespace falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set ebpf.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.webui.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.config.gcp.cloudrun.endpoint<span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>gcloud run services list --format json | jq -r <span style="color:#b44">&#34;.[] | select(.metadata.name==\&#34;</span><span style="color:#b8860b">$FUNCTION_NAME</span><span style="color:#b44">\&#34;) | .status.address.url&#34;</span><span style="color:#a2f;font-weight:bold">)</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.config.gcp.cloudrun.jwt<span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>gcloud auth print-identity-token<span style="color:#a2f;font-weight:bold">)</span> </span></span></code></pre></div><p>Check the logs to see if <code>Cloud Run</code> output enabled for Falcosidekick.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs -f falco-falcosidekick-7cd7bc6859-2nd9t --namespace falco </span></span><span style="display:flex;"><span>falco-falcosidekick-7cd7bc6859-2nd9t falcosidekick 2021/06/07 16:03:14 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Enabled Outputs : <span style="color:#666">[</span>GCPCloudRun WebUI<span style="color:#666">]</span> </span></span><span style="display:flex;"><span>falco-falcosidekick-7cd7bc6859-2nd9t falcosidekick 2021/06/07 16:03:14 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Falco Sidekick is up and listening on :2801 </span></span><span style="display:flex;"><span>... </span></span></code></pre></div><p>If you see the GCPCloudRun in the list of enabled outputs, you can confirm that everything is working as expected 👍.</p> <h3 id="test">Test</h3> <p>Let us start by creating a test pod:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl run alpine --namespace default --image<span style="color:#666">=</span>alpine --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span><span style="display:flex;"><span>pod/alpine created </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace default </span></span><span style="display:flex;"><span>AME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Running <span style="color:#666">0</span> 11s </span></span></code></pre></div><p>Let's run a <em>shell</em> command inside and see what happens:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl <span style="color:#a2f">exec</span> -i --tty alpine --namespace default -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span>19:27:21 up <span style="color:#666">50</span> min, load average: 0.11, 0.12, 0.11 </span></span></code></pre></div><p>As expected the command returned the output. However, the status of the pod we retrieved is Terminating as follows:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace default </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Terminating <span style="color:#666">0</span> 103s </span></span></code></pre></div><p>To investigate further, check the logs of the Cloud Run function from the Google Cloud Console:</p> <p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/cloud_run_function_outout.png" alt="cloud_run_function_output" loading="lazy" /> </p> <p>Let us check the logs of Falco and Falcosidekick to see what happened.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span> $ kubectl logs daemonset/falco --namespace falco </span></span><span style="display:flex;"><span>.. </span></span><span style="display:flex;"><span><span style="color:#666">{</span><span style="color:#b44">&#34;output&#34;</span>:<span style="color:#b44">&#34;19:27:21.002873265: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=alpine container=97c9868ea832 shell=sh parent=runc cmdline=sh -c uptime terminal=34816 container_id=97c9868ea832 image=alpine) k8s.ns=default k8s.pod=alpine container=97c9868ea832&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span>:<span style="color:#b44">&#34;Notice&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span>:<span style="color:#b44">&#34;Terminal shell in container&#34;</span>,<span style="color:#b44">&#34;time&#34;</span>:<span style="color:#b44">&#34;2021-04-10T19:27:21.002873265Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span>: <span style="color:#666">{</span><span style="color:#b44">&#34;container.id&#34;</span>:<span style="color:#b44">&#34;97c9868ea832&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;evt.time&#34;</span>:1618082841002873265,<span style="color:#b44">&#34;k8s.ns.name&#34;</span>:<span style="color:#b44">&#34;default&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span>:<span style="color:#b44">&#34;sh -c uptime&#34;</span>,<span style="color:#b44">&#34;proc.name&#34;</span>:<span style="color:#b44">&#34;sh&#34;</span>,<span style="color:#b44">&#34;proc.pname&#34;</span>:<span style="color:#b44">&#34;runc&#34;</span>,<span style="color:#b44">&#34;proc.tty&#34;</span>:34816,<span style="color:#b44">&#34;user.loginuid&#34;</span>:-1,<span style="color:#b44">&#34;user.name&#34;</span>:<span style="color:#b44">&#34;root&#34;</span><span style="color:#666">}}</span> </span></span><span style="display:flex;"><span>... </span></span></code></pre></div><p>For <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs deployment/falco-falcosidekick --namespace falco </span></span><span style="display:flex;"><span>2021/06/07 16:03:15 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : GCPCloudRun - Post OK <span style="color:#666">(</span>200<span style="color:#666">)</span> </span></span><span style="display:flex;"><span>2021/06/07 16:03:15 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : GCPCloudRun - Function Response : OK </span></span><span style="display:flex;"><span>.. </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>We got another way to create a Response Engine with amazing pieces of software from the Open Source world. Of course, it's just the beginning, feel free to share your functions and workflows with the community for creating a library of remediation methods.</p> <p>If you would like to find out more about Falco:</p> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falco">Falco project in GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Kubernetes Response Engine, Part 5: Falcosidekick + Argohttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/Sun, 23 May 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functions</a></li> </ul> </blockquote> <hr> <p>The Open Source ecosystem is very vibrant, there are many ways to create a Kubernetes Response Engine based on our dynamic duo, <code>Falco</code> + <code>Falcosidekick</code>. Today, we will use two components of the CNCF project <code>Argo</code>:</p> <ul> <li><a href="https://argoproj.github.io/projects/argo-events"><code>Argo Events</code></a>, will receive events from <code>Falcosidekick</code> and push into it event bus.</li> <li><a href="https://argoproj.github.io/projects/argo"><code>Argo Workflow</code></a>, will listen the event bus and then trigger the workflow if certain criteria are encountered.</li> </ul> <p>Like we did for previous examples with <code>Kubeless</code>, <code>OpenFaas</code> and <code>Knative</code>, we'll address the situation where a shell is spawned in a pod and we want to remediate that by deleting it.</p> <p>This is how we will set this up:</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">┌─────────────┐ ┌─────────┐ ┌────────────────┐ │ │ detect │ │ push │ │ │ pwned pod ├───────────► falco ├──────────► falcosidekick ├────┐ │ │ │ │ │ │ │ └──────▲──────┘ └─────────┘ └────────────────┘ │ notify │ │ │ │ delete │ ┌──────────────┐ ┌───────────────┐ ┌──────▼──────┐ │ │ │ │ │ │ │ └───┤ deletion pod ◄──────────┤ argo workflow │ │ argo events │ │ │ create │ │ │ │ └──────────────┘ └────────────▲──┘ └─┬───────────┘ │ │ trigger │ │ push │ │ ┌─┴─────────────▼──┐ │ bus │ └──────────────────┘ </code></pre><h2 id="requirements">Requirements</h2> <p>We require a <code>kubernetes</code> cluster running at least <code>1.17</code> release, <a href="https://helm.sh"><code>helm</code></a> and <code>kubectl</code> installed in your locale environment.</p> <h2 id="installation-of-argo-events">Installation of Argo Events</h2> <p>We simply follow the <a href="https://argoproj.github.io/argo-events/installation/">official documentation</a>.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl create namespace argo-events kubectl apply -n argo-events -f https://raw.githubusercontent.com/argoproj/argo-events/stable/manifests/install.yaml kubectl apply -n argo-events -f https://raw.githubusercontent.com/argoproj/argo-events/stable/manifests/install-validating-webhook.yaml kubectl apply -n argo-events -f https://raw.githubusercontent.com/argoproj/argo-events/stable/examples/eventbus/native.yaml </code></pre><h2 id="installation-of-argo-workflow">Installation of Argo Workflow</h2> <p>Again, the <a href="https://argoproj.github.io/argo-workflows/installation/">official documentation</a> will help us.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl create namespace argo kubectl apply -n argo -f https://raw.githubusercontent.com/argoproj/argo-workflows/stable/manifests/install.yaml kubectl patch -n argo cm workflow-controller-configmap -p &#39;{&#34;data&#34;: {&#34;containerRuntimeExecutor&#34;: &#34;pns&#34;}}&#39; </code></pre><p>The <code>kubectl patch</code> is there for allowing the workflows to run in <code>minikube</code>, <code>kind</code>, etc. See <a href="https://argoproj.github.io/argo-workflows/workflow-executors/">docs</a> about Workflow Executors to learn more about.</p> <p>After a while, you should have access to <code>Argo Workflow</code> UI through a dport-forward:</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl port-forward svc/argo-server -n argo 2746:2746 &amp; </code></pre><p>The link is <a href="https://localhost:2746">https://localhost:2746</a> (you can ignore the certificate error, we're in a lab 😉).</p> <h2 id="creation-of-the-event-source">Creation of the Event Source</h2> <p>We'll use an <code>Event Source</code> with <code>Webhook</code> type. It will receive <code>Falco</code> events from <code>Falcosidekick</code> and push them then into the Event Bus.</p> <p>This component is pretty easy to understand. <code>Falcosidekick</code> will have to <strong>POST</strong> the events to an endpoint <strong>/falco</strong> of a service opened on port <strong>12000</strong>. <em>Easy</em>.</p> <pre tabindex="0"><code class="language-yaml+" data-lang="yaml+">cat &lt;&lt;EOF | kubectl apply -n argo-events -f - apiVersion: argoproj.io/v1alpha1 kind: EventSource metadata: name: webhook-falco namespace: argo-events spec: service: ports: - port: 12000 targetPort: 12000 webhook: # event-source can run multiple HTTP servers. Simply define a unique port to start a new HTTP server falco-event: # port to run HTTP server on port: &#34;12000&#34; # endpoint to listen to endpoint: /falco # HTTP request method to allow. In this case, only POST requests are accepted method: POST EOF </code></pre><p>As expected, we now have a new service which will listen events from <code>Falcosidekick</code> on port <strong>12000</strong> and endpoint <strong>/falco</strong>:</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl get svc -n argo-events NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE webhook-falco-eventsource-svc ClusterIP 10.43.117.26 &lt;none&gt; 12000/TCP 11m </code></pre><h2 id="creation-of-the-sensor">Creation of the Sensor</h2> <p>In <code>Argo Events</code> architecture, <code>Sensors</code> are responsible for listening to the Event Bus and triggering <em>something</em> should the criteria we set match. In our case, our <code>Sensor</code>:</p> <ul> <li>listen only events for pushed by <strong>webhook-falco</strong> <code>Event Source</code></li> <li>consider only events where the <strong>body</strong> (in JSON) contains the value <strong>Terminal shell in container</strong> for field with key <strong>rule</strong>, we want to match for only this <strong>Falco</strong> rule in one word.</li> <li>trigger a <strong>workflow</strong> based on a template with our event as input</li> </ul> <p>First, create the <strong>Service Account</strong> which allows our <code>Sensor</code> will.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">cat &lt;&lt;EOF | kubectl apply -n argo-events -f - apiVersion: v1 kind: ServiceAccount metadata: namespace: argo-events name: sensor-terminal-shell-container-sa --- # Similarly you can use a ClusterRole and ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: sensor-terminal-shell-container-role namespace: argo-events rules: - apiGroups: - argoproj.io verbs: - &#34;*&#34; resources: - workflows - workflowtemplates - cronworkflows - clusterworkflowtemplates --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: sensor-terminal-shell-container-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: sensor-terminal-shell-container-role subjects: - kind: ServiceAccount name: sensor-terminal-shell-container-sa namespace: argo-events EOF </code></pre><p>And now we deploy our <code>Sensor</code>.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">cat &lt;&lt;EOF | kubectl apply -n argo-events -f - apiVersion: argoproj.io/v1alpha1 kind: Sensor metadata: name: terminal-shell-container namespace: argo-events spec: template: serviceAccountName: sensor-terminal-shell-container-sa dependencies: - name: falco-event eventSourceName: webhook-falco eventName: falco-event filters: data: - path: body.rule type: string value: - &#34;Terminal shell in container&#34; triggers: - template: name: delete-pod-trigger argoWorkflow: group: argoproj.io version: v1alpha1 resource: workflows operation: submit parameters: - src: dependencyName: falco-event dest: spec.arguments.parameters.0.value source: resource: apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: generateName: delete-pod- namespace: argo spec: workflowTemplateRef: name: delete-pod-template arguments: parameters: - name: falco-event value: {} EOF </code></pre><h2 id="creation-of-the-workflow-template">Creation of the Workflow Template</h2> <p>There is one piece missing in our <code>Argo</code> stack, we mentioned a template above, we logically need to create it too, with the service account it needs.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">cat &lt;&lt;EOF | kubectl apply -n argo -f - apiVersion: v1 kind: ServiceAccount metadata: name: delete-pod-sa namespace: argo --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: delete-pod-sa-cluster-role rules: - apiGroups: [&#34;&#34;] resources: [&#34;pods&#34;] verbs: [&#34;get&#34;, &#34;list&#34;, &#34;delete&#34;, &#34;patch&#34;, &#34;watch&#34;] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: delete-pod-sa-cluster-role-binding roleRef: kind: ClusterRole name: delete-pod-sa-cluster-role apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: delete-pod-sa namespace: argo EOF </code></pre><pre tabindex="0"><code class="language-shell+" data-lang="shell+">cat &lt;&lt;EOF | kubectl apply -n argo -f - apiVersion: argoproj.io/v1alpha1 kind: WorkflowTemplate metadata: name: delete-pod-template namespace: argo spec: entrypoint: delete-pod serviceAccountName: delete-pod-sa arguments: parameters: - name: falco-event value: &#34;{}&#34; templates: - name: delete-pod inputs: parameters: - name: falco-event container: image: devopps/kubernetes-response-engine-based-on-event-driven-workflow@sha256:22ee203a33fe88f0f99968daebdcea0ca52c8a3d6f7af4c823ed78ac15b7c5db env: - name: BODY value: &#34;{{inputs.parameters.falco-event}}&#34; EOF </code></pre><p><code>Argo Workflow</code> runs all workflow steps inside their own pods, we'll use for this tutorial a <em>Golang</em> image developped by <a href="https://github.com/developer-guy">@developer-guy</a> (who wrote the <a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Part 2</a> of this series 😄), the sources are <a href="https://github.com/developer-guy/kubernetes-response-engine-based-on-event-driven-workflow/blob/master/main.go">there</a>.</p> <p>At this stage, everything is ready to receive events from <code>Falco</code> and protect our cluster. If you go in <code>Argo Workflow</code> UI you will find the architecture we described at beginning.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/argo-workflow-response-engine-event-flow.png" alt="Event Flow for our Response Engine" loading="lazy" /> </p> <h2 id="installation-of-falco-and-falcosidekick">Installation of Falco and Falcosidekick</h2> <p>Last but not least, it's time to install our beloved <code>Falco</code> and <code>Falcosidekick</code> and connect them to our shiny new Response Engine.</p> <p>As with other posts of this series we'll use <code>Helm</code> as conveniant installation method.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl create ns falco helm repo add falcosecurity https://falcosecurity.github.io/charts helm install falco falcosecurity/falco \ --namespace falco \ --set falcosidekick.enabled=true \ --set falcosidekick.config.webhook.address=http://webhook-falco-eventsource-svc.argo-events.svc.cluster.local:12000/falco </code></pre><p>Remember the service we &quot;mentioned&quot; earlier? This is it in its FQDN format as an endpoint.</p> <h2 id="test-our-response-engine">Test our Response Engine</h2> <p>Let's delete pwned pod !</p> <p>We'll simulate a <em>webshell</em> by executing a shell command into a running pod.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl run alpine -n default --image=alpine --restart=&#39;Never&#39; -- sh -c &#34;sleep 6000&#34; kubectl get pods -n default </code></pre><pre tabindex="0"><code class="language-shell+" data-lang="shell+">NAME READY STATUS RESTARTS AGE alpine 1/1 Running 0 8s </code></pre><p>Run a <em>shell</em> command inside.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl exec -i --tty alpine -n default -- sh -c &#34;uptime&#34; 22:03:23 up 44 min, load average: 0.07, 0.13, 0.19 </code></pre><p>If you're quick enough, you may see the termination of the pod.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl get pods -n default </code></pre><pre tabindex="0"><code class="language-shell+" data-lang="shell+">NAME READY STATUS RESTARTS AGE alpine 1/1 Terminating 0 8s </code></pre><p>And in <code>Argo Workflow</code> UI.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/argo-workflow-response-engine-deletion-1.png" alt="Deletion 1 for our Response Engine" loading="lazy" /> </p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/argo-workflow-response-engine-deletion-2.png" alt="Deletion 2 for our Response Engine" loading="lazy" /> </p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/argo-workflow-response-engine-deletion-3.png" alt="Deletion 3 for our Response Engine" loading="lazy" /> </p> <p>👍</p> <h2 id="go-a-little-further-with-argo">Go a little further with Argo</h2> <p>We can even go further by deploying all components with <code>Argo CD</code>, another project from <code>Argo</code> team. You can find out all you need in this <a href="https://github.com/Issif/argo-falco">repo</a>.</p> <p>Here a quick demo of the results with the exact same workflow we just created in this tutorial. <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"> <iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/X3GE3rHBFNM?