Falco – Integrationhttps://v0-43--falcosecurity.netlify.app/tags/integration/Recent content in Integration on FalcoHugo -- gohugo.ioenTue, 09 Aug 2022 00:00:00 +0000Blog: Manage Falco easier with Giant Swarm App Platformhttps://v0-43--falcosecurity.netlify.app/blog/giantswarm-app-platform-falco/Tue, 09 Aug 2022 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/giantswarm-app-platform-falco/ <p>In this article, you will learn how Giant Swarm simplifies the maintenance of the software stack within Kubernetes clusters by using its App Platform technology. Additionally, we will show how customers can leverage this to easily deploy Falco, either individually or as part of Giant Swarm's Security Pack, to secure their managed Kubernetes service.</p> <h3 id="giant-swarm">Giant Swarm</h3> <p>Having CoreOS, Fleet, and Docker as base technologies, <a href="https://www.giantswarm.io/about">Giant Swarm</a> was founded in 2014. In 2016, it chose Kubernetes to reinvent itself. And just a year later, in 2017, it became part of the founding members of the <a href="https://linuxfoundation.org/press-release/cloud-native-computing-foundation-announces-first-kubernetes-certified-service-providers/">Kubernetes Certified Service Providers</a>. Customers like <a href="https://www.giantswarm.io/customers/adidas">Adidas</a> or <a href="https://www.giantswarm.io/customers/vodafone">Vodafone</a> backup a company that, supported by a <a href="https://www.giantswarm.io/blog/surviving-and-thriving-how-to-really-work-emotely">fully remote team</a>, has been able to foresee the trends of technology and working lifestyle.</p> <p>As a managed Kubernetes company, its services and infrastructure enable enterprises to run resilient distributed systems at scale while removing the burden of Day 2 operations. Giant Swarm takes pride in delivering a fully open source platform that's carefully curated and opinionated.</p> <h4 id="security-and-simplicity">Security and simplicity</h4> <p>Giant Swarm takes security as seriously as ease of management. Hence, when using a managed Kubernetes platform, everything that happens on the <a href="https://docs.giantswarm.io/general/management-clusters/">management cluster</a> is as important as the performance of the workload cluster itself.</p> <p>That's why, leveraging the concept of operators to control all resources that clusters need as 'Custom Resources', Giant Swarm can deploy and update its management clusters in the quickest possible way. Needless to say, this is exactly what Giant Swarm offers to its customers to manage their applications.</p> <h3 id="falco-the-runtime-security-project">Falco, the Runtime Security Project</h3> <p><a href="https://falco.org">Falco</a> is the de facto Kubernetes threat detection engine, and also extends its reach to cloud and Linux hosts. It monitors the behavior of every process in the node and can alert us when something fishy happens.</p> <p>How does Falco do that? Based on a set of <a href="http://falco.org/docs/rules">rules</a> that Falco interprets at startup time, it waits for events and <a href="https://falco.org/docs/rules/supported-events/">syscalls</a> that would trigger one of those rules. When a rule is triggered, Falco raises an alert and, thanks to applications like <a href="https://github.com/falcosecurity/falcosidekick">Falco Sidekick</a>, allows teams to react accordingly.</p> <p>But with great power comes great responsibility. What happens when we start getting false positives our Falco rules haven't been updated for some months, or our Falco daemon is a few versions behind? The answer is as simple as updating. Well, maybe not that simple if we are responsible for tens of clusters with hundreds of nodes.</p> <h3 id="giant-swarm-app-platform">Giant Swarm App Platform</h3> <p>Giant Swarm describes <a href="https://docs.giantswarm.io/app-platform/overview/">App Platform</a> as a set of features that allow you to browse, install, and manage the configurations of <a href="https://docs.giantswarm.io/app-platform/apps/">managed apps</a> from a single place: The management cluster.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/falco-on-giantswarm/falco-on-giantswarm-01.png" alt="" loading="lazy" /> </p> <p>The technology behind it is simple: Apps are packaged as <a href="https://helm.sh/docs/intro/using_helm/">Helm charts</a>, can be configured with values, overridden with a different app configuration, etc. - whatever meets your needs. To deploy, a CRD (<a href="https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions">Custom Resource Definition</a>) resource is created, interpreted by the <a href="http://github.com/giantswarm/app-operator">App Operator</a> (running on the managed cluster), assigned to the <a href="https://github.com/giantswarm/chart-operator">Chart Operator</a> (running on the workload cluster), and in a few seconds, our application will be deployed on as many clusters as desired.