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe> </div> </p> <h2 id="conclusion">Conclusion</h2> <p>We got another way to create a Response Engine with amazing pieces of software from Open Source world. Of course, it's just the beginning, feel free to share your functions and workflows with the community for starting the creation of a true library of remediation methods.</p> <hr> <p>If you would like to find out more about Falco:</p> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falco">Falco project in GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Kubernetes Response Engine, Part 4: Falcosidekick + Tektonhttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/Fri, 14 May 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functions</a></li> </ul> </blockquote> <hr> <h2 id="falcosidekick-tekton">Falcosidekick + Tekton</h2> <p>Earler in this series we have seen how to use <a href="https://kubeless.io/">Kubeless</a>, <a href="https://www.openfaas.com/">OpenFaas</a> and <a href="https://knative.dev/">Knative</a> to trigger a pod after getting input from falcosidekick to delete a compromised pod.</p> <p>In this part I will showcase how we can use <a href="https://tekton.dev">Tekton</a> and not have to add any extra complexity to your cluster by adding a serverless runtime.</p> <p>I won't go through how Tekton works in depth but, you can find a good overview in the <a href="https://tekton.dev/docs/overview/">official docs</a>. But here is the crash course:</p> <ul> <li>Tekton is built to be reusable.</li> <li>The smallest part of tekton is a <strong>step</strong>, a step can be something like this: <ul> <li>Run unit tests</li> <li>Run linting</li> </ul> </li> <li>In a <strong>task</strong> you can have multiple steps.</li> <li>A <strong>pipeline</strong> consist of one or multiple tasks.</li> <li>To trigger a pipeline to actually run you need a <strong>pipelinerun</strong> or a <strong>trigger-template</strong>.</li> </ul> <p>Tekton also supports eventlisteners that is used to listen for webhooks. Normally these webhooks listen for incoming changes to a git repo, for example a PR. But we will use it to listen for Falco events.</p> <p>You can find all the yaml and code in my <a href="https://github.com/NissesSenap/falcosidekick-tekton/tree/falco">repo</a>.</p> <h3 id="prerequisites">Prerequisites</h3> <p>As always within Kubernetes we need a few tools, I have used the following versions of Helm, Minikube and kubectl in my setup.</p> <ul> <li>Minikube v1.19.0</li> <li>Helm v3.4.2</li> <li>kubectl v1.20.5</li> </ul> <h3 id="provision-local-kubernetes-cluster">Provision local Kubernetes Cluster</h3> <p>I'm sure you can use a <a href="https://github.com/kubernetes-sigs/kind">kind</a> cluster as well to follow along, but falco complained a bit when I tried and I was too lazy to check out what extra flags I need so I went with minikube.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>minikube start --cpus <span style="color:#666">3</span> --memory <span style="color:#666">8192</span> --vm-driver virtualbox </span></span></code></pre></div><h3 id="install-tekton">Install Tekton</h3> <p>Install Tekton pipelines and triggers. When doing this in production I recommend the <a href="https://github.com/tektoncd/operator">Tekton operator</a> but for now let us use some pure yaml.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml </span></span><span style="display:flex;"><span>kubectl apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml </span></span></code></pre></div><p>Within a few seconds you should be able to see a few pods in the tekton-pipelines namespace.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n tekton-pipelines </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>tekton-pipelines-controller-6b94f5f96-cmf8m 1/1 Running <span style="color:#666">0</span> 1h </span></span><span style="display:flex;"><span>tekton-pipelines-webhook-5bfbbd6475-fmjp4 1/1 Running <span style="color:#666">0</span> 1h </span></span><span style="display:flex;"><span>tekton-triggers-controller-7cbd49fbb8-p4lrz 1/1 Running <span style="color:#666">0</span> 1h </span></span><span style="display:flex;"><span>tekton-triggers-webhook-748fb7778c-w6zxv 1/1 Running <span style="color:#666">0</span> 1h </span></span></code></pre></div><p>If you want a deeper understanding how Tekton triggers work check out the <a href="https://github.com/tektoncd/triggers/tree/v0.13.0/docs/getting-started">getting-started guide</a>.</p> <h3 id="install-falco-falcosidekick">Install Falco + Falcosidekick</h3> <p>Create the falco namespace and add the helm repo:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create namespace falco </span></span><span style="display:flex;"><span>helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span><span style="display:flex;"><span>helm repo update </span></span></code></pre></div><p>For simplicity and long term usability let us create a custom values file and start falco.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;&#39;EOF&#39; &gt;&gt; values.yaml </span></span></span><span style="display:flex;"><span><span style="color:#b44">falcosidekick: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> config: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> webhook: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> address: http://el-falco-listener.falcoresponse.svc.cluster.local:8080 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> enabled: true </span></span></span><span style="display:flex;"><span><span style="color:#b44"> </span></span></span><span style="display:flex;"><span><span style="color:#b44">customRules: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> # Applications which are expected to communicate with the Kubernetes API </span></span></span><span style="display:flex;"><span><span style="color:#b44"> rules_user_known_k8s_api_callers.yaml: |- </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - macro: user_known_contact_k8s_api_server_activities </span></span></span><span style="display:flex;"><span><span style="color:#b44"> condition: &gt; </span></span></span><span style="display:flex;"><span><span style="color:#b44"> (container.image.repository = &#34;gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/eventlistenersink&#34;) or </span></span></span><span style="display:flex;"><span><span style="color:#b44"> (container.image.repository = &#34;quay.io/nissessenap/poddeleter&#34;) </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Install falco</span> </span></span><span style="display:flex;"><span>helm upgrade --install falco falcosecurity/falco --namespace falco -f values.yaml </span></span></code></pre></div><blockquote> <p>Note the customRules and the webhook address.</p> </blockquote> <p>We haven't setup this webhook address nor is there currently any reason for us to have customRules for eventlistenersink or poddeleter, but it will come. Both the Tekton event listener and my poddeleter does a few kubernetes API calls and we don't want falco generate alarms for our own infrastructure.</p> <p>You should be able to see falco and falcosidekick pods in the falco namespace:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods --namespace falco </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-44p4v 1/1 Running <span style="color:#666">0</span> 64m </span></span><span style="display:flex;"><span>falco-falcosidekick-779b87f446-8zf9m 1/1 Running <span style="color:#666">0</span> 2h </span></span><span style="display:flex;"><span>falco-falcosidekick-779b87f446-fdk55 1/1 Running <span style="color:#666">0</span> 2h </span></span></code></pre></div><h3 id="protect-me-falco">Protect me Falco</h3> <p>My current setup is rather harsh and will delete any pods that breaks any falco rule. In the future I plan to make both the go code and the tekton setup better and more flexible, hopefully this is something that we can do in the community.</p> <p>During this demo I will use the <a href="https://github.com/falcosecurity/falco/blob/0d7068b048772b1e2d3ca5c86c30b3040eac57df/rules/falco_rules.yaml#L2063">Terminal Shell in container</a> since it's very easy to reproduce.</p> <p>So how does all this work?</p> <ul> <li>We start a random pod and perform a simple exec.</li> <li>Falco will notice that a pod have broken the rule</li> <li>Sends an event to Falcosidekick</li> <li>Sends a webhook to tekton event-listener</li> <li>Tekton triggers a new pipeline</li> <li>A task is started with a small go program that deletes the pod</li> </ul> <p>So let us look at some yaml.</p> <h4 id="the-go-code">The go code</h4> <p>I have adapted the code that Batuhan Apaydın wrote in <a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Falcosidekick + OpenFaas = a Kubernetes Response Engine, Part 2</a> to listen for json in an environment variable instead of a http request.</p> <p>Below you can see the code, in short it does the following:</p> <ul> <li>Check for environment variable BODY.</li> <li>Unmarshal the data according to the Alert struct.</li> <li>Setups a kubernetes client, by calling setupKubeClient function.</li> <li>Calls the deletePod with a kubernetes client, the falcoEvent we gotten and a hash map of critical Namespaces.</li> <li>Check in the event that we got from falcosidekick and see if the pod that triggered the event is in our critical namespaces hash map.</li> <li>If it is return to the main and shutdown the application.</li> <li>Else deletes the pod in the namespace specified in the falcosidekick event.</li> </ul> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-main.go" data-lang="main.go"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">package</span><span style="color:#bbb"> </span>main<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">import</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;context&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;encoding/json&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;log&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;os&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;time&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>metaV1<span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/apimachinery/pkg/apis/meta/v1&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/kubernetes&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/rest&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// Alert falco data structure</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">type</span><span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Output<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Priority<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;priority&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Rule<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;rule&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Time<span style="color:#bbb"> </span>time.Time<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>OutputFields<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerID<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.id&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageRepository<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.repository&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageTag<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.tag&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>EvtTime<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">int64</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;evt.time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>FdName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;fd.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SNsName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.ns.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SPodName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.pod.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ProcCmdline<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;proc.cmdline&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output_fields&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">main</span>()<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>criticalNamespaces<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">map</span>[<span style="color:#0b0;font-weight:bold">string</span>]<span style="color:#0b0;font-weight:bold">bool</span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;kube-system&#34;</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span>,<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;kube-public&#34;</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span>,<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;kube-node-lease&#34;</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span>,<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;falco&#34;</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span>,<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>falcoEvent<span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>bodyReq<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>os.<span style="color:#00a000">Getenv</span>(<span style="color:#b44">&#34;BODY&#34;</span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>bodyReq<span style="color:#bbb"> </span><span style="color:#666">==</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;&#34;</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Fatalf</span>(<span style="color:#b44">&#34;Need to get environment variable BODY&#34;</span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>bodyReqByte<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>[]<span style="color:#a2f">byte</span>(bodyReq)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>json.<span style="color:#00a000">Unmarshal</span>(bodyReqByte,<span style="color:#bbb"> </span><span style="color:#666">&amp;</span>falcoEvent)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Fatalf</span>(<span style="color:#b44">&#34;The data doesent match the struct %v&#34;</span>,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>kubeClient,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span><span style="color:#00a000">setupKubeClient</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Fatalf</span>(<span style="color:#b44">&#34;Unable to create in-cluster config: %v&#34;</span>,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#00a000">deletePod</span>(kubeClient,<span style="color:#bbb"> </span>falcoEvent,<span style="color:#bbb"> </span>criticalNamespaces)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Fatalf</span>(<span style="color:#b44">&#34;Unable to delete pod due to err %v&#34;</span>,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// setupKubeClient</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">setupKubeClient</span>()<span style="color:#bbb"> </span>(<span style="color:#666">*</span>kubernetes.Clientset,<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">error</span>)<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>config,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>rest.<span style="color:#00a000">InClusterConfig</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span>,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// creates the clientset</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>kubeClient,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>kubernetes.<span style="color:#00a000">NewForConfig</span>(config)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span>,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span>kubeClient,<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// deletePod, if not part of the criticalNamespaces the pod will be deleted</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">deletePod</span>(kubeClient<span style="color:#bbb"> </span><span style="color:#666">*</span>kubernetes.Clientset,<span style="color:#bbb"> </span>falcoEvent<span style="color:#bbb"> </span>Alert,<span style="color:#bbb"> </span>criticalNamespaces<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">map</span>[<span style="color:#0b0;font-weight:bold">string</span>]<span style="color:#0b0;font-weight:bold">bool</span>)<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">error</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>podName<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>falcoEvent.OutputFields.K8SPodName<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>namespace<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>falcoEvent.OutputFields.K8SNsName<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;PodName: %v &amp; Namespace: %v&#34;</span>,<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>namespace)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;Rule: %v&#34;</span>,<span style="color:#bbb"> </span>falcoEvent.Rule)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>criticalNamespaces[namespace]<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;The pod %v won&#39;t be deleted due to it&#39;s part of the critical ns list: %v &#34;</span>,<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>namespace)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;Deleting pod %s from namespace %s&#34;</span>,<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>namespace)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>kubeClient.<span style="color:#00a000">CoreV1</span>().<span style="color:#00a000">Pods</span>(namespace).<span style="color:#00a000">Delete</span>(context.<span style="color:#00a000">Background</span>(),<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>metaV1.DeleteOptions{})<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span></code></pre></div><p>If you rather see it in <a href="https://raw.githubusercontent.com/NissesSenap/falcosidekick-tekton/falco/main.go">github</a>.</p> <p>Now that you know what I will make run in your cluster let us take a look at the Tekton yaml.</p> <h4 id="tekton-pipeline">Tekton pipeline</h4> <p>Create the falcoresponse namespace to do our tests in.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create ns falcoresponse </span></span></code></pre></div><h5 id="task">Task</h5> <p>So let us start with the smallest part, the task.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: tekton.dev/v1beta1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: Task </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> params: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: falco-event </span></span></span><span style="display:flex;"><span><span style="color:#b44"> description: The entire msg from falco </span></span></span><span style="display:flex;"><span><span style="color:#b44"> steps: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> image: quay.io/nissessenap/poddeleter@sha256:ae94ec2c9f005573e31e4944d1055a0dd92ee7594e7e7e36a4540a1811977270 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> env: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: BODY </span></span></span><span style="display:flex;"><span><span style="color:#b44"> value: \$(params.falco-event) </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><ul> <li>The task needs a input variable falco-event.</li> <li>The step called pod-delete uses the poddeleter image.</li> <li>Step pod-delete sets the environment BODY from the input parameter called falco-event.</li> </ul> <h5 id="pipeline">Pipeline</h5> <p>Here you can see the reusability of tekton. This pipeline can easily add more tasks and other pipelines can use the exact same task as this one.</p> <p>Just like the task this pipeline expects a parameter called falco-event which it sends in to the pod-delete task.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: tekton.dev/v1beta1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: Pipeline </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: pod-delete-pipeline </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> params: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: falco-event </span></span></span><span style="display:flex;"><span><span style="color:#b44"> description: The entire msg from falco </span></span></span><span style="display:flex;"><span><span style="color:#b44"> tasks: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: run-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> taskRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> params: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: falco-event </span></span></span><span style="display:flex;"><span><span style="color:#b44"> value: \$(params.falco-event) </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><h5 id="rbac">RBAC</h5> <p>We will be using two separate serviceAccounts, one for the event-listener and one for the poddeleter it self.</p> <p>So let us create these serviceAccounts and give them some access.</p> <p>Below you can find the event listener RBAC config.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-sa </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: Role </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-minimal </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">rules: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> # EventListeners need to be able to fetch all namespaced resources </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;triggers.tekton.dev&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> [&#34;eventlisteners&#34;, &#34;triggerbindings&#34;, &#34;triggertemplates&#34;, &#34;triggers&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;get&#34;, &#34;list&#34;, &#34;watch&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> # configmaps is needed for updating logging config </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;configmaps&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;get&#34;, &#34;list&#34;, &#34;watch&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> # Permissions to create resources in associated TriggerTemplates </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;tekton.dev&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;pipelineruns&#34;, &#34;pipelineresources&#34;, &#34;taskruns&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;create&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;serviceaccounts&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;impersonate&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;policy&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;podsecuritypolicies&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resourceNames: [&#34;tekton-triggers&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;use&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: RoleBinding </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-binding </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">subjects: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-sa </span></span></span><span style="display:flex;"><span><span style="color:#b44">roleRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> apiGroup: rbac.authorization.k8s.io </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kind: Role </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-minimal </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-clusterrole </span></span></span><span style="display:flex;"><span><span style="color:#b44">rules: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> # EventListeners need to be able to fetch any clustertriggerbindings </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;triggers.tekton.dev&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;clustertriggerbindings&#34;, &#34;clusterinterceptors&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;get&#34;, &#34;list&#34;, &#34;watch&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRoleBinding </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-clusterbinding </span></span></span><span style="display:flex;"><span><span style="color:#b44">subjects: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-sa </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">roleRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> apiGroup: rbac.authorization.k8s.io </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-clusterrole </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><p>And here is the poddeleter serviceAccount:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role </span></span></span><span style="display:flex;"><span><span style="color:#b44">rules: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;pods&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;get&#34;, &#34;list&#34;, &#34;delete&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRoleBinding </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role-binding </span></span></span><span style="display:flex;"><span><span style="color:#b44">roleRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role </span></span></span><span style="display:flex;"><span><span style="color:#b44"> apiGroup: rbac.authorization.k8s.io </span></span></span><span style="display:flex;"><span><span style="color:#b44">subjects: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><h5 id="event-listener">Event listener</h5> <p>Finally time to configure the tekton webhook receiver. Just like rest of Tekton the event listener builds on multiple parts.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: triggers.tekton.dev/v1alpha1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: EventListener </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-listener </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> serviceAccountName: tekton-triggers-example-sa </span></span></span><span style="display:flex;"><span><span style="color:#b44"> triggers: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: cel-trig </span></span></span><span style="display:flex;"><span><span style="color:#b44"> bindings: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - ref: falco-pod-delete-binding </span></span></span><span style="display:flex;"><span><span style="color:#b44"> template: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> ref: falco-pod-delete-trigger-template </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><p>It is possible to expose a event listener using a ingress, this is a rather normal use case if you want github to trigger a pipeline for example.</p> <blockquote> <p>I cannot stress this enough DO <strong>NOT</strong> MAKE THE EVENT LISTENER PUBLIC TO THE INTERNET. We haven't added any protection and this task have the power to kill pods in your cluster. Don't give a potential hacker this power!</p> </blockquote> <p>The event listener is rather complex and can do <a href="https://tekton.dev/docs/triggers/eventlisteners/">allot</a>. For example one way to improve this tekton pipeline could be to check for a specific Priority from Falco. This could be done with a <a href="https://tekton.dev/docs/triggers/eventlisteners/#cel-interceptors">cel interceptor</a> and filter on body.Priority.</p> <p>But for now let us just trigger on everything.</p> <p>The triggerBinding let us you define what data should be gathered from the incoming webhook. In this case I take the entire request body.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: triggers.tekton.dev/v1alpha1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: TriggerBinding </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-binding </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> params: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: falco-event </span></span></span><span style="display:flex;"><span><span style="color:#b44"> value: \$(body) </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><p>We use the TriggerTemplate to call on the pipeline that we defined earlier using the parameter that the TriggerBinding gives us.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: triggers.tekton.dev/v1alpha1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: TriggerTemplate </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-trigger-template </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44"> annotations: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> triggers.tekton.dev/old-escape-quotes: &#34;true&#34; </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> params: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: falco-event </span></span></span><span style="display:flex;"><span><span style="color:#b44"> description: The entire msg from falco </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resourcetemplates: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiVersion: tekton.dev/v1beta1 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kind: PipelineRun </span></span></span><span style="display:flex;"><span><span style="color:#b44"> metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> generateName: falco-pod-delete-pipeline-run- </span></span></span><span style="display:flex;"><span><span style="color:#b44"> spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> serviceAccountName: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> pipelineRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: pod-delete-pipeline </span></span></span><span style="display:flex;"><span><span style="color:#b44"> params: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: falco-event </span></span></span><span style="display:flex;"><span><span style="color:#b44"> value: \$(tt.params.falco-event) </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><blockquote> <p>Notice the <a href="https://tekton.dev/docs/triggers/triggertemplates/#escaping-quoted-strings">annotations</a>, without it the pipeline will never get triggered.</p> </blockquote> <p>We define the serviceAccount to use in our pipeline/task, point to the pipeline that we should use. And what parameter to send down to the pipeline, notice the <strong>tt</strong> in front of parma. This is special syntax for TriggerBindings.</p> <p>The triggerTemplate was the final piece needed and you should see a pod spinning up in the falcoresponse namespace.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n falcoresponse </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>el-falco-listener-557786f598-zdmw2 1/1 Running <span style="color:#666">0</span> 2h </span></span></code></pre></div><h3 id="trigger-job">Trigger job</h3> <p>Finally it's time to test our setup.</p> <p>I would recommend that you start a second terminal for this part.</p> <p><strong>Terminal 1</strong> follow the falco logs:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl logs -f <span style="color:#a2f;font-weight:bold">$(</span>kubectl get pods -l <span style="color:#b8860b">app</span><span style="color:#666">=</span>falco -o <span style="color:#b8860b">jsonpath</span><span style="color:#666">=</span><span style="color:#b44">&#34;{.items[0].metadata.name}&#34;</span> -n falco<span style="color:#a2f;font-weight:bold">)</span> -n falco </span></span></code></pre></div><p><strong>Terminal 2</strong> let us trigger the Terminal Shell in container falco rule</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Start a alpine pod</span> </span></span><span style="display:flex;"><span>kubectl run alpine --namespace falcoresponse --image<span style="color:#666">=</span>alpine --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Trigger the rule breaking behavior</span> </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">exec</span> -i --tty alpine --namespace falcoresponse -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Watch for pods in falcoresponse namespace</span> </span></span><span style="display:flex;"><span>kubectl get pods -n falcoresponse -w </span></span></code></pre></div><p>In <strong>Terminal 1</strong> you should see something like this:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-txt" data-lang="txt"><span style="display:flex;"><span>* Setting up /usr/src links from host </span></span><span style="display:flex;"><span>* Running falco-driver-loader for: falco version=0.28.0, driver version=5c0b863ddade7a45568c0ac97d037422c9efb750 </span></span><span style="display:flex;"><span>* Running falco-driver-loader with: driver=module, compile=yes, download=yes </span></span><span style="display:flex;"><span>* Unloading falco module, if present </span></span><span style="display:flex;"><span>* Trying to load a system falco module, if present </span></span><span style="display:flex;"><span>* Success: falco module found and loaded with modprobe </span></span><span style="display:flex;"><span>Sun May 2 18:00:10 2021: Falco version 0.28.0 (driver version 5c0b863ddade7a45568c0ac97d037422c9efb750) </span></span><span style="display:flex;"><span>Sun May 2 18:00:10 2021: Falco initialized with configuration file /etc/falco/falco.yaml </span></span><span style="display:flex;"><span>Sun May 2 18:00:10 2021: Loading rules from file /etc/falco/falco_rules.yaml: </span></span><span style="display:flex;"><span>Sun May 2 18:00:10 2021: Loading rules from file /etc/falco/falco_rules.local.yaml: </span></span><span style="display:flex;"><span>Sun May 2 18:00:10 2021: Loading rules from file /etc/falco/rules.d/rules_user_known_k8s_api_callers.yaml: </span></span><span style="display:flex;"><span>Sun May 2 18:00:10 2021: Starting internal webserver, listening on port 8765 </span></span><span style="display:flex;"><span>{&#34;output&#34;:&#34;20:24:10.361728219: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=falcoresponse k8s.pod=alpine container=6ac7d190134e shell=sh parent=runc cmdline=sh -c uptime terminal=34816 container_id=6ac7d190134e image=alpine) k8s.ns=falcoresponse k8s.pod=alpine container=6ac7d190134e k8s.ns=falcoresponse k8s.pod=alpine container=6ac7d190134e&#34;,&#34;priority&#34;:&#34;Notice&#34;,&#34;rule&#34;:&#34;Terminal shell in container&#34;,&#34;time&#34;:&#34;2021-05-02T20:24:10.361728219Z&#34;, &#34;output_fields&#34;: {&#34;container.id&#34;:&#34;6ac7d190134e&#34;,&#34;container.image.repository&#34;:&#34;alpine&#34;,&#34;evt.time&#34;:1619987050361728219,&#34;k8s.ns.name&#34;:&#34;falcoresponse&#34;,&#34;k8s.pod.name&#34;:&#34;alpine&#34;,&#34;proc.cmdline&#34;:&#34;sh -c uptime&#34;,&#34;proc.name&#34;:&#34;sh&#34;,&#34;proc.pname&#34;:&#34;runc&#34;,&#34;proc.tty&#34;:34816,&#34;user.loginuid&#34;:-1,&#34;user.name&#34;:&#34;root&#34;}} </span></span></code></pre></div><p>In <strong>Terminal 2</strong> you should see a pod starting and hopefully Complete without any errors and the alpine pod getting killed.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 0/1 Terminating <span style="color:#666">0</span> 1m7s </span></span><span style="display:flex;"><span>el-falco-listener-557786f598-znzk9 1/1 Running <span style="color:#666">0</span> 10m </span></span><span style="display:flex;"><span>falco-pod-delete-pipeline-run-w2vf8-run-pod-delete-jlxl7--mk44k 0/1 Completed <span style="color:#666">0</span> 59s </span></span></code></pre></div><blockquote> <p>Hurray our &quot;hacked&quot; pod have been killed</p> </blockquote> <p>If you look in the logs of the task</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl logs -f <span style="color:#a2f;font-weight:bold">$(</span>kubectl get pods -l tekton.dev/task<span style="color:#666">=</span>pod-delete -o <span style="color:#b8860b">jsonpath</span><span style="color:#666">=</span><span style="color:#b44">&#34;{.items[0].metadata.name}&#34;</span> -n falcoresponse<span style="color:#a2f;font-weight:bold">)</span> -n falcoresponse </span></span><span style="display:flex;"><span>2021/05/02 18:11:00 PodName: alpine &amp; Namespace: falcoresponse </span></span><span style="display:flex;"><span>2021/05/02 18:11:00 Rule: Terminal shell in container </span></span><span style="display:flex;"><span>2021/05/02 18:11:00 Deleting pod alpine from namespace falcoresponse </span></span></code></pre></div><h3 id="conclusion">Conclusion</h3> <p>This was a rather simple example on how we can use the power of tekton together with Falco to protect us from bad actors that is trying to take over pods in our cluster.</p> <p>As noted during this post there are a lot of potential improvements before this is production ready:</p> <ul> <li>The criticalNamespaces in our go code is currently hard-coded and needs to be input variable of some kind.</li> <li>We need to be able to delete pods depending on priority level, rule or something similar.</li> <li>To be able to debug pods we might need to shell in to them, we need a way to ignore pods temporary without the pod getting restarted. Probably a annotation to look for in the pod before deleting it.</li> <li>And probably many other needs that you can come up with.</li> </ul> <p>If you have any ideas/issues come and share them in the falco slack <a href="https://kubernetes.slack.com">https://kubernetes.slack.com</a> #falco.</p> <h4 id="tekton">Tekton</h4> <p>If you would like to find out more about Tekton:</p> <ul> <li>Get started in <a href="https://tekton.dev/">tekton.dev</a>.</li> <li>Check out the <a href="https://github.com/tektoncd">Tekton Project in GitHub</a>.</li> <li>Meet the maintainers on the <a href="https://tektoncd.slack.com//">TektonCD Slack</a>.</li> <li>Follow <a href="https://twitter.com/tektoncd">@tektoncd on Twitter</a>.</li> </ul> <h4 id="falco">Falco</h4> <p>If you would like to find out more about Falco:</p> <ul> <li>Get started in <a href="https://falco.org/">Falco.org</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falco">Falco project in GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Kubernetes Response Engine, Part 3: Falcosidekick + Knativehttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/Thu, 13 May 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functions</a></li> </ul> </blockquote> <hr> <p>As the Cloud Native ecosystem grows and the idea that an integrator can browse the offerings and slap them together like an a la carte menu resonates. We call this <em>Thinking Cloud Native</em>.</p> <p><a href="http://falco.org/">Falco</a> already produced events, but in the form of a webhook with bespoke payloads, which is fine, unless you would like to integrate into an ecosystem for event routing. To enable this for Falco we had to think about how these events are moved from producer to consumer via something else. Enter: CloudEvents.</p> <p>What is CloudEvents? It is a specification for translating an event and the metadata onto a specific protocol and back. What? It lets you think about the event in a generic way without it being tied to particular choices the integration is making today, and with minor effort CloudEvents lets that integration change the protocol choice without changing the meaning of the event.