</p> <p>The App Platform offers its repertoire of applications from the App Catalog. Giant Swarm offers two App Catalogs out of the box: The Giant Swarm Catalog and the Giant Swarm Playground. But what we love the most from the App Platform is that we can have our additional catalogs, storing our applications and configurations.</p> <h3 id="what-does-it-look-like-on-the-cli">What does it look like on the CLI?</h3> <p>It's now time to look at App Platform running. Let's walk through its deployment on a <strong>minikube</strong> cluster. Following these instructions, it shouldn't take too long until we are ready to deploy our first managed app, <strong>Falco</strong>, using a single CRD.</p> <blockquote> <p>To keep this as standard as possible, we'll even go through some steps to compile some interesting Giant Swarm tools, like the plugin kubectl-gs.</p> </blockquote> <h4 id="do-you-already-have-a-kubernetes-cluster-nearby">Do you already have a Kubernetes cluster nearby?</h4> <p>If not, we can spin up a <a href="https://minikube.sigs.k8s.io/docs/"><strong>minikube</strong></a> instance pretty quickly.</p> <pre tabindex="0"><code>$ minikube start --driver virtualbox πŸ˜„ minikube v1.25.1 on Darwin 11.6.6 ✨ Using the virtualbox driver based on user configuration πŸ‘ Starting control plane node minikube in cluster minikube πŸ”₯ Creating virtualbox VM (CPUs=2, Memory=6000MB, Disk=20000MB) ... 🐳 Preparing Kubernetes v1.23.1 on Docker 20.10.12 ... β–ͺ kubelet.housekeeping-interval=5m β–ͺ Generating certificates and keys ... β–ͺ Booting up control plane ... β–ͺ Configuring RBAC rules ... β–ͺ Using image gcr.io/k8s-minikube/storage-provisioner:v5 πŸ”Ž Verifying Kubernetes components... 🌟 Enabled addons: default-storageclass, storage-provisioner πŸ„ Done! kubectl is now configured to use &#34;minikube&#34; cluster and &#34;default&#34; namespace by default </code></pre><p>If you don't have <a href="https://kubernetes.io/docs/tasks/tools/#kubectl">kubectl</a> installed or your system, the easiest way to access it would be through an <a href="https://minikube.sigs.k8s.io/docs/handbook/kubectl/">alias</a> to <code>minikube kubectl</code>, like this:</p> <pre tabindex="0"><code>alias kubectl=&#34;minikube kubectl --&#34; </code></pre><p>Don't forget the <code>--</code> at the end. That tells the command prompt not to pass any added parameters to <code>minikube</code>, since we need them to be understood by kubectl.</p> <blockquote> <p>One disadvantage of this method, in comparison to having a local <code>kubectl</code> binary, is that the <code>kubectl-gs</code> plugin might not work when called as <code>kubectl gs</code> (explained later during this tutorial) so you might need to call it directly.</p> </blockquote> <p>To ensure our cluster is up and running, execute the following command and verify that all nodes, pods, and containers are up and ready:</p> <pre tabindex="0"><code>$ kubectl get nodes,ns,pods -A NAME STATUS ROLES AGE VERSION node/minikube Ready control-plane,master 4m16s v1.23.1 NAME STATUS AGE namespace/default Active 4m14s namespace/kube-node-lease Active 4m15s namespace/kube-public Active 4m15s namespace/kube-system Active 4m16s NAMESPACE NAME READY STATUS RESTARTS AGE kube-system pod/coredns-64897985d-qbf4n 1/1 Running 0 4m kube-system pod/etcd-minikube 1/1 Running 0 4m12s kube-system pod/kube-apiserver-minikube 1/1 Running 0 4m12s kube-system pod/kube-controller-manager-minikube 1/1 Running 0 4m12s kube-system pod/kube-proxy-6ds89 1/1 Running 0 4m kube-system pod/kube-scheduler-minikube 1/1 Running 0 4m14s kube-system pod/storage-provisioner 1/1 Running 1 (3m29s ago) 4m10s </code></pre><h4 id="prerequisites-compiling-apptestctl-and-kubectl-gs">Prerequisites: Compiling <code>apptestctl</code> and <code>kubectl-gs</code></h4> <p>As mentioned above, we'll compile a couple of tools. The first one will be <code>apptestctl</code>. This tool will help us bootstrap <strong>App Platform</strong> on a cluster not managed by Giant Swarm.</p> <p>To do this, we'll use the <code>docker.io/golang:1.17</code> image.</p> <p>The following command will prepare an available instance of a Golang compiler for us to compile both of these tools:</p> <pre tabindex="0"><code>$ kubectl run golang --image docker.io/golang:1.17 -- sleep infinity pod/golang created </code></pre><h5 id="compiling-apptestctl">Compiling <code>apptestctl</code></h5> <p>These steps are quite simple: clone the <a href="https://github.com/giantswarm/apptestctl"><code>apptestctl</code></a> repository and compile it as indicated.</p> <blockquote> <p>We'll do this inside the container we created in the previous step so we don't pollute our system.