</p> <p>This lossless property of CloudEvents means the integrator is free to choose middleware that also speaks CloudEvents and has its own choices of persistence and protocol, but the consumer of the event need not be aware of these translations that have happened between the producer and consumer.</p> <p>There are several choices that support CloudEvents today: Serverless.com Event Gateway, Argo, Google Cloud Pub/Sub, Azure Event Grid, and Knative Eventing. A more full list is at the <a href="https://github.com/cloudevents/spec/blob/v1.0.1/community/open-source.md">cloudevents/spec repo</a>.</p> <p>For this blog post, we are going to focus in on Falco+Knative and see what we can do with that a la carte selection.</p> <h2 id="falco-knative">Falco+Knative</h2> <p>What is Knative? It is two things: Knative Serving and Knative Eventing. Serving provides a container based scale to zero, scale real big functionality; as well as rainbow deploys, auto-TLS, domain mappings, and various knobs to control concurrency and scale traits. Eventing provides a thin abstraction on top of traditional message brokers (think Kafka or AMQP) that lets you compose your application without considering the message persistence choices in the moment (CloudEvents).</p> <p>From Knative Eventing, we will use two components: Broker and Trigger. A Knative Eventing Broker represents a event delivery and persistence layer, sort of an eventing mesh. A Knative Eventing Trigger works with the Broker to ask that a consumer be involved with a CloudEvent that matches some specified attributes. So the Broker is the stream of events, the Trigger is how you select events out of the stream and get them delivered.</p> <p>With Falco producing CloudEvents, we can point our alerts from Falco at the Knative Eventing Broker. Then create a Trigger that selects the Falco event we want to react to. But we also need something to consume the event and react!</p> <p>From Knative Serving, we can leverage a Knative Serving Service (KService). A KService looks like a lot like a Kubernetes deployment, but it is realized on the cluster as an autoscaling and routable component without the need for manually creating additional Kubernetes Services. KService can run any container as long as it is stateless, and the lifecycle is defined only in the context of an active HTTP request.</p> <p>To tie this up in a picture,</p> <pre tabindex="0"><code>Falco --[via Sidekick]--&gt; Broker --[via Trigger]--&gt; KService </code></pre><p>We are free to make the subscriber of the Trigger be <em>anything</em> we want it to be as long as it is routable from the Broker, and it accepts HTTP POSTs. The request will be a CloudEvent in Binary mode, and Falco makes JSON events, so the payload will be the standard JSON Falco is known for. In-fact, we can replace the KService in with a <a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubeless function</a> and it will work.</p> <h2 id="demo">Demo</h2> <p>To demonstrate this, we have prepared a simple example: We will detect root shell creations and delete that pod.</p> <h3 id="prerequisites">Prerequisites</h3> <ul> <li><a href="https://multipass.run/">multipass</a></li> <li><a href="https://kubernetes.io/">Kubernetes</a>,</li> <li><a href="https://kubernetes.io/docs/tasks/tools/#kubectl">kubectl</a></li> <li><a href="https://helm.sh/docs/intro/install/">Helm</a></li> </ul> <h3 id="k3s-cluster">K3s Cluster</h3> <p>For this blog post, we a will show the demo using k3s using multipass. Here is a cluster creation commands:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>multipass launch --name k3s-leader --cpus <span style="color:#666">2</span> --mem 2048M --disk 10G </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>multipass <span style="color:#a2f">exec</span> k3s-leader -- /bin/bash -c <span style="color:#b44">&#34;curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE=644 sh -&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">K3S_IP_SERVER</span><span style="color:#666">=</span><span style="color:#b44">&#34;https://</span><span style="color:#a2f;font-weight:bold">$(</span>multipass info k3s-leader | grep <span style="color:#b44">&#34;IPv4&#34;</span> | awk -F<span style="color:#b44">&#39; &#39;</span> <span style="color:#b44">&#39;{print $2}&#39;</span><span style="color:#a2f;font-weight:bold">)</span><span style="color:#b44">:6443&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>multipass <span style="color:#a2f">exec</span> k3s-leader -- /bin/bash -c <span style="color:#b44">&#34;cat /etc/rancher/k3s/k3s.yaml&#34;</span> | sed <span style="color:#b44">&#34;s%https://127.0.0.1:6443%</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">K3S_IP_SERVER</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">%g&#34;</span> | sed <span style="color:#b44">&#34;s/default/k3s/g&#34;</span> &gt; ./k3s.yaml </span></span><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">KUBECONFIG</span><span style="color:#666">=</span>./k3s.yaml </span></span></code></pre></div><p>You should get this final output:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#666">(</span>╯°□°<span style="color:#666">)</span>╯︵ multipass launch --name k3s-leader --cpus <span style="color:#666">2</span> --mem 2048M --disk 10G </span></span><span style="display:flex;"><span>Launched: k3s-leader </span></span><span style="display:flex;"><span><span style="color:#666">(</span>╯°□°<span style="color:#666">)</span>╯︵ multipass <span style="color:#a2f">exec</span> k3s-leader -- /bin/bash -c <span style="color:#b44">&#34;curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE=644 sh -&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Finding release <span style="color:#a2f;font-weight:bold">for</span> channel stable </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Using v1.20.6+k3s1 as release </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Downloading <span style="color:#a2f">hash</span> https://github.com/k3s-io/k3s/releases/download/v1.20.6+k3s1/sha256sum-amd64.txt </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.20.6+k3s1/k3s </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Verifying binary download </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Installing k3s to /usr/local/bin/k3s </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Creating /usr/local/bin/kubectl symlink to k3s </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Creating /usr/local/bin/crictl symlink to k3s </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Creating /usr/local/bin/ctr symlink to k3s </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Creating killall script /usr/local/bin/k3s-killall.sh </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Creating uninstall script /usr/local/bin/k3s-uninstall.sh </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> env: Creating environment file /etc/systemd/system/k3s.service.env </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> systemd: Creating service file /etc/systemd/system/k3s.service </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> systemd: Enabling k3s unit </span></span><span style="display:flex;"><span>Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service. </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> systemd: Starting k3s </span></span></code></pre></div><p>Now we have a bare bones k3s cluster!</p> <h3 id="install-knative">Install Knative</h3> <p>To install the rest of Knative into k3s:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Installs Knative Serving</span> </span></span><span style="display:flex;"><span>kubectl apply -f https://github.com/knative/serving/releases/download/v0.22.0/serving-crds.yaml </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">wait</span> --for<span style="color:#666">=</span><span style="color:#b8860b">condition</span><span style="color:#666">=</span>Established --all crd </span></span><span style="display:flex;"><span>kubectl apply -f https://github.com/knative/serving/releases/download/v0.22.0/serving-core.yaml </span></span><span style="display:flex;"><span>kubectl apply -f https://github.com/knative/net-kourier/releases/download/v0.22.0/kourier.yaml </span></span><span style="display:flex;"><span>kubectl patch configmap/config-network <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --namespace knative-serving <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --type merge <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --patch <span style="color:#b44">&#39;{&#34;data&#34;:{&#34;ingress.class&#34;:&#34;kourier.ingress.networking.knative.dev&#34;}}&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Installs Knative Eventing</span> </span></span><span style="display:flex;"><span>kubectl apply -f https://github.com/knative/eventing/releases/download/v0.22.0/eventing-crds.yaml </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">wait</span> --for<span style="color:#666">=</span><span style="color:#b8860b">condition</span><span style="color:#666">=</span>Established --all crd </span></span><span style="display:flex;"><span>kubectl apply -f https://github.com/knative/eventing/releases/download/v0.22.0/eventing-core.yaml </span></span><span style="display:flex;"><span>kubectl apply -f https://github.com/knative/eventing/releases/download/v0.22.0/in-memory-channel.yaml </span></span><span style="display:flex;"><span>kubectl apply -f https://github.com/knative/eventing/releases/download/v0.22.0/mt-channel-broker.yaml </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Creates a default Broker</span> </span></span><span style="display:flex;"><span>kubectl create -f - <span style="color:#b44">&lt;&lt;EOF </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: eventing.knative.dev/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: Broker </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: default </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: default </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><p>See also <a href="https://knative.dev/docs/install/any-kubernetes-cluster/">knative.dev install instructions</a> for installing these into your own cluster.</p> <h3 id="falco-falcosidekick-sidekick-ui">Falco/Falcosidekick/sidekick UI</h3> <p>We'll use helm to install <code>Falco</code> ,<code>Falcosidekick</code> and <code>Falcosidekick UI</code>.</p> <p>First, add the falcosecurity <code>helm</code> repo:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span></code></pre></div><p>In a real project, you should get the whole chart with <code>helm pull falcosecurity/falco --untar</code> and then configure the <code>values.yaml</code>. For this tutorial, will try to keep thing as easy as possible and set configs directly by <code>helm install</code> command:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm install falco falcosecurity/falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --create-namespace --namespace falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --set falcosidekick.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> --set falcosidekick.webui.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --set falcosidekick.config.cloudevents.address<span style="color:#666">=</span>http://broker-ingress.knative-eventing.svc.cluster.local/default/default </span></span></code></pre></div><p>You should get this output:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>NAME: falco </span></span><span style="display:flex;"><span>LAST DEPLOYED: Thu Jan <span style="color:#666">14</span> 23:43:46 <span style="color:#666">2021</span> </span></span><span style="display:flex;"><span>NAMESPACE: falco </span></span><span style="display:flex;"><span>STATUS: deployed </span></span><span style="display:flex;"><span>REVISION: <span style="color:#666">1</span> </span></span><span style="display:flex;"><span>TEST SUITE: None </span></span><span style="display:flex;"><span>NOTES: </span></span><span style="display:flex;"><span>Falco agents are spinning up on each node in your cluster. After a few </span></span><span style="display:flex;"><span>seconds, they are going to start monitoring your containers looking <span style="color:#a2f;font-weight:bold">for</span> </span></span><span style="display:flex;"><span>security issues. </span></span><span style="display:flex;"><span>No further action should be required. </span></span></code></pre></div><p>And you can see your new <code>Falco</code>,<code>Falco Sidekick</code>,<code>Falco Sidekick UI</code> pods:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n falco </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-jh75c 1/1 Running <span style="color:#666">0</span> 1d </span></span><span style="display:flex;"><span>falco-falcosidekick-554b8859d5-v9xkg 1/1 Running <span style="color:#666">0</span> 1d </span></span><span style="display:flex;"><span>falco-falcosidekick-554b8859d5-x2zkk 1/1 Running <span style="color:#666">0</span> 1d </span></span><span style="display:flex;"><span>falco-falcosidekick-ui-5d747688f9-g96x5 1/1 Running <span style="color:#666">11</span> 1d </span></span></code></pre></div><p>The arguments <code>--set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true</code> enables Falcosidekick and the UI as the below shows:</p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/falcosidekick-ui-colors.png" alt="falcosidekick ui" loading="lazy" /> </p> <p>You can now test it with a typical port-forwarding:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl port-forward svc/falco-falcosidekick-ui -n falco 2802:2802 </span></span></code></pre></div><h3 id="drop-demo">Drop demo</h3> <p>Install the demo with:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl apply -f https://github.com/n3wscott/falco-drop/releases/download/v0.1.0/release.yaml </span></span></code></pre></div><p>This will install a <a href="https://knative.dev/docs/serving/#serving-resources">Knative Service</a> that will consume the Falco events sent by falcosidekick (to the broker), some <a href="https://github.com/n3wscott/falco-drop/blob/v0.1.0/config/rbac.yaml">RBAC</a> to enable that service to delete pods, and a Knative Trigger to register this consumer for events from the <a href="https://knative.dev/docs/eventing/broker/">Knative Eventing Broker</a>.</p> <h4 id="consumer-kservice">Consumer KService</h4> <p>The simplified go code in use is like the following:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-go" data-lang="go"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">main</span>()<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#666">...</span>setup<span style="color:#bbb"> </span>context<span style="color:#666">...</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>kc<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>kubeclient.<span style="color:#00a000">Get</span>(ctx)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// Make a CloudEvents Client.</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>c,<span style="color:#bbb"> </span>_<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>cloudevents.<span style="color:#00a000">NewDefaultClient</span>(p)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// StartReceiver is blocking, it will deliver events to the inline function.</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>c.<span style="color:#00a000">StartReceiver</span>(ctx,<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">func</span>(event<span style="color:#bbb"> </span>cloudevents.Event)<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// Filter based on source and type.</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>event.<span style="color:#00a000">Source</span>()<span style="color:#bbb"> </span><span style="color:#666">==</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;falco.org&#34;</span><span style="color:#bbb"> </span><span style="color:#666">&amp;&amp;</span><span style="color:#bbb"> </span>event.<span style="color:#00a000">Type</span>()<span style="color:#bbb"> </span><span style="color:#666">==</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;falco.rule.output.v1&#34;</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// Extract the Falco event Payload</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>payload<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span><span style="color:#666">&amp;</span>FalcoPayload{}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>event.<span style="color:#00a000">DataAs</span>(payload);<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// Only react to &#34;Terminal shell in container&#34; triggered rules.</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>payload.Rule<span style="color:#bbb"> </span><span style="color:#666">==</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;Terminal shell in container&#34;</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>kc.<span style="color:#00a000">CoreV1</span>().<span style="color:#00a000">Pods</span>(payload.Fields.Namespace).<span style="color:#00a000">Delete</span>(ctx,<span style="color:#bbb"> </span>payload.Fields.Pod,<span style="color:#bbb"> </span>metav1.DeleteOptions{});<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Println</span>(<span style="color:#b44">&#34;failed to delete pod from event:&#34;</span>,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;[%s] deleted %s from %s because %s\n&#34;</span>,<span style="color:#bbb"> </span>payload.Rule,<span style="color:#bbb"> </span>payload.Fields.Pod,<span style="color:#bbb"> </span>payload.Fields.Namespace,<span style="color:#bbb"> </span>payload.Output)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>})<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span></code></pre></div><p>The full implementation can be found in the <a href="https://github.com/n3wscott/falco-drop/blob/main/cmd/drop/main.go">falco-drop</a> repo.</p> <blockquote> <p>Pro-tip: if you are developing in Go for Kubernetes, take a look at <a href="https://github.com/google/ko">ko</a>. <code>ko</code> enables containerizing go applications without needing a Dockerfile.</p> </blockquote> <p>Even though the Trigger only delivers events that match the Trigger filter, it is a good idea to validate the event that the function is receiving, which is why we are validating again in the above code (trust, but verify).</p> <h4 id="eventing-triggers">Eventing Triggers</h4> <p>The Trigger configures the Broker for a subscriber to be invoked when the Broker ingresses an event that matches the <code>spec.filter</code> settings.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">apiVersion</span>:<span style="color:#bbb"> </span>eventing.knative.dev/v1<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>Trigger<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">metadata</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>drop<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">namespace</span>:<span style="color:#bbb"> </span>default<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">spec</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">broker</span>:<span style="color:#bbb"> </span>default<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">filter</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">attributes</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">source</span>:<span style="color:#bbb"> </span>falco.org<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">type</span>:<span style="color:#bbb"> </span>falco.rule.output.v1<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">subscriber</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">ref</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">apiVersion</span>:<span style="color:#bbb"> </span>serving.knative.dev/v1<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>Service<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>drop<span style="color:#bbb"> </span></span></span></code></pre></div><blockquote> <p>Note: the <code>kind: Service, name: drop</code> resource is the Knative Service we created above.</p> </blockquote> <p>Here we are requesting that the broker only deliver events that have the attributes (CloudEvent attributes) of <code>source=falco.org</code> and <code>type=falco.rule.output.v1</code>. These events are delivered to our subscriber KService.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/knative-drop-graph.png" alt="Eventing Topology" loading="lazy" /> </p> <p>Want to learn how that <code>spec.subscriber.ref</code> works?! It is <a href="https://en.wikipedia.org/wiki/Duck_typing">duck typing</a> <a href="https://docs.google.com/document/d/1Bud636dMcAQjXe6xfOMBzT0YYqOj1rx3EELxrq2YQv8/edit#heading=h.7o4a6nr4d1sv">and</a> <a href="https://docs.google.com/document/d/e/2PACX-1vQeYowntWI4U8yN19Esf0mK8HiY0Cf1XhbbfzLpnLzGcWqhWHwpqNFH7FqDQGTIAHqz4iFP7dPIBKvG/pub">you</a> <a href="https://github.com/knative/pkg/tree/master/apis/duck#duck-types">can</a> <a href="https://www.youtube.com/watch?v=Mb8c5SP-Sw0">learn</a> <a href="https://www.youtube.com/watch?v=kldVg63Utuw">more</a>, but tl;dr: it is basically doing this (except fancy),</p> <pre tabindex="0"><code>kubectl get ksvc drop -o jsonpath=&#39;{.status.address.url}&#39; </code></pre><h3 id="test">Test</h3> <p>First we will create a pod that we can execute code on later:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl run alpine --namespace default --image<span style="color:#666">=</span>alpine --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span></code></pre></div><p>You should see two pods runing, <code>drop-00001-*</code> and a <code>alpine</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#666">(</span>╯°□°<span style="color:#666">)</span>╯︵ kubectl get pods </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>drop-00001-deployment-6b4c5d8bb-m8q4z 2/2 Running <span style="color:#666">0</span> 4m9s </span></span><span style="display:flex;"><span>alpine 1/1 Running <span style="color:#666">0</span> 39s </span></span></code></pre></div><p>Next, we will execute a command in that <code>alpine</code> pod:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl <span style="color:#a2f">exec</span> -i --tty alpine --namespace default -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span></code></pre></div><p>The <code>alpine</code> pod will be terminated by the drop function once the events are processed:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#666">(</span>╯°□°<span style="color:#666">)</span>╯︵ kubectl <span style="color:#a2f">exec</span> -i --tty alpine --namespace default -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span>pod/alpine created </span></span><span style="display:flex;"><span><span style="color:#666">(</span>╯°□°<span style="color:#666">)</span>╯︵ kubectl <span style="color:#a2f">exec</span> -i --tty alpine --namespace default -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span> 19:29:29 up <span style="color:#666">17</span> min, load average: 0.90, 0.85, 0.59 </span></span><span style="display:flex;"><span><span style="color:#666">(</span>╯°□°<span style="color:#666">)</span>╯︵ kubectl get pods </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>drop-00001-deployment-6b4c5d8bb-m8q4z 2/2 Running <span style="color:#666">0</span> 10m </span></span><span style="display:flex;"><span>alpine 1/1 Terminating <span style="color:#666">0</span> 5s </span></span></code></pre></div><p>Or simply start a hanging shell:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl run alpine-alpine --namespace default --image<span style="color:#666">=</span>alpine --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">exec</span> -i --tty alpine-hang --namespace default -- sh </span></span></code></pre></div><p>And the shell will be closed:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#666">(</span>╯°□°<span style="color:#666">)</span>╯︵ kubectl <span style="color:#a2f">exec</span> -i --tty alpine-hang --namespace default -- sh </span></span><span style="display:flex;"><span>/ <span style="color:#080;font-style:italic"># command terminated with exit code 137</span> </span></span></code></pre></div><p>The event that the drop function is reacting to is a CloudEvent that looks something like this:</p> <pre tabindex="0"><code>Context Attributes, specversion: 1.0 type: falco.rule.output.v1 source: falco.org id: f7628198-3822-4c98-ac3f-71770e272a16 time: 2021-01-11T23:46:19.82302759Z datacontenttype: application/json Extensions, foo: bar priority: Notice rule: Terminal shell in container Data, { &#34;output&#34;: &#34;23:46:19.823027590: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=alpine container=f29b261f8831 shell=bash parent=runc cmdline=bash -il terminal=34816 container_id=f29b261f8831 image=mysql) k8s.ns=default k8s.pod=mysql-db-7d59548d75-wh44s container=f29b261f8831&#34;, &#34;priority&#34;: &#34;Notice&#34;, &#34;rule&#34;: &#34;Terminal shell in container&#34;, &#34;time&#34;: &#34;2021-01-11T23:46:19.82302759Z&#34;, &#34;output_fields&#34;: { &#34;container.id&#34;: &#34;f29b261f8831&#34;, &#34;container.image.repository&#34;: &#34;mysql&#34;, &#34;evt.time&#34;: 1610408779823027700, &#34;k8s.ns.name&#34;: &#34;default&#34;, &#34;k8s.pod.name&#34;: &#34;alpine&#34;, &#34;proc.cmdline&#34;: &#34;bash -il&#34;, &#34;proc.name&#34;: &#34;bash&#34;, &#34;proc.pname&#34;: &#34;runc&#34;, &#34;proc.tty&#34;: 34816, &#34;user.loginuid&#34;: -1, &#34;user.name&#34;: &#34;root&#34; } } </code></pre><p>The KService consumes this event and simply deletes the pod. You can also see this activity in the <a href="http://localhost:2802/ui/#/">falcosidekick UI</a>.</p> <h2 id="conclusion">Conclusion</h2> <p>Thinking Cloud Native is a mindset of picking the right tool for the job and assembling these tools into something greater than their parts. Falco is a great tool for detection and alerts, it gets really interesting once we can react to those events in ways we never imagined, because integrators are creative and innovative.</p> <p>What will you build?</p> <h3 id="knative">Knative</h3> <p>If you would like to find out more about Knative:</p> <ul> <li>Get started in <a href="http://knative.dev/">knative.dev</a>.</li> <li>Check out the <a href="https://github.com/knative">Knative Project in GitHub</a>.</li> <li>Meet the maintainers on the <a href="https://slack.knative.dev/">Knative Slack</a>.</li> <li>Follow <a href="https://twitter.com/KnativeProject">@KnativeProject on Twitter</a>.</li> </ul> <h3 id="falco">Falco</h3> <p>If you would like to find out more about Falco:</p> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falco">Falco project in GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Kubernetes Response Engine, Part 2: Falcosidekick + OpenFaashttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/Sun, 11 Apr 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functions</a></li> </ul> </blockquote> <hr> <p>We recently talked about a concept called <em>&quot;Kubernetes Response Engine&quot;</em>, and we achieved this by using <code>Falco</code></p> <ul> <li><code>Falcosidekick</code> + <code>Kubeless</code>. But as you might guess, <code>Falcosidekick</code> project is evolving day after day, which means new outputs are added. With the release <a href="https://github.com/falcosecurity/falcosidekick/releases/tag/2.22.0"><code>2.22.0</code></a>, we are proud to support <a href="https://www.openfaas.com"><code>OpenFaaS</code></a> as a new output for <em>Falcosidekick</em>. This allows us to achieve the same concept, <em>&quot;Kubernetes Response Engine&quot;</em>, but this time by using <em>&quot;OpenFaaS&quot;</em> instead of <em>&quot;Kubeless&quot;</em>.</li> </ul> <p>In this blog post, we will explain the basic concepts for integrating your own Response Engine into K8S with the stack <code>Falco</code> + <code>Falcosidekick</code> + <code>OpenFaaS</code>.</p> <h2 id="prerequisites">Prerequisites</h2> <p>We need tools with the following minimum versions to achieve this demo:</p> <ul> <li>Minikube v1.19.0</li> <li>Helm v3.5.3</li> <li>kubectl v1.21.0</li> <li>arkade v0.7.13</li> <li>faas-cli v0.13.9</li> </ul> <h3 id="provision-local-kubernetes-cluster">Provision local Kubernetes Cluster</h3> <p>There are various ways to provision a local Kubernetes cluster such as, KinD, k3s, k0s, Minikube etc. We are going to use Minikube in this walkthrough.</p> <p>Let's get provisioned a local Kubernetes cluster:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ minikube start --cpus <span style="color:#666">3</span> --memory <span style="color:#666">8192</span> --vm-driver virtualbox </span></span><span style="display:flex;"><span>😄 minikube v1.19.0 on Darwin 10.15.7 </span></span><span style="display:flex;"><span>✨ Using the virtualbox driver based on user configuration </span></span><span style="display:flex;"><span>👍 Starting control plane node minikube in cluster minikube </span></span><span style="display:flex;"><span>🔥 Creating virtualbox VM <span style="color:#666">(</span><span style="color:#b8860b">CPUs</span><span style="color:#666">=</span>3, <span style="color:#b8860b">Memory</span><span style="color:#666">=</span>8192MB, <span style="color:#b8860b">Disk</span><span style="color:#666">=</span>20000MB<span style="color:#666">)</span> ... </span></span><span style="display:flex;"><span>🐳 Preparing Kubernetes v1.20.2 on Docker 20.10.4 ... </span></span><span style="display:flex;"><span> ▪ Generating certificates and keys ... </span></span><span style="display:flex;"><span> ▪ Booting up control plane ... </span></span><span style="display:flex;"><span> ▪ Configuring RBAC rules ... </span></span><span style="display:flex;"><span>🔎 Verifying Kubernetes components... </span></span><span style="display:flex;"><span> ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5 </span></span><span style="display:flex;"><span>🌟 Enabled addons: storage-provisioner, default-storageclass </span></span><span style="display:flex;"><span>🏄 Done! kubectl is now configured to use <span style="color:#b44">&#34;minikube&#34;</span> cluster and <span style="color:#b44">&#34;default&#34;</span> namespace by default </span></span></code></pre></div><h2 id="install-openfaas">Install OpenFaaS</h2> <p>OpenFaaS can be deployed into a variety of container orchestrators like Kubernetes, OpenShift, Docker Swarm or into a single host with faasd.</p> <p>Follow the official documentation for <a href="https://docs.openfaas.com/deployment/kubernetes/">deploying OpenFaaS to Kubernetes</a>.</p> <p>The fastest option is the tool called <a href="https://github.com/alexellis/arkade">arkade</a> to deploy OpenFaaS:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ arkade install openfaas </span></span><span style="display:flex;"><span>Using Kubeconfig: /Users/batuhan.apaydin/.kube/config </span></span><span style="display:flex;"><span>Client: x86_64, Darwin </span></span><span style="display:flex;"><span>2021/04/10 21:39:29 User dir established as: /Users/batuhan.apaydin/.arkade/ </span></span><span style="display:flex;"><span><span style="color:#b44">&#34;openfaas&#34;</span> already exists with the same configuration, skipping </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Hang tight <span style="color:#a2f;font-weight:bold">while</span> we grab the latest from your chart repositories... </span></span><span style="display:flex;"><span>...Successfully got an update from the <span style="color:#b44">&#34;falcosecurity&#34;</span> chart repository </span></span><span style="display:flex;"><span>...Successfully got an update from the <span style="color:#b44">&#34;openfaas&#34;</span> chart repository </span></span><span style="display:flex;"><span>Update Complete. ⎈Happy Helming!⎈ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>VALUES values.yaml </span></span><span style="display:flex;"><span>Command: /Users/batuhan.apaydin/.arkade/bin/helm <span style="color:#666">[</span>upgrade --install openfaas openfaas/openfaas --namespace openfaas --values /var/folders/pf/6h9t0mnd4d342ncgpjq_3zl80000gp/T/charts/openfaas/values.yaml --set queueWorker.replicas<span style="color:#666">=</span><span style="color:#666">1</span> --set queueWorker.maxInflight<span style="color:#666">=</span><span style="color:#666">1</span> --set <span style="color:#b8860b">clusterRole</span><span style="color:#666">=</span><span style="color:#a2f">false</span> --set operator.create<span style="color:#666">=</span><span style="color:#a2f">false</span> --set faasnetes.imagePullPolicy<span style="color:#666">=</span>Always --set basicAuthPlugin.replicas<span style="color:#666">=</span><span style="color:#666">1</span> --set gateway.replicas<span style="color:#666">=</span><span style="color:#666">1</span> --set gateway.directFunctions<span style="color:#666">=</span><span style="color:#a2f">false</span> --set <span style="color:#b8860b">openfaasImagePullPolicy</span><span style="color:#666">=</span>IfNotPresent --set ingressOperator.create<span style="color:#666">=</span><span style="color:#a2f">false</span> --set <span style="color:#b8860b">basic_auth</span><span style="color:#666">=</span><span style="color:#a2f">true</span> --set <span style="color:#b8860b">serviceType</span><span style="color:#666">=</span>NodePort<span style="color:#666">]</span> </span></span><span style="display:flex;"><span>Release <span style="color:#b44">&#34;openfaas&#34;</span> does not exist. Installing it now. </span></span><span style="display:flex;"><span>NAME: openfaas </span></span><span style="display:flex;"><span>LAST DEPLOYED: Sat Apr <span style="color:#666">10</span> 21:39:37 <span style="color:#666">2021</span> </span></span><span style="display:flex;"><span>NAMESPACE: openfaas </span></span><span style="display:flex;"><span>STATUS: deployed </span></span><span style="display:flex;"><span>REVISION: <span style="color:#666">1</span> </span></span><span style="display:flex;"><span>TEST SUITE: None </span></span><span style="display:flex;"><span>NOTES: </span></span><span style="display:flex;"><span>To verify that openfaas has started, run: </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> kubectl -n openfaas get deployments -l <span style="color:#b44">&#34;release=openfaas, app=openfaas&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#666">=======================================================================</span> </span></span><span style="display:flex;"><span><span style="color:#666">=</span> OpenFaaS has been installed. <span style="color:#666">=</span> </span></span><span style="display:flex;"><span><span style="color:#666">=======================================================================</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Get the faas-cli</span> </span></span><span style="display:flex;"><span>curl -SLsf https://cli.openfaas.com | sudo sh </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Forward the gateway to your machine</span> </span></span><span style="display:flex;"><span>kubectl rollout status -n openfaas deploy/gateway </span></span><span style="display:flex;"><span>kubectl port-forward -n openfaas svc/gateway 8080:8080 &amp; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># If basic auth is enabled, you can now log into your gateway:</span> </span></span><span style="display:flex;"><span><span style="color:#b8860b">PASSWORD</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>kubectl get secret -n openfaas basic-auth -o <span style="color:#b8860b">jsonpath</span><span style="color:#666">=</span><span style="color:#b44">&#34;{.data.basic-auth-password}&#34;</span> | base64 --decode; <span style="color:#a2f">echo</span><span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span><span style="color:#a2f">echo</span> -n <span style="color:#b8860b">$PASSWORD</span> | faas-cli login --username admin --password-stdin </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>faas-cli store deploy figlet </span></span><span style="display:flex;"><span>faas-cli list </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># For Raspberry Pi</span> </span></span><span style="display:flex;"><span>faas-cli store list <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --platform armhf </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>faas-cli store deploy figlet <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --platform armhf </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Find out more at:</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># https://github.com/openfaas/faas</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Thanks <span style="color:#a2f;font-weight:bold">for</span> using arkade! </span></span></code></pre></div><p>Check if everything is working before moving onto the next step:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace openfaas </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alertmanager-74f9b48464-7gvrj 1/1 Running <span style="color:#666">0</span> 2m13s </span></span><span style="display:flex;"><span>basic-auth-plugin-54bbd886f5-fclgn 1/1 Running <span style="color:#666">0</span> 2m13s </span></span><span style="display:flex;"><span>gateway-6f8f5d5c87-tbxns 2/2 Running <span style="color:#666">0</span> 2m13s </span></span><span style="display:flex;"><span>nats-695bf7587-hcbc2 1/1 Running <span style="color:#666">0</span> 2m13s </span></span><span style="display:flex;"><span>prometheus-577c65f58c-4nvm7 1/1 Running <span style="color:#666">0</span> 2m13s </span></span><span style="display:flex;"><span>queue-worker-b45b85966-g7kpt 1/1 Running <span style="color:#666">0</span> 2m13s </span></span></code></pre></div><p>Now, it is time to deploy our function. The function we are going to deploy basically receives events for an infected pod from the <em>Falcosidekick</em> and deletes it immediately. Before deploying the function we need some permissions to delete Pod. We create a <code>ServiceAccount</code> with right to delete a Pod in any namespace, and we'll associate it to our function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: openfaas-fn </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role </span></span></span><span style="display:flex;"><span><span style="color:#b44">rules: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;pods&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;get&#34;, &#34;list&#34;, &#34;delete&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRoleBinding </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role-binding </span></span></span><span style="display:flex;"><span><span style="color:#b44">roleRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role </span></span></span><span style="display:flex;"><span><span style="color:#b44"> apiGroup: rbac.authorization.k8s.io </span></span></span><span style="display:flex;"><span><span style="color:#b44">subjects: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: openfaas-fn </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><p>Now, we are ready to deploy our <em>falco-pod-delete</em> function, log in into <em>OpenFaaS Gateway</em> first:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl port-forward -n openfaas svc/gateway 8080:8080 &amp; </span></span><span style="display:flex;"><span>$ <span style="color:#b8860b">PASSWORD</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>kubectl get secret -n openfaas basic-auth -o <span style="color:#b8860b">jsonpath</span><span style="color:#666">=</span><span style="color:#b44">&#34;{.data.basic-auth-password}&#34;</span> | base64 --decode; <span style="color:#a2f">echo</span><span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span><span style="color:#b8860b">$echo</span> -n <span style="color:#b8860b">$PASSWORD</span> | faas-cli login --username admin --password-stdin </span></span><span style="display:flex;"><span>Calling the OpenFaaS server to validate the credentials... </span></span><span style="display:flex;"><span>credentials saved <span style="color:#a2f;font-weight:bold">for</span> admin http://127.0.0.1:8080 </span></span></code></pre></div><h2 id="install-falco-falcosidekick">Install Falco + Falcosidekick</h2> <p>Firstly, we'll create the namespace that will host both <code>Falco</code> and <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl create namespace falco </span></span></code></pre></div><p>We add the <code>helm</code> repo:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span><span style="display:flex;"><span><span style="color:#b44">&#34;falcosecurity&#34;</span> has been added to your repositories </span></span><span style="display:flex;"><span>$ helm repo update </span></span><span style="display:flex;"><span>Hang tight <span style="color:#a2f;font-weight:bold">while</span> we grab the latest from your chart repositories... </span></span><span style="display:flex;"><span>...Successfully got an update from the <span style="color:#b44">&#34;falcosecurity&#34;</span> chart repository </span></span><span style="display:flex;"><span>...Successfully got an update from the <span style="color:#b44">&#34;openfaas&#34;</span> chart repository </span></span><span style="display:flex;"><span>Update Complete. ⎈Happy Helming!