</p> </blockquote> <pre tabindex="0"><code>$ kubectl exec -it golang -- git clone https://github.com/giantswarm/apptestctl src/apptestctl Cloning into &#39;apptestctl&#39;... ... output omitted ... Resolving deltas: 100% (791/791), done. $ kubectl exec -it golang -- make -C src/apptestctl make: Entering directory &#39;/go/src/apptestctl&#39; ... output omitted ... ====&gt; apptestctl-v-linux-amd64 ... output omitted ... cp -a apptestctl-v-linux-amd64 apptestctl ====&gt; build make: Leaving directory &#39;/go/src/apptestctl&#39; </code></pre><p>Alternatively, you can build a Darwin client.</p> <pre tabindex="0"><code>$ kubectl exec -it golang -- make build-darwin -C src/apptestctl make: Entering directory &#39;/go/src/apptestctl&#39; ... output omitted ... ====&gt; apptestctl-v-darwin-amd64 ... output omitted ... cp -a apptestctl-v-darwin-amd64 apptestctl-darwin ====&gt; build-darwin make: Leaving directory &#39;/go/src/apptestctl&#39; </code></pre><p>Either way, you can copy the <code>apptestctl</code> binary to your system and use it from wherever you prefer.</p> <pre tabindex="0"><code>$ kubectl cp golang:/go/src/apptestctl/apptestctl-darwin ./apptestctl $ kubectl chmod u+x ./apptestctl </code></pre><h5 id="compiling-kubectl-gs">Compiling <code>kubectl-gs</code></h5> <p>Use the same steps to compile the <a href="https://github.com/giantswarm/kubectl-gs"><code>kubectl-gs</code></a> plugin this time, which will allow us to interact with App Platform. Pay attention to the fact that we'll compile it just for Darwin in this instance.</p> <pre tabindex="0"><code>$ kubectl exec -it golang -- git clone https://github.com/giantswarm/kubectl-gs src/kubectl-gs Cloning into &#39;kubectl-gs&#39;... ... output omitted ... Resolving deltas: 100% (4427/4427), done. $ kubectl exec -it golang -- make build-darwin -C src/kubectl-gs make: Entering directory &#39;/go/src/kubectl-gs&#39; ... output omitted ... ====&gt; kubectl-gs-v-darwin-amd64 ... output omitted ... cp -a kubectl-gs-v-darwin-amd64 kubectl-gs-darwin ====&gt; build-darwin make: Leaving directory &#39;/go/src/kubectl-gs&#39; $ kubectl cp golang:/go/src/kubectl-gs/kubectl-gs-darwin ./kubectl-gs $ kubectl chmod u+x ./kubectl-gs </code></pre><h4 id="deploying-app-platform-via-apptestctl">Deploying App Platform via <code>apptestctl</code></h4> <p>Once we have both tools, <code>apptestctl</code> and <code>kubectl-gs</code>, it's time to bootstrap App Platform. To do that, we'll use the <code>apptestctl bootstrap</code> command.</p> <p>The command <code>apptestctl bootstrap</code> needs the KUBECONFIG information to access our <em>minikube</em> cluster, so in this case, we will use the command <code>kubectl config view --flatten --minify -o json</code> to obtain it.</p> <blockquote> <p>Alternatively, we would need to look for the .kube/config file and pass it with the <code>--kubeconfig-path</code> option.</p> </blockquote> <pre tabindex="0"><code>$ ./apptestctl bootstrap --kubeconfig &#34;$(kubectl config view --flatten --minify -o json)&#34; bootstrapping app platform components ... output omitted ... app platform components are ready </code></pre><p>Once deployed, we can run a few commands to observe the resources created in our cluster.</p> <pre tabindex="0"><code>$ kubectl get deployments -n giantswarm NAME READY UP-TO-DATE AVAILABLE AGE app-operator 1/1 1 1 1m20s chart-operator 1/1 1 1 1m20s chartmuseum-chartmuseum 1/1 1 1 1m20s # kubectl get catalog -A NAMESPACE NAME CATALOG URL AGE default chartmuseum http://chartmuseum-chartmuseum:8080/charts/ 1m25s default helm-stable https://charts.helm.sh/stable/packages/ 1m25s </code></pre><p>Wait a moment... Where does this <code>Catalog</code> resource come from? The bootstrap process of App Platform creates some CRDs that will support the operators to manage our applications.</p> <pre tabindex="0"><code>$ kubectl get crd NAME CREATED AT appcatalogentries.application.giantswarm.io 2022-06-10T15:30:12Z appcatalogs.application.giantswarm.io 2022-06-10T15:30:12Z apps.application.giantswarm.io 2022-06-10T15:30:12Z catalogs.application.giantswarm.io 2022-06-10T15:30:12Z charts.application.giantswarm.io 2022-06-10T15:30:12Z </code></pre><p>In short, once we register a <code>Catalog</code>, several <code>AppCatalogEntries</code> resources will be created. There will be at least one per application and version.</p> <h4 id="registering-a-catalog">Registering a <code>Catalog</code></h4> <p>Now, it looks like a great time to see what the <code>kubectl-gs</code> plugin can do for us.</p> <pre tabindex="0"><code>$ kubectl-gs get catalogs NAME NAMESPACE CATALOG URL AGE chartmuseum default http://chartmuseum-chartmuseum:8080/charts/ 25m helm-stable default https://charts.helm.sh/stable/packages/ 25m </code></pre><p>All right, that was maybe not so impressive, but it'll become much more useful when we register our first catalog. Why is that? Because <code>kubectl gs</code> will help us generate the definition of a <code>Catalog</code> resource through its <code>template</code> subcommand.