⎈ </span></span></code></pre></div><p>In a real project, you should get the whole chart with <code>helm pull falcosecurity/falco --untar</code> and then configure the <code>values.yaml</code>. For this tutorial, will try to keep thing as easy as possible and set configs directly by passing arguments to <code>helm install</code> command line:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ helm upgrade --install falco falcosecurity/falco --namespace falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.config.openfaas.functionname<span style="color:#666">=</span><span style="color:#b44">&#34;falco-pod-delete&#34;</span> </span></span></code></pre></div><p>You should get this output:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>Release <span style="color:#b44">&#34;falco&#34;</span> does not exist. Installing it now. </span></span><span style="display:flex;"><span>NAME: falco </span></span><span style="display:flex;"><span>LAST DEPLOYED: Tue Apr <span style="color:#666">13</span> 10:49:49 <span style="color:#666">2021</span> </span></span><span style="display:flex;"><span>NAMESPACE: falco </span></span><span style="display:flex;"><span>STATUS: deployed </span></span><span style="display:flex;"><span>REVISION: <span style="color:#666">1</span> </span></span><span style="display:flex;"><span>NOTES: </span></span><span style="display:flex;"><span>Falco agents are spinning up on each node in your cluster. After a few </span></span><span style="display:flex;"><span>seconds, they are going to start monitoring your containers looking <span style="color:#a2f;font-weight:bold">for</span> </span></span><span style="display:flex;"><span>security issues. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>No further action should be required. </span></span></code></pre></div><p>And you can see your new <code>Falco</code> and <code>Falcosidekick</code>pods:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace falco </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-falcosidekick-7779579477-mwsb4 1/1 Running <span style="color:#666">0</span> 67s </span></span><span style="display:flex;"><span>falco-falcosidekick-7779579477-n5v89 1/1 Running <span style="color:#666">0</span> 67s </span></span><span style="display:flex;"><span>falco-p97rw 1/1 Running <span style="color:#666">0</span> 67s </span></span></code></pre></div><p>The argument <code>falcosidekick.enabled=true</code> sets the following settings in <em>Falco</em> for you:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>--set falco.jsonOutput<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falco.httpOutput.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falco.httpOutput.url<span style="color:#666">=</span>http://falco-falcosidekick:2801 </span></span></code></pre></div><p>The arguments <code>--set falco.jsonOutput=true --set falco.httpOutput.enabled=true --set falco.httpOutput.url=http://falco-falcosidekick:2801</code> are there to configure the format of events and the URL where <code>Falco</code> will send them. As <code>Falco</code> and <code>Falcosidekick</code> will be in the same namespace, it can directly use the name of the service (<code>falco-falcosidekick</code>) above <code>Falcosidekick</code> pods.</p> <p>We check the logs:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs deployment/falco-falcosidekick -n falco </span></span><span style="display:flex;"><span>Found <span style="color:#666">2</span> pods, using pod/falcosidekick-5c696d7fd8-9bnnj </span></span><span style="display:flex;"><span>2021/04/10 19:21:55 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Enabled Outputs : <span style="color:#666">[</span>OpenFaaS<span style="color:#666">]</span> </span></span><span style="display:flex;"><span>2021/04/10 19:21:55 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Falco Sidekick is up and listening on :2801 </span></span></code></pre></div><p><code>OpenFaaS</code> is displayed as enabled output, everything is good 👍.</p> <h2 id="install-our-openfaas-function">Install our OpenFaaS function</h2> <p>Our really basic function will receive events from <code>Falco</code> thanks to <code>Falcosidekick</code>, check if the triggered rule is * <a href="https://github.com/falcosecurity/falco/blob/0d7068b048772b1e2d3ca5c86c30b3040eac57df/rules/falco_rules.yaml#L2063">Terminal Shell in container*</a> , extract the <em>namespace</em> and <em>pod name</em> from the fields of events and delete the according pod:</p> <p>Basically, the process is:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span> +----------+ +---------------+ +----------+ </span></span><span style="display:flex;"><span> | Falco +-----------------&gt; Falcosidekick +--------------------&gt; OpenFaaS | </span></span><span style="display:flex;"><span> +----^-----+ sends event +---------------+ triggers +-----+----+ </span></span><span style="display:flex;"><span> | | </span></span><span style="display:flex;"><span>detects a shell | | </span></span><span style="display:flex;"><span> | | </span></span><span style="display:flex;"><span> +----+-------+ deletes | </span></span><span style="display:flex;"><span> | Pwned Pod &lt;----------------------------------------------------------+ </span></span><span style="display:flex;"><span> +------------+ </span></span></code></pre></div><p>Let's create the function and deploy it:</p> <pre tabindex="0"><code>$ faas-cli template store pull golang-middleware Fetch templates from repository: https://github.com/openfaas/golang-http-template at 2021/04/10 21:56:34 Attempting to expand templates from https://github.com/openfaas/golang-http-template 2021/04/10 21:56:35 Fetched 2 template(s) : [golang-http golang-middleware] from https://github.com/openfaas/golang-http-template $ tree -L 2 . . └── template ├── golang-http └── golang-middleware # Don&#39;t forget to set your docker id in the prefix section, mine is devopps. $ faas-cli new falco-pod-delete --lang golang-middleware --prefix devopps faas-cli new falco-pod-delete --lang golang-middleware --prefix devopps Folder: falco-pod-delete created. ___ _____ ____ / _ \ _ __ ___ _ __ | ___|_ _ __ _/ ___| | | | | &#39;_ \ / _ \ &#39;_ \| |_ / _` |/ _` \___ \ | |_| | |_) | __/ | | | _| (_| | (_| |___) | \___/| .__/ \___|_| |_|_| \__,_|\__,_|____/ |_| Function created in folder: falco-pod-delete Stack file written: falco-pod-delete.yml Notes: You have created a new function which uses Golang 1.13. To include third-party dependencies, use Go modules and use &#34;--build-arg GO111MODULE=on&#34; with faas-cli build or configure this via your stack.yml file. See more: https://docs.openfaas.com/cli/templates/ For detailed examples: https://github.com/openfaas-incubator/golang-http-template $ tree -L 2 . . ├── falco-pod-delete │ └── handler.go ├── falco-pod-delete.yml └── template ├── golang-http └── golang-middleware </code></pre><p>First, replace the <em>falco-pod-delete.yml</em> with the following content:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">version</span>:<span style="color:#bbb"> </span><span style="color:#666">1.0</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">provider</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>openfaas<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">gateway</span>:<span style="color:#bbb"> </span>http://127.0.0.1:8080<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">functions</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">falco-pod-delete</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">lang</span>:<span style="color:#bbb"> </span>golang-middleware<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">handler</span>:<span style="color:#bbb"> </span>./falco-pod-delete<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">image</span>:<span style="color:#bbb"> </span>devopps/falco-pod-delete:latest<span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># be careful this line, it should be your docker id.</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">annotations</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">com.openfaas.serviceaccount</span>:<span style="color:#bbb"> </span>falco-pod-delete<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">build_args</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">GO111MODULE</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">on</span><span style="color:#bbb"> </span></span></span></code></pre></div><p>Once you have edited it, let's continue with the code, create a <code>go.mod</code>.</p> <pre tabindex="0"><code>$ cd falco-pod-delete $ go mod init falco-pod-delete go: creating new go.mod: module falco-pod-delete go: to add module requirements and sums: go mod tidy </code></pre><p>Then, replace the <code>handler.go</code> with the following content:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-golang" data-lang="golang"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">package</span><span style="color:#bbb"> </span>function<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">import</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;context&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;encoding/json&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;io/ioutil&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;log&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;net/http&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;time&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>metaV1<span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/apimachinery/pkg/apis/meta/v1&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/kubernetes&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/rest&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>kubeClient<span style="color:#bbb"> </span><span style="color:#666">*</span>kubernetes.Clientset<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">init</span>()<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// creates the in-cluster config</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>config,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>rest.<span style="color:#00a000">InClusterConfig</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(err.<span style="color:#00a000">Error</span>())<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// creates the clientset</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>kubeClient,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>kubernetes.<span style="color:#00a000">NewForConfig</span>(config)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(err.<span style="color:#00a000">Error</span>())<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">type</span><span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Output<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Priority<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;priority&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Rule<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;rule&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Time<span style="color:#bbb"> </span>time.Time<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>OutputFields<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerID<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.id&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageRepository<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.repository&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageTag<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.tag&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>EvtTime<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">int64</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;evt.time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>FdName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;fd.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SNsName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.ns.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SPodName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.pod.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ProcCmdline<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;proc.cmdline&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output_fields&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>CriticalNamespaces<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>[]<span style="color:#0b0;font-weight:bold">string</span>{<span style="color:#b44">&#34;kube-system&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;kube-public&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;kube-node-lease&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;falco&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;openfaas&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;openfaas-fn&#34;</span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">Handle</span>(w<span style="color:#bbb"> </span>http.ResponseWriter,<span style="color:#bbb"> </span>r<span style="color:#bbb"> </span><span style="color:#666">*</span>http.Request)<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>alert<span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>r.Body<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">defer</span><span style="color:#bbb"> </span>r.Body.<span style="color:#00a000">Close</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>body,<span style="color:#bbb"> </span>_<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>ioutil.<span style="color:#00a000">ReadAll</span>(r.Body)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>json.<span style="color:#00a000">Unmarshal</span>(body,<span style="color:#bbb"> </span><span style="color:#666">&amp;</span>alert)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>podName<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>alert.OutputFields.K8SPodName<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>namespace<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>alert.OutputFields.K8SNsName<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>critical<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">bool</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">for</span><span style="color:#bbb"> </span>_<span style="color:#bbb"> </span>,<span style="color:#bbb"> </span>ns<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">range</span><span style="color:#bbb"> </span>CriticalNamespaces<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>ns<span style="color:#bbb"> </span><span style="color:#666">==</span><span style="color:#bbb"> </span>namespace<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>critical<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">break</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>!critical<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;Deleting pod %s from namespace %s&#34;</span>,<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>namespace)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>kubeClient.<span style="color:#00a000">CoreV1</span>().<span style="color:#00a000">Pods</span>(namespace).<span style="color:#00a000">Delete</span>(context.<span style="color:#00a000">Background</span>(),<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>metaV1.DeleteOptions{})<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>w.<span style="color:#00a000">WriteHeader</span>(http.StatusOK)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>w.