</p> <pre tabindex="0"><code>$ kubectl-gs template catalog --name giantswarm --namespace default \ --description &#34;Giant Swarm Catalog&#34; --logo http://logo-url \ --url https://giantswarm.github.io/giantswarm-catalog --- apiVersion: application.giantswarm.io/v1alpha1 kind: Catalog metadata: name: giantswarm labels: application.giantswarm.io/catalog-visibility: public namespace: default spec: title: giantswarm description: Giant Swarm Catalog logoURL: http://logo-url storage: URL: https://giantswarm.github.io/giantswarm-catalog type: helm </code></pre><p>Et voilΓ , our <code>Catalog</code> CRD pointing to a Giant Swarm collection of applications is ready to be deployed into our cluster.</p> <p>You might have figured out already what each parameter represents. <code>kubectl gs</code> will complain if any of those parameters are missing. Also, pay attention that we didn't use a real logo URL, but if you were using <a href="https://github.com/giantswarm/happa"><code>happa</code></a>, the Giant Swarm Web-UI, would't you like to see a logo identifying your application?</p> <p>Finally, the URL is the location of the Helm repository from which App Platform will download the applications.</p> <p>Once we understand what the <code>kubectl gs template</code> command has generated, it's time to create it inside the cluster and let the App Operator do its magic. Let's go for it.</p> <pre tabindex="0"><code>$ kubectl-gs template catalog --name giantswarm --namespace default \ --description &#34;Giant Swarm Catalog&#34; --logo http://logo-url \ --url https://giantswarm.github.io/giantswarm-catalog | kubectl apply -f - catalog.application.giantswarm.io/giantswarm created $ kubectl-gs get catalogs NAME NAMESPACE CATALOG URL AGE chartmuseum default http://chartmuseum-chartmuseum:8080/charts/ 35m helm-stable default https://charts.helm.sh/stable/packages/ 35m giantswarm default https://giantswarm.github.io/giantswarm-catalog 53s $ kubectl gs get catalog giantswarm CATALOG APP NAME VERSION UPSTREAM VERSION AGE DESCRIPTION ... output omitted ... giantswarm falco-app 0.3.2 0.0.1 5m26s A Helm chart for falco ... output omitted ... </code></pre><p>Do you remember the aforementioned AppCatalogEntries that the App Operator had to create once we defined the Catalog? Here are the Falco ones.</p> <pre tabindex="0"><code>$ kubectl get AppCatalogEntries | grep falco-app giantswarm-falco-app-0.1.2 giantswarm falco-app 0.1.2 0.0.1 240d giantswarm-falco-app-0.2.0 giantswarm falco-app 0.2.0 0.0.1 176d giantswarm-falco-app-0.3.0 giantswarm falco-app 0.3.0 0.0.1 103d giantswarm-falco-app-0.3.1 giantswarm falco-app 0.3.1 0.0.1 94d giantswarm-falco-app-0.3.2 giantswarm falco-app 0.3.2 0.0.1 79d </code></pre><h3 id="installing-an-app-from-the-app-catalog">Installing an App from the App Catalog</h3> <p>What we've done so far was deploy App Platform, which is required only once. Giant Swarm would have configured that for us already if we were using their services.</p> <p>Now, it's finally time to create the CRD that will trigger the App Operator to assist in the deployment of Falco. How do we do that? <code>kubectl gs</code> comes to the rescue again!</p> <pre tabindex="0"><code>$ kubectl gs template app --catalog giantswarm --name falco-app --namespace falco-ns --version 0.3.2 --app-name my-falco --in-cluster --- apiVersion: application.giantswarm.io/v1alpha1 kind: App metadata: name: my-falco labels: app-operator.giantswarm.io/version: 0.0.0 namespace: falco-ns spec: name: falco-app version: 0.3.2 namespace: falco-ns kubeConfig: inCluster: true catalog: giantswarm </code></pre><p>It is worth mentioning that we are testing on a <em>minikube</em> cluster, where we install applications inside the cluster itself. To achieve that, we use the <code>--in-cluster</code> parameter passed to the previous commands.</p> <p>Otherwise, if we wanted to install or update the application in one of our managed workload clusters, we would use the <code>--cluster</code> parameter to indicate where the application should be deployed:</p> <pre tabindex="0"><code>$ kubectl gs template app --catalog giantswarm --name falco-app --namespace falco-ns \ --version 0.3.2 --cluster cluster-123 --app-name my-falco --- apiVersion: application.giantswarm.io/v1alpha1 kind: App metadata: name: my-falco namespace: cluster-123 spec: name: falco-app version: 0.3.2 namespace: falco-ns kubeConfig: inCluster: false catalog: giantswarm </code></pre><p>In the previous output, you can see how the namespace field inside the metadata section receives the name of the cluster instead of the actual namespace where the application should reside.</p> <p>The reason is that, although the application will be installed on one of the workload clusters, this CRD will be created in a namespace inside the management cluster. This topic alone would be enough for a whole new post.</p> <p>Here is a graphical representation of the CRDs supporting App Platform, in the management cluster:</p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/falco-on-giantswarm/falco-on-giantswarm-02.png" alt="" loading="lazy" /> </p> <p>Finally, the last step is creating the CRD for the App in the cluster. Don't forget to ensure that the namespace where the CRD will belong exists, or the <code>kubectl apply</code> command will fail.