<span style="color:#00a000">Write</span>([]<span style="color:#a2f">byte</span>(<span style="color:#b44">&#34;OK&#34;</span>))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span></code></pre></div><p>After that, update your <em>Go Modules</em> by doing <code>go mod tidy</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ go mod tidy </span></span><span style="display:flex;"><span>go: finding module <span style="color:#a2f;font-weight:bold">for</span> package k8s.io/client-go/rest </span></span><span style="display:flex;"><span>go: finding module <span style="color:#a2f;font-weight:bold">for</span> package k8s.io/apimachinery/pkg/apis/meta/v1 </span></span><span style="display:flex;"><span>go: finding module <span style="color:#a2f;font-weight:bold">for</span> package k8s.io/client-go/kubernetes </span></span><span style="display:flex;"><span>go: downloading k8s.io/client-go v0.21.0 </span></span><span style="display:flex;"><span>go: downloading k8s.io/apimachinery v0.21.0 </span></span><span style="display:flex;"><span>go: found k8s.io/apimachinery/pkg/apis/meta/v1 in k8s.io/apimachinery v0.21.0 </span></span><span style="display:flex;"><span>go: found k8s.io/client-go/kubernetes in k8s.io/client-go v0.21.0 </span></span><span style="display:flex;"><span>go: found k8s.io/client-go/rest in k8s.io/client-go v0.21.0 </span></span><span style="display:flex;"><span>go: downloading k8s.io/api v0.21.0 </span></span><span style="display:flex;"><span>go: downloading golang.org/x/net v0.0.0-20210224082022-3d97a244fca7 </span></span><span style="display:flex;"><span>go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.1.0 </span></span><span style="display:flex;"><span>go: downloading golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d </span></span></code></pre></div><p>Now, you should be able to build, push and deploy your function with <code>faas-cli</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#a2f">cd</span> .. </span></span><span style="display:flex;"><span>$ faas-cli up -f falco-pod-delete.yml </span></span><span style="display:flex;"><span><span style="color:#666">[</span>0<span style="color:#666">]</span> &gt; Building falco-pod-delete. </span></span><span style="display:flex;"><span>Clearing temporary build folder: ./build/falco-pod-delete/ </span></span><span style="display:flex;"><span>Preparing: ./falco-pod-delete/ build/falco-pod-delete/function </span></span><span style="display:flex;"><span>Building: devopps/falco-pod-delete:latest with golang-middleware template. Please wait.. </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">#1 [internal] load build definition from Dockerfile</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">#1 sha256:8cd765381aabb90df3bcfbc06f4d175af37d66b85125d463585abc1fc878b94b</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">#1 transferring dockerfile: 1.81kB done</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">#1 DONE 0.0s</span> </span></span><span style="display:flex;"><span>... </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Use <span style="color:#b44">&#39;docker scan&#39;</span> to run Snyk tests against images to find vulnerabilities and learn how to fix them </span></span><span style="display:flex;"><span>Image: devopps/falco-pod-delete:latest built. </span></span><span style="display:flex;"><span><span style="color:#666">[</span>0<span style="color:#666">]</span> &lt; Building falco-pod-delete <span style="color:#a2f;font-weight:bold">done</span> in 1.31s. </span></span><span style="display:flex;"><span><span style="color:#666">[</span>0<span style="color:#666">]</span> Worker <span style="color:#a2f;font-weight:bold">done</span>. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Total build time: 1.31s </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#666">[</span>0<span style="color:#666">]</span> &gt; Pushing falco-pod-delete <span style="color:#666">[</span>devopps/falco-pod-delete:latest<span style="color:#666">]</span>. </span></span><span style="display:flex;"><span>The push refers to repository <span style="color:#666">[</span>docker.io/devopps/falco-pod-delete<span style="color:#666">]</span> </span></span><span style="display:flex;"><span>8096edd09fbc: Layer already exists </span></span><span style="display:flex;"><span>464d68aca3d9: Layer already exists </span></span><span style="display:flex;"><span>e4766ea46ad0: Layer already exists </span></span><span style="display:flex;"><span>5f70bf18a086: Layer already exists </span></span><span style="display:flex;"><span>a823d50a5b72: Layer already exists </span></span><span style="display:flex;"><span>060f21486264: Layer already exists </span></span><span style="display:flex;"><span>8ea3b23f387b: Layer already exists </span></span><span style="display:flex;"><span>latest: digest: sha256:f94abba203232b97cb2873ef5d60eec31b52d492f3d3ee106d6a9877bf131d95 size: <span style="color:#666">1782</span> </span></span><span style="display:flex;"><span><span style="color:#666">[</span>0<span style="color:#666">]</span> &lt; Pushing falco-pod-delete <span style="color:#666">[</span>devopps/falco-pod-delete:latest<span style="color:#666">]</span> <span style="color:#a2f;font-weight:bold">done</span>. </span></span><span style="display:flex;"><span><span style="color:#666">[</span>0<span style="color:#666">]</span> Worker <span style="color:#a2f;font-weight:bold">done</span>. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Deploying: falco-pod-delete. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Deployed. <span style="color:#666">202</span> Accepted. </span></span><span style="display:flex;"><span>URL: http://127.0.0.1:8080/function/falco-pod-delete </span></span></code></pre></div><p>Check if everything is working before moving to the next step:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace openfaas-fn </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-pod-delete-7dc9f5fbb8-gbfk7 1/1 Running <span style="color:#666">0</span> 27s </span></span></code></pre></div><h2 id="test-our-function">Test our function</h2> <p>We start by creating a dumb pod:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl run alpine --namespace default --image<span style="color:#666">=</span>alpine --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span><span style="display:flex;"><span>pod/alpine created </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace default </span></span><span style="display:flex;"><span>AME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Running <span style="color:#666">0</span> 11s </span></span></code></pre></div><p>Let's run a <em>shell</em> command inside and see what happens:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl <span style="color:#a2f">exec</span> -i --tty alpine --namespace default -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>19:27:21 up <span style="color:#666">50</span> min, load average: 0.11, 0.12, 0.11 </span></span></code></pre></div><p>As expected we got the result of our command, but, if we get the status of the pod we retrieve:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace default </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Terminating <span style="color:#666">0</span> 103s </span></span></code></pre></div><p>💥 <strong>It has been terminated</strong> 💥</p> <p>We can now check the logs of components.</p> <p>For <code>Falco</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs daemonset/falco --namespace falco </span></span><span style="display:flex;"><span>.. </span></span><span style="display:flex;"><span><span style="color:#666">{</span><span style="color:#b44">&#34;output&#34;</span>:<span style="color:#b44">&#34;19:27:21.002873265: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=alpine container=97c9868ea832 shell=sh parent=runc cmdline=sh -c uptime terminal=34816 container_id=97c9868ea832 image=alpine) k8s.ns=default k8s.pod=alpine container=97c9868ea832&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span>:<span style="color:#b44">&#34;Notice&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span>:<span style="color:#b44">&#34;Terminal shell in container&#34;</span>,<span style="color:#b44">&#34;time&#34;</span>:<span style="color:#b44">&#34;2021-04-10T19:27:21.002873265Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span>: <span style="color:#666">{</span><span style="color:#b44">&#34;container.id&#34;</span>:<span style="color:#b44">&#34;97c9868ea832&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;evt.time&#34;</span>:1618082841002873265,<span style="color:#b44">&#34;k8s.ns.name&#34;</span>:<span style="color:#b44">&#34;default&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span>:<span style="color:#b44">&#34;sh -c uptime&#34;</span>,<span style="color:#b44">&#34;proc.name&#34;</span>:<span style="color:#b44">&#34;sh&#34;</span>,<span style="color:#b44">&#34;proc.pname&#34;</span>:<span style="color:#b44">&#34;runc&#34;</span>,<span style="color:#b44">&#34;proc.tty&#34;</span>:34816,<span style="color:#b44">&#34;user.loginuid&#34;</span>:-1,<span style="color:#b44">&#34;user.name&#34;</span>:<span style="color:#b44">&#34;root&#34;</span><span style="color:#666">}}</span> </span></span><span style="display:flex;"><span><span style="color:#666">{</span><span style="color:#b44">&#34;output&#34;</span>:<span style="color:#b44">&#34;19:27:21.038853452: Notice Unexpected connection to K8s API Server from container (command=handler k8s.ns=openfaas-fn k8s.pod=falco-pod-delete-7dc9f5fbb8-gbfk7 container=12fc4de5ccc3 image=devopps/falco-pod-delete:latest connection=172.17.0.9:43812-&gt;10.96.0.1:443) k8s.ns=openfaas-fn k8s.pod=falco-pod-delete-7dc9f5fbb8-gbfk7 container=12fc4de5ccc3&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span>:<span style="color:#b44">&#34;Notice&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span>:<span style="color:#b44">&#34;Contact K8S API Server From Container&#34;</span>,<span style="color:#b44">&#34;time&#34;</span>:<span style="color:#b44">&#34;2021-04-10T19:27:21.038853452Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span>: <span style="color:#666">{</span><span style="color:#b44">&#34;container.id&#34;</span>:<span style="color:#b44">&#34;12fc4de5ccc3&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span>:<span style="color:#b44">&#34;devopps/falco-pod-delete&#34;</span>,<span style="color:#b44">&#34;container.image.tag&#34;</span>:<span style="color:#b44">&#34;latest&#34;</span>,<span style="color:#b44">&#34;evt.time&#34;</span>:1618082841038853452,<span style="color:#b44">&#34;fd.name&#34;</span>:<span style="color:#b44">&#34;172.17.0.9:43812-&gt;10.96.0.1:443&#34;</span>,<span style="color:#b44">&#34;k8s.ns.name&#34;</span>:<span style="color:#b44">&#34;openfaas-fn&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span>:<span style="color:#b44">&#34;falco-pod-delete-7dc9f5fbb8-gbfk7&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span>:<span style="color:#b44">&#34;handler&#34;</span><span style="color:#666">}}</span> </span></span></code></pre></div><p>For <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs deployment/falcosidekick --namespace falco </span></span><span style="display:flex;"><span>2021/04/10 19:27:21 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : OpenFaas - Post OK <span style="color:#666">(</span>200<span style="color:#666">)</span> </span></span><span style="display:flex;"><span>2021/04/10 19:27:21 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : OpenFaas - Function Response : OK </span></span><span style="display:flex;"><span>2021/04/10 19:27:21 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : OpenFaas - Call Function <span style="color:#b44">&#34;falco-pod-delete.openfaas-fn&#34;</span> OK </span></span><span style="display:flex;"><span>.. </span></span></code></pre></div><p>For <em>falco-delete-pod</em> function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ faas-cli logs -f --name falco-pod-delete </span></span><span style="display:flex;"><span>2021/04/10 19:34:03 Deleting pod alpine from namespace default </span></span><span style="display:flex;"><span>2021/04/10 19:34:03 POST / - <span style="color:#666">200</span> OK - ContentLength: <span style="color:#666">2</span> </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>With this really simple example, we only scratched the surface of possibilities, so don't hesitate to share with us on Slack (<a href="https://kubernetes.slack.com">https://kubernetes.slack.com</a> #falco) your comments, ideas and successes. You're also always welcome to <a href="https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md">contribute</a>.</p>Blog: Kubernetes Response Engine, Part 1: Falcosidekick + Kubelesshttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/Fri, 15 Jan 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functions</a></li> </ul> </blockquote> <hr> <p>Two years ago, we presented to you a <code>Kubernetes Response Engine</code> based on <code>Falco</code>. The idea was to trigger <a href="https://kubeless.io"><code>Kubeless</code></a> serverless functions for deleting infected pod, start a <code>Sysdig</code> capture or forward the <code>events</code> to <code>GCP PubSub</code>. See the <a href="https://github.com/falcosecurity/kubernetes-response-engine">README</a>.</p> <p>To avoid maintaining this custom stack, we worked hard with the community to integrate all components into <a href="https://github.com/falcosecurity/falcosidekick"><code>Falcosidekick</code></a> and to improve the UX. With the last release <a href="https://github.com/falcosecurity/falcosidekick/releases/tag/2.20.0"><code>2.20.0</code></a> we have the finale piece, the integration of <code>Kubeless</code> as native output. More details in <a href="https://falco.org/blog/falcosidekick-2020/">our retrospective of 2020</a>.</p> <p>In this blog post, we will explain the basic concepts for integrating your own Response Engine into K8S with the stack <code>Falco</code> + <code>Falcosidekick</code> + <code>Kubeless</code>.</p> <h2 id="requirements">Requirements</h2> <p>We require a <code>kubernetes</code> cluster running at least <code>1.17</code> release and <a href="https://helm.sh"><code>helm</code></a> and <code>kubectl</code> installed.</p> <h2 id="install-kubeless">Install Kubeless</h2> <p>Follow the official <a href="https://kubeless.io/docs/quick-start/">quick start</a> page:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">RELEASE</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>curl -s https://api.github.com/repos/kubeless/kubeless/releases/latest | grep tag_name | cut -d <span style="color:#b44">&#39;&#34;&#39;</span> -f 4<span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>kubectl create ns kubeless </span></span><span style="display:flex;"><span>kubectl create -f https://github.com/kubeless/kubeless/releases/download/<span style="color:#b8860b">$RELEASE</span>/kubeless-<span style="color:#b8860b">$RELEASE</span>.yaml </span></span></code></pre></div><p>After a few seconds, we can check that the controller is up and running:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n kubeless </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>kubeless-controller-manager-99459cb67-tb99d 3/3 Running <span style="color:#666">3</span> 2m34s </span></span></code></pre></div><h2 id="install-falco">Install Falco</h2> <p>Firstly, we'll create the namespace that will use both <code>Falco</code> and <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create ns falco </span></span></code></pre></div><p>Add the <code>helm</code> repo:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span></code></pre></div><p>In a real project, you should get the whole chart with <code>helm pull falcosecurity/falco --untar</code> and then configure the <code>values.yaml</code>. For this tutorial, we will try to keep things as easy as possible and set configs directly by <code>helm install</code> command:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm install falco falcosecurity/falco --set falco.jsonOutput<span style="color:#666">=</span><span style="color:#a2f">true</span> --set falco.httpOutput.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> --set falco.httpOutput.url<span style="color:#666">=</span>http://falcosidekick:2801 -n falco </span></span></code></pre></div><p>You should get this output:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>NAME: falco </span></span><span style="display:flex;"><span>LAST DEPLOYED: Thu Jan <span style="color:#666">14</span> 23:43:46 <span style="color:#666">2021</span> </span></span><span style="display:flex;"><span>NAMESPACE: falco </span></span><span style="display:flex;"><span>STATUS: deployed </span></span><span style="display:flex;"><span>REVISION: <span style="color:#666">1</span> </span></span><span style="display:flex;"><span>TEST SUITE: None </span></span><span style="display:flex;"><span>NOTES: </span></span><span style="display:flex;"><span>Falco agents are spinning up on each node in your cluster. After a few </span></span><span style="display:flex;"><span>seconds, they are going to start monitoring your containers looking <span style="color:#a2f;font-weight:bold">for</span> </span></span><span style="display:flex;"><span>security issues. </span></span><span style="display:flex;"><span>No further action should be required. </span></span></code></pre></div><p>And you can see your new <code>Falco</code> pods:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n falco </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-ctmzg 1/1 Running <span style="color:#666">0</span> 111s </span></span><span style="display:flex;"><span>falco-sfnn8 1/1 Running <span style="color:#666">0</span> 111s </span></span><span style="display:flex;"><span>falco-rrg28 1/1 Running <span style="color:#666">0</span> 111s </span></span></code></pre></div><p>The arguments <code>--set falco.jsonOutput=true --set falco.httpOutput.enabled=true --set falco.httpOutput.url=http://falcosidekick:2801</code> are there configuring the format of events and the URL where <code>Falco</code> will send them. As <code>Falco</code> and <code>Falcosidekick</code> will be in the same namespace, we can directly use the name of the service (<code>falcosidekick</code>).</p> <h2 id="install-falcosidekick">Install Falcosidekick</h2> <p>The process is quite the same:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm install falcosidekick falcosecurity/falcosidekick --set config.kubeless.namespace<span style="color:#666">=</span>kubeless --set config.kubeless.function<span style="color:#666">=</span>delete-pod -n falco </span></span></code></pre></div><p>You should get this output:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>NAME: falcosidekick </span></span><span style="display:flex;"><span>LAST DEPLOYED: Thu Jan <span style="color:#666">14</span> 23:55:12 <span style="color:#666">2021</span> </span></span><span style="display:flex;"><span>NAMESPACE: falco </span></span><span style="display:flex;"><span>STATUS: deployed </span></span><span style="display:flex;"><span>REVISION: <span style="color:#666">1</span> </span></span><span style="display:flex;"><span>NOTES: </span></span><span style="display:flex;"><span>1. Get the application URL by running these commands: </span></span><span style="display:flex;"><span> <span style="color:#a2f">export</span> <span style="color:#b8860b">POD_NAME</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>kubectl get pods --namespace falco -l <span style="color:#b44">&#34;app.kubernetes.io/name=falcosidekick,app.kubernetes.io/instance=falcosidekick&#34;</span> -o <span style="color:#b8860b">jsonpath</span><span style="color:#666">=</span><span style="color:#b44">&#34;{.items[0].metadata.name}&#34;</span><span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span> kubectl port-forward <span style="color:#b8860b">$POD_NAME</span> 2801:2801 </span></span><span style="display:flex;"><span> <span style="color:#a2f">echo</span> <span style="color:#b44">&#34;Visit http://127.0.0.1:2801 to use your application&#34;</span> </span></span></code></pre></div><p>We check the logs:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl logs deployment/falcosidekick -n falco </span></span><span style="display:flex;"><span>2021/01/14 22:55:31 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Enabled Outputs : Kubeless </span></span><span style="display:flex;"><span>2021/01/14 22:55:31 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Falco Sidekick is up and listening on port <span style="color:#666">2801</span> </span></span></code></pre></div><p><code>Kubeless</code> is displayed as enabled output, everything is good 👍.