</p> <pre tabindex="0"><code>$ kubectl create ns falco-ns namespace/falco-ns created $ kubectl gs template app --catalog giantswarm --name falco-app --namespace falco-ns \ --version 0.3.2 --in-cluster --app-name my-falco | kubectl apply -f- app.application.giantswarm.io/my-falco created $ kubectl gs get app -n falco-ns NAME VERSION LAST DEPLOYED STATUS NOTES my-falco 0.3.2 113s deployed </code></pre><p>Here are the resulting Kubernetes resources when using regular kubectl commands.</p> <pre tabindex="0"><code>$ kubectl get app,deployment,daemonset -n falco-ns NAME INSTALLED VERSION CREATED AT LAST DEPLOYED STATUS app.application.giantswarm.io/my-falco 0.3.2 4m25s 4m24s deployed NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/my-falco-falcosidekick 2/2 2 2 4m24s NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE daemonset.apps/my-falco 1 1 1 1 1 &lt;none&gt; 4m24s daemonset.apps/my-falco-falco-exporter 1 1 1 1 1 &lt;none&gt; 4m24s </code></pre><p>The previous output might differ depending on the type of cluster you would be using, among other variables.</p> <p>As you can see, once App Platform is up and running, we only need to create the namespace that should contain the Falco application (which should already exist if we are deploying from a managed workload cluster), and the CRD based on the template from the <code>kubectl gs</code> plugin. In a matter of seconds, Falco will be up and running, watching for threats and alerting when suspicious behaviors arise.</p> <h3 id="managed-security">Managed Security</h3> <p><a href="https://twitter.com/StoneZach/">Zach Stone</a>, Platform Engineer at Giant Swarm, walked us through some of the biggest challenges that the company's customers face and how his team is using Falco to develop thoughtful solutions.</p> <p><em>β€œThe biggest problem that most of our customers face isn't what happens in the cluster, it's what happens with the information once they get it out of the cluster,”</em> asserted Stone. <em>β€œPeople also focus too much on the capability that a tool offers and don't take a bigger look at the security processes it supports.”</em></p> <p><em>β€œIf a customer has a vulnerability management program, we can track all of the vulnerabilities in their components, but if fixing those vulnerabilities isn’t a priority, then the program doesn’t work,”</em> remarked Stone. <em>&quot;The larger discussion is usually about where the alerts should go, who bears responsibility for remediation, and how to fit that work into the team's limited capacity. We spend a lot of time trying to ensure security isn't just something that sits alongside the business, but rather is a meaningful part of the daily routine.&quot;</em></p> <p>Part of that effort is in tuning detection rules and alerting. <em>&quot;Any time we surface an alert, it should be actionable and have a clear owner who is invested in never seeing that alert again.&quot;</em></p> <p><em>β€œI think Falco's superpower is in the flexibility of the policies. I'm also really excited about the changes that are slated to make it easier to update them. Most rules aren't one-size-fits-all -- for a given policy, there is usually some refinement needed to ensure the policy makes sense within our platform, and then customers modify it even further to meet their security requirements. All that customization can make it incredibly difficult to reconcile,”</em> said Stone. <em>β€œThe fact that we can already do it with Falco speaks volumes about the versatility of the solution.”</em></p> <h4 id="security-pack">Security Pack</h4> <p>Giant Swarm's <a href="https://docs.giantswarm.io/app-platform/apps/security/">Security Pack</a> is a collection of open source security tools offered by Giant Swarm, which not only contains Falco but also a plethora of other open source projects, including <em>Kyverno</em> for policy enforcement, <em>Trivy</em> for image scanning, and <em>Cosign</em> for image signature verification.</p> <p>Security does not apply to a single level and, therefore, Security Pack consists of multiple applications, each one independently installable and configurable, available via their App Platform. <em>β€œFalco will be the cornerstone of our node-level security capabilities,”</em> affirmed Stone, <em>β€œthe biggest opportunity for API plug-ins I see is to get feedback from the node level back into the Security Pack so that we can further contextualize events in the ecosystem.”</em></p> <h3 id="conclusion">Conclusion</h3> <p>Adding simplicity to our cluster management is considered a requirement nowadays, especially in those cases where the lack of resources in an organization can keep it from achieving an acceptable level of security.</p> <p>Features like Giant Swarm's App Platform and Security Pack will help organizations to finally focus on what actually matters to them: Running their business. In the future, Giant Swarm plans to launch its security pack across all its customers' clusters, enabled by default and built on Falco.</p>Blog: Kubernetes Response Engine, Part 9: Falcosidekick + Fissionhttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-9-fission/Wed, 01 Sep 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-9-fission/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7 : Falcosidekick + Cloud Functions</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/">Kubernetes Response Engine, Part 8: Falcosidekick + Flux v2</a></li> </ul> </blockquote> <hr> <p>The earlier posts in this series, show how to use Kubeless, Argo, Knative, and others to trigger a resource after getting input from Falcosidekick. Recently, Falcosidekick received a new output type support for <a href="https://github.com/falcosecurity/falcosidekick/pull/255">Fission</a>.</p> <p>In this blog post, we will cover using <code>Falcosidekick</code> and <code>Fission</code> to detect and delete a compromised pod in a Kubernetes cluster. We will briefly talk about Fission in this blog, however, you can check the complete documentation <a href="https://fission.io/">here</a>.</p> <h2 id="prerequisites">Prerequisites</h2> <p>We need tools with the following minimum versions to achieve this demo:</p> <ul> <li>Minikube v1.19.0</li> <li>Helm v3.5.4</li> <li>kubectl v1.21.0</li> <li>fission-cli v1.13.1</li> </ul> <h3 id="provision-local-kubernetes-cluster">Provision local Kubernetes Cluster</h3> <p>There are various ways to provision a local Kubernetes cluster such as, KinD, k3s, k0s, Minikube, etc. We are going to use Minikube in this walkthrough.</p> <p>Let's get provisioned a local Kubernetes cluster:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ minikube start --cpus <span style="color:#666">3</span> --memory <span style="color:#666">8192</span> --vm-driver virtualbox </span></span><span style="display:flex;"><span>πŸ˜„ minikube v1.19.0 on Darwin 10.15.7 </span></span><span style="display:flex;"><span>✨ Using the virtualbox driver based on user configuration </span></span><span style="display:flex;"><span>πŸ‘ Starting control plane node minikube in cluster minikube </span></span><span style="display:flex;"><span>πŸ”₯ Creating virtualbox VM <span style="color:#666">(</span><span style="color:#b8860b">CPUs</span><span style="color:#666">=</span>3, <span style="color:#b8860b">Memory</span><span style="color:#666">=</span>8192MB, <span style="color:#b8860b">Disk</span><span style="color:#666">=</span>20000MB<span style="color:#666">)</span> ... </span></span><span style="display:flex;"><span>🐳 Preparing Kubernetes v1.20.2 on Docker 20.10.4 ... </span></span><span style="display:flex;"><span> β–ͺ Generating certificates and keys ... </span></span><span style="display:flex;"><span> β–ͺ Booting up control plane ... </span></span><span style="display:flex;"><span> β–ͺ Configuring RBAC rules ... </span></span><span style="display:flex;"><span>πŸ”Ž Verifying Kubernetes components... </span></span><span style="display:flex;"><span> β–ͺ Using image gcr.io/k8s-minikube/storage-provisioner:v5 </span></span><span style="display:flex;"><span>🌟 Enabled addons: storage-provisioner, default-storageclass </span></span><span style="display:flex;"><span>πŸ„ Done! kubectl is now configured to use <span style="color:#b44">&#34;minikube&#34;</span> cluster and <span style="color:#b44">&#34;default&#34;</span> namespace by default </span></span></code></pre></div><h2 id="install-fission">Install Fission</h2> <p>Fission is a fast, open source serverless framework for Kubernetes with a focus on developer productivity and high performance. Fission operates on just the code: Docker and Kubernetes are abstracted away under normal operation, though you can use both to extend Fission if you want to.</p> <p>Follow the official documentation for <a href="https://docs.fission.io/docs/installation/">deploying Fission to Kubernetes</a>.</p> <p>Here we will be using Helm to install Fission:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#a2f">export</span> <span style="color:#b8860b">FISSION_NAMESPACE</span><span style="color:#666">=</span><span style="color:#b44">&#34;fission&#34;</span> </span></span><span style="display:flex;"><span>$ kubectl create namespace <span style="color:#b8860b">$FISSION_NAMESPACE</span> </span></span><span style="display:flex;"><span>$ kubectl create -k <span style="color:#b44">&#34;github.com/fission/fission/crds/v1?ref=1.13.1&#34;</span> </span></span><span style="display:flex;"><span>$ helm repo add fission-charts https://fission.github.io/fission-charts/ </span></span><span style="display:flex;"><span>$ helm repo update </span></span><span style="display:flex;"><span>$ helm install --version 1.13.1 --namespace <span style="color:#b8860b">$FISSION_NAMESPACE</span> fission fission-charts/fission-all </span></span><span style="display:flex;"><span>NAME: fission </span></span><span style="display:flex;"><span>LAST DEPLOYED: Wed Jul <span style="color:#666">21</span> 18:03:44 <span style="color:#666">2021</span> </span></span><span style="display:flex;"><span>NAMESPACE: fission </span></span><span style="display:flex;"><span>STATUS: deployed </span></span><span style="display:flex;"><span>REVISION: <span style="color:#666">1</span> </span></span><span style="display:flex;"><span>TEST SUITE: None </span></span><span style="display:flex;"><span>NOTES: </span></span><span style="display:flex;"><span>1. Install the client CLI. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Mac: </span></span><span style="display:flex;"><span> $ curl -Lo fission https://github.com/fission/fission/releases/download/1.13.1/fission-1.13.1-darwin-amd64 <span style="color:#666">&amp;&amp;</span> chmod +x fission <span style="color:#666">&amp;&amp;</span> sudo mv fission /usr/local/bin/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Linux: </span></span><span style="display:flex;"><span> $ curl -Lo fission https://github.com/fission/fission/releases/download/1.13.1/fission-1.13.1-linux-amd64 <span style="color:#666">&amp;&amp;</span> chmod +x fission <span style="color:#666">&amp;&amp;</span> sudo mv fission /usr/local/bin/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Windows: </span></span><span style="display:flex;"><span> For Windows, you can use the linux binary on WSL. Or you can download this windows executable: https://github.com/fission/fission/releases/download/1.13.1/fission-1.13.1-windows-amd64.exe </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>2. You<span style="">&#39;</span>re ready to use Fission! </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#080;font-style:italic"># Create an environment</span> </span></span><span style="display:flex;"><span> $ fission env create --name nodejs --image fission/node-env </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#080;font-style:italic"># Get a hello world</span> </span></span><span style="display:flex;"><span> $ curl https://raw.githubusercontent.com/fission/examples/master/nodejs/hello.js &gt; hello.js </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#080;font-style:italic"># Register this function with Fission</span> </span></span><span style="display:flex;"><span> $ fission <span style="color:#a2f;font-weight:bold">function</span> create --name hello --env nodejs --code hello.js </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#080;font-style:italic"># Run this function</span> </span></span><span style="display:flex;"><span> $ fission <span style="color:#a2f;font-weight:bold">function</span> <span style="color:#a2f">test</span> --name hello </span></span><span style="display:flex;"><span> Hello, world! </span></span></code></pre></div><p>Check if everything is working before moving onto the next step:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace fission </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>buildermgr-5698c89fff-rk9z6 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>controller-5dcb44bcd6-vq9hb 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>executor-6b6d6469d6-2xrlk 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>fission-kube-state-metrics-5fc9bd6684-7ffwp 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>fission-prometheus-alertmanager-65f5574885-tlrz6 2/2 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>fission-prometheus-node-exporter-jd9w6 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>fission-prometheus-node-exporter-jpzn8 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>fission-prometheus-node-exporter-rb25l 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>fission-prometheus-pushgateway-54c87b5796-28x2h 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>fission-prometheus-server-9d64c74b4-ld97h 2/2 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>influxdb-59649c8c6-5vx54 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>kubewatcher-6996fccc6b-5vbvx 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>logger-6kdw4 2/2 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>logger-nmw9t 2/2 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>logger-zkrq9 2/2 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>mqtrigger-keda-7584989c48-n5w6g 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>mqtrigger-nats-streaming-664c55c979-t9gp5 1/1 Running <span style="color:#666">0</span> 7m19s </span></span><span style="display:flex;"><span>nats-streaming-6c6d7c6fbf-ft468 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>router-5c5c6cbb87-989pc 1/1 Running <span style="color:#666">0</span> 7m20s </span></span><span style="display:flex;"><span>storagesvc-57ccf58976-qcr4d 1/1 Running <span