</p> <p>That's it, we really tried to get a nice UX 😉.</p> <h2 id="install-our-kubeless-function">Install our Kubeless function</h2> <p>We'll not explain how to write or how to work <code>Kubeless</code> functions, please read the official <a href="https://kubeless.io/docs/">docs</a> for more information.</p> <p>Our basic function will receive events from <code>Falco</code>, thanks to <code>Falcosidekick</code>. Check if the triggered rule is <em>Terminal Shell in container</em>. See <a href="https://github.com/falcosecurity/falco/blob/0d7068b048772b1e2d3ca5c86c30b3040eac57df/rules/falco_rules.yaml#L2063">rule</a>, extract the <em>namespace</em> and <em>pod name</em> from fields of events, and delete the according pod:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">from</span> <span style="color:#00f;font-weight:bold">kubernetes</span> <span style="color:#a2f;font-weight:bold">import</span> client,config </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>config<span style="color:#666">.</span>load_incluster_config() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">def</span> <span style="color:#00a000">delete_pod</span>(event, context): </span></span><span style="display:flex;"><span> rule <span style="color:#666">=</span> event[<span style="color:#b44">&#39;data&#39;</span>][<span style="color:#b44">&#39;rule&#39;</span>] <span style="color:#a2f;font-weight:bold">or</span> <span style="color:#a2f;font-weight:bold">None</span> </span></span><span style="display:flex;"><span> output_fields <span style="color:#666">=</span> event[<span style="color:#b44">&#39;data&#39;</span>][<span style="color:#b44">&#39;output_fields&#39;</span>] <span style="color:#a2f;font-weight:bold">or</span> <span style="color:#a2f;font-weight:bold">None</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a2f;font-weight:bold">if</span> rule <span style="color:#a2f;font-weight:bold">and</span> rule <span style="color:#666">==</span> <span style="color:#b44">&#34;Terminal shell in container&#34;</span> <span style="color:#a2f;font-weight:bold">and</span> output_fields: </span></span><span style="display:flex;"><span> <span style="color:#a2f;font-weight:bold">if</span> output_fields[<span style="color:#b44">&#39;k8s.ns.name&#39;</span>] <span style="color:#a2f;font-weight:bold">and</span> output_fields[<span style="color:#b44">&#39;k8s.pod.name&#39;</span>]: </span></span><span style="display:flex;"><span> pod <span style="color:#666">=</span> output_fields[<span style="color:#b44">&#39;k8s.pod.name&#39;</span>] </span></span><span style="display:flex;"><span> namespace <span style="color:#666">=</span> output_fields[<span style="color:#b44">&#39;k8s.ns.name&#39;</span>] </span></span><span style="display:flex;"><span> <span style="color:#a2f">print</span> (<span style="color:#b44">f</span><span style="color:#b44">&#34;Deleting pod </span><span style="color:#b62;font-weight:bold">\&#34;</span><span style="color:#b68;font-weight:bold">{</span>pod<span style="color:#b68;font-weight:bold">}</span><span style="color:#b62;font-weight:bold">\&#34;</span><span style="color:#b44"> in namespace </span><span style="color:#b62;font-weight:bold">\&#34;</span><span style="color:#b68;font-weight:bold">{</span>namespace<span style="color:#b68;font-weight:bold">}</span><span style="color:#b62;font-weight:bold">\&#34;</span><span style="color:#b44">&#34;</span>) </span></span><span style="display:flex;"><span> client<span style="color:#666">.</span>CoreV1Api()<span style="color:#666">.</span>delete_namespaced_pod(name<span style="color:#666">=</span>pod, namespace<span style="color:#666">=</span>namespace, body<span style="color:#666">=</span>client<span style="color:#666">.</span>V1DeleteOptions()) </span></span></code></pre></div><p>Basically, the process is:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span> +----------+ +---------------+ +----------+ </span></span><span style="display:flex;"><span> | Falco +-----------------&gt; Falcosidekick +--------------------&gt; Kubeless | </span></span><span style="display:flex;"><span> +----^-----+ sends event +---------------+ triggers +-----+----+ </span></span><span style="display:flex;"><span> | | </span></span><span style="display:flex;"><span>detects a shell | | </span></span><span style="display:flex;"><span> | | </span></span><span style="display:flex;"><span> +----+-------+ deletes | </span></span><span style="display:flex;"><span> | Pwned Pod &lt;----------------------------------------------------------+ </span></span><span style="display:flex;"><span> +------------+ </span></span></code></pre></div><p>Before deploying our function, we need to create a <code>ServiceAccount</code> for it, as it will need the right to delete a pod in any namespace:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -n kubeless -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role </span></span></span><span style="display:flex;"><span><span style="color:#b44">rules: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;pods&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;get&#34;, &#34;list&#34;, &#34;delete&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRoleBinding </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role-binding </span></span></span><span style="display:flex;"><span><span style="color:#b44">roleRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role </span></span></span><span style="display:flex;"><span><span style="color:#b44"> apiGroup: rbac.authorization.k8s.io </span></span></span><span style="display:flex;"><span><span style="color:#b44">subjects: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: kubeless </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>namespace: kubelessetetion.k8s.io </span></span><span style="display:flex;"><span>serviceaccount/falco-pod-delete created </span></span><span style="display:flex;"><span>clusterrole.rbac.authorization.k8s.io/falco-pod-delete-cluster-role created </span></span><span style="display:flex;"><span>clusterrolebinding.rbac.authorization.k8s.io/falco-pod-delete-cluster-role-binding created </span></span></code></pre></div><p>Only remains the installation of our function itself:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -n kubeless -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: kubeless.io/v1beta1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: Function </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> finalizers: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - kubeless.io/function </span></span></span><span style="display:flex;"><span><span style="color:#b44"> generation: 1 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> labels: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> created-by: kubeless </span></span></span><span style="display:flex;"><span><span style="color:#b44"> function: delete-pod </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: delete-pod </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> checksum: sha256:a68bf570ea30e578e392eab18ca70dbece27bce850a8dbef2586eff55c5c7aa0 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> deps: | </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kubernetes&gt;=12.0.1 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> function-content-type: text </span></span></span><span style="display:flex;"><span><span style="color:#b44"> function: |- </span></span></span><span style="display:flex;"><span><span style="color:#b44"> from kubernetes import client,config </span></span></span><span style="display:flex;"><span><span style="color:#b44"> </span></span></span><span style="display:flex;"><span><span style="color:#b44"> config.load_incluster_config() </span></span></span><span style="display:flex;"><span><span style="color:#b44"> </span></span></span><span style="display:flex;"><span><span style="color:#b44"> def delete_pod(event, context): </span></span></span><span style="display:flex;"><span><span style="color:#b44"> rule = event[&#39;data&#39;][&#39;rule&#39;] or None </span></span></span><span style="display:flex;"><span><span style="color:#b44"> output_fields = event[&#39;data&#39;][&#39;output_fields&#39;] or None </span></span></span><span style="display:flex;"><span><span style="color:#b44"> </span></span></span><span style="display:flex;"><span><span style="color:#b44"> if rule and rule == &#34;Terminal shell in container&#34; and output_fields: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> if output_fields[&#39;k8s.ns.name&#39;] and output_fields[&#39;k8s.pod.name&#39;]: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> pod = output_fields[&#39;k8s.pod.name&#39;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace = output_fields[&#39;k8s.ns.name&#39;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> print (f&#34;Deleting pod \&#34;{pod}\&#34; in namespace \&#34;{namespace}\&#34;&#34;) </span></span></span><span style="display:flex;"><span><span style="color:#b44"> client.CoreV1Api().delete_namespaced_pod(name=pod, namespace=namespace, body=client.V1DeleteOptions()) </span></span></span><span style="display:flex;"><span><span style="color:#b44"> handler: delete-pod.delete_pod </span></span></span><span style="display:flex;"><span><span style="color:#b44"> runtime: python3.7 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> deployment: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> template: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> serviceAccountName: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">function</span>.kubeless.io/delete-pod created </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n kubeless </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>kubeless-controller-manager-99459cb67-tb99d 3/3 Running <span style="color:#666">3</span> 3d14h </span></span><span style="display:flex;"><span>delete-pod-d6f98f6dd-cw228 1/1 Running <span style="color:#666">0</span> 2m52s </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get svc -n kubeless </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span style="color:#666">(</span>S<span style="color:#666">)</span> AGE </span></span><span style="display:flex;"><span>delete-pod ClusterIP 10.43.211.201 &lt;none&gt; 8080/TCP 4m38s </span></span></code></pre></div><h2 id="test-our-function">Test our function</h2> <p>We start by creating a dumb pod:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl run alpine -n default --image<span style="color:#666">=</span>alpine --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n default </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Running <span style="color:#666">0</span> 9s </span></span></code></pre></div><p>Let's run a <em>shell</em> command inside and see what happens:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl <span style="color:#a2f">exec</span> -i --tty alpine -n default -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>23:44:25 up <span style="color:#666">1</span> day, 19:11, load average: 0.87, 0.77, 0.77 </span></span></code></pre></div><p>As expected, we got the result of our command, but, to get the status of the pod now:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n default </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Terminating <span style="color:#666">0</span> 103s </span></span></code></pre></div><p>💥 <strong>It has been terminated</strong> 💥</p> <p>We can now check the logs of components.</p> <p>For <code>Falco</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl logs daemonset/falco -n falco </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#666">{</span><span style="color:#b44">&#34;output&#34;</span>:<span style="color:#b44">&#34;23:39:44.834631763: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=alpine container=5892b41bcf46 shell=sh parent=&lt;NA&gt; cmdline=sh terminal=34817 container_id=5892b41bcf46 image=&lt;NA&gt;) k8s.ns=default k8s.pod=alpine container=5892b41bcf46&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span>:<span style="color:#b44">&#34;Notice&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span>:<span style="color:#b44">&#34;Terminal shell in container&#34;</span>,<span style="color:#b44">&#34;time&#34;</span>:<span style="color:#b44">&#34;2021-01-14T23:39:44.834631763Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span>: <span style="color:#666">{</span><span style="color:#b44">&#34;container.id&#34;</span>:<span style="color:#b44">&#34;5892b41bcf46&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span>:null,<span style="color:#b44">&#34;evt.time&#34;</span>:1610667584834631763,<span style="color:#b44">&#34;k8s.ns.name&#34;</span>:<span style="color:#b44">&#34;default&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span>:<span style="color:#b44">&#34;sh&#34;</span>,<span style="color:#b44">&#34;proc.name&#34;</span>:<span style="color:#b44">&#34;sh&#34;</span>,<span style="color:#b44">&#34;proc.pname&#34;</span>:null,<span style="color:#b44">&#34;proc.tty&#34;</span>:34817,<span style="color:#b44">&#34;user.loginuid&#34;</span>:-1,<span style="color:#b44">&#34;user.name&#34;</span>:<span style="color:#b44">&#34;root&#34;</span><span style="color:#666">}}</span> </span></span></code></pre></div><p>For <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl logs deployment/falcosidekick -n falco </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>2021/01/14 23:39:45 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Kubeless - Post OK <span style="color:#666">(</span>200<span style="color:#666">)</span> </span></span><span style="display:flex;"><span>2021/01/14 23:39:45 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Kubeless - Function Response : </span></span><span style="display:flex;"><span>2021/01/14 23:39:45 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Kubeless - Call Function <span style="color:#b44">&#34;delete-pod&#34;</span> OK </span></span></code></pre></div><p><em>(Notice, the function returns nothing, this is why the message log is empty)</em></p> <p>For <code>delete-pod</code> function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl logs deployment/delete-pod -n kubeless </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>10.42.0.31 - - <span style="color:#666">[</span>14/Jan/2021:23:39:45 +0000<span style="color:#666">]</span> <span style="color:#b44">&#34;POST / HTTP/1.1&#34;</span> <span style="color:#666">200</span> <span style="color:#666">0</span> <span style="color:#b44">&#34;&#34;</span> <span style="color:#b44">&#34;Falcosidekick&#34;</span> 0/965744 </span></span><span style="display:flex;"><span>Deleting pod <span style="color:#b44">&#34;alpine&#34;</span> in namespace <span style="color:#b44">&#34;default&#34;</span> </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>With this simple example, we only scratched the surface of possibilities. Everything is possible now, so don't hesitate to share with us on Slack (<a href="https://kubernetes.slack.com">https://kubernetes.slack.com</a> #falco) your comments, ideas and successes. You're always welcome to <a href="https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md">contribute</a>.</p> <p><em>Bonus: You're running <code>Falcosidekick</code> outside <code>Kubernetes</code> but still want to use the <code>Kubeless</code> output? No problem, you can declare a kubeconfig file to use. See <a href="https://github.com/falcosecurity/falcosidekick/blob/master/README.md">README</a>.</em></p> <p><em>Bonus 2: For people who wants to use <code>Knative</code> in place of <code>Kubeless</code>, it's coming soon 😉</em></p> <p><em>Enjoy</em></p>Blog: Falcosidekick 2020https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-2020/Tue, 12 Jan 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-2020/ <p>This fantastic post from <a href="https://github.com/leodido">@leodido</a> about how has been the previous year 2020 for falco inspired me (<a href="https://falco.org/blog/falco-2020/">link</a>) I wanted to bring everyone up to speed on what we built for <code>falcosidekick</code> in 2020</p> <p>Aside a lot of improvments and bug fixes, 8 new outputs have been integrated:</p> <ul> <li><strong>Rocketchat</strong></li> <li><strong>Mattermost</strong></li> <li><strong>Azure Event Hub</strong></li> <li><strong>Discord</strong></li> <li><strong>AWS SNS</strong></li> <li><strong>GCP PubSub</strong></li> <li><strong>Cloudwatch Logs</strong></li> <li><strong>Apache Kafka</strong></li> </ul> <p>What really changed with previous releases was that almost all these outputs have been proposed and developed by other members of the <code>falco</code> community (kindly called the <em>famiglia</em> 😉). It warms my ♥️ a lot and makes me learn a lot about how to manage an open source project.</p> <p>Thanks to everybody for your ideas, your comments, your help, your PR, your reviews, etc.</p> <p>The following chart shows well how things are getting bigger and bigger for this small project that finally appeared useful for some people and companies.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/falcosidekick-github-activity-2020.png" alt="falcosidekick github activity 2020" loading="lazy" /> </p> <p>A special 🙏 to <a href="https://github.com/cpanato">@cpanato</a>, <a href="https://github.com/KeisukeYamashita">@KeisukeYamashita</a> and <a href="https://github.com/nibalizer">@nibalizer</a>, who are now official maintainers of <code>falcosidekick</code> with me. 🎉 to them!</p> <p>Last but not least, all my friendship to <a href="https://github.com/cpanato">@danpopSD</a> for his support and motivation. Merci mon ami.</p> <h4 id="what-s-next">What's next?</h4> <h5 id="release-2-20-0">Release 2.20.0</h5> <p>Few times before this article is out we released one of the biggest versions since the beginning of <code>falcosidekick</code>. It results of a combination of a lot of efforts from many people.</p> <p>The full changelog can be found <a href="https://github.com/falcosecurity/falcosidekick/releases/tag/2.20.0">here</a>.</p> <p>The main changes are three new outputs:</p> <ul> <li><a href="https://docs.nats.io/nats-streaming-concepts/intro"><strong>STAN (NATS Streaming)</strong></a></li> <li><a href="https://pagerduty.com/"><strong>PagerDuty</strong></a></li> <li><a href="https://kubeless.io/"><strong>Kubeless</strong></a> <em>(stay tuned, a post about this will be out soon 😉)</em></li> </ul> <h5 id="and">And ?</h5> <p>We believe the duo of <code>falco + falcosidekick</code> to be an obvious solution for most infrastructures, we are working hard to improve the code base and documentation. That will be all the major set of goals for the next major release <code>3.0.0</code> which is coming in the next few months. Until then with the help of <a href="https://github.com/n3wscott">n3wscott</a>, we're working on adding the <a href="https://cloudevents.io/"><code>Cloudevents</code></a> spec in a new HTTP output that will able to forward <code>falco</code>'s events to more backends, like <a href="https://knative.dev/"><code>Knative</code></a>.</p> <p><em>Enjoy</em></p>