style="color:#666">0</span> 7m19s </span></span><span style="display:flex;"><span>timer-794b89579b-6kxwx 1/1 Running <span style="color:#666">0</span> 7m20s </span></span></code></pre></div><h2 id="install-falco-falcosidekick">Install Falco + Falcosidekick</h2> <p>Firstly, we'll create the namespace that will host both <code>Falco</code> and <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl create namespace falco </span></span></code></pre></div><p>We add the <code>helm</code> repo:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span><span style="display:flex;"><span><span style="color:#b44">&#34;falcosecurity&#34;</span> has been added to your repositories </span></span><span style="display:flex;"><span>$ helm repo update </span></span><span style="display:flex;"><span>Hang tight <span style="color:#a2f;font-weight:bold">while</span> we grab the latest from your chart repositories... </span></span><span style="display:flex;"><span>...Successfully got an update from the <span style="color:#b44">&#34;falcosecurity&#34;</span> chart repository </span></span><span style="display:flex;"><span>...Successfully got an update from the <span style="color:#b44">&#34;openfaas&#34;</span> chart repository </span></span><span style="display:flex;"><span>Update Complete. ⎈Happy Helming!⎈ </span></span></code></pre></div><p>In a real project, you should get the whole chart with <code>helm pull falcosecurity/falco --untar</code> and then configure the <code>values.yaml</code>. For this tutorial, will try to keep thing as easy as possible and set configs directly by passing arguments to <code>helm install</code> command line:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ helm upgrade --install falco falcosecurity/falco --namespace falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.config.fission.function<span style="color:#666">=</span><span style="color:#b44">&#34;falco-pod-delete&#34;</span> </span></span></code></pre></div><p>You should get this output:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>Release <span style="color:#b44">&#34;falco&#34;</span> does not exist. Installing it now. </span></span><span style="display:flex;"><span>NAME: falco </span></span><span style="display:flex;"><span>LAST DEPLOYED: Tue Apr <span style="color:#666">13</span> 10:49:49 <span style="color:#666">2021</span> </span></span><span style="display:flex;"><span>NAMESPACE: falco </span></span><span style="display:flex;"><span>STATUS: deployed </span></span><span style="display:flex;"><span>REVISION: <span style="color:#666">1</span> </span></span><span style="display:flex;"><span>NOTES: </span></span><span style="display:flex;"><span>Falco agents are spinning up on each node in your cluster. After a few </span></span><span style="display:flex;"><span>seconds, they are going to start monitoring your containers looking <span style="color:#a2f;font-weight:bold">for</span> </span></span><span style="display:flex;"><span>security issues. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>No further action should be required. </span></span></code></pre></div><p>And you can see your new <code>Falco</code> and <code>Falcosidekick</code>pods:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace falco </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-falcosidekick-f77c58899-gd467 1/1 Running <span style="color:#666">0</span> 51s </span></span><span style="display:flex;"><span>falco-falcosidekick-f77c58899-hfsjx 1/1 Running <span style="color:#666">0</span> 51s </span></span><span style="display:flex;"><span>falco-hg2wm 1/1 Running <span style="color:#666">0</span> 51s </span></span></code></pre></div><p>The argument <code>falcosidekick.enabled=true</code> sets the following settings in <em>Falco</em> for you:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>--set falco.jsonOutput<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falco.httpOutput.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falco.httpOutput.url<span style="color:#666">=</span>http://falco-falcosidekick:2801 </span></span></code></pre></div><p>The arguments <code>--set falco.jsonOutput=true --set falco.httpOutput.enabled=true --set falco.httpOutput.url=http://falco-falcosidekick:2801</code> are there to configure the format of events and the URL where <code>Falco</code> will send them. As <code>Falco</code> and <code>Falcosidekick</code> will be in the same namespace, it can directly use the name of the service (<code>falco-falcosidekick</code>) above <code>Falcosidekick</code> pods.</p> <p>We check the logs:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs deployment/falco-falcosidekick -n falco </span></span><span style="display:flex;"><span>Found <span style="color:#666">2</span> pods, using pod/falco-falcosidekick-f77c58899-gd467 </span></span><span style="display:flex;"><span>2021/07/21 12:52:02 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Enabled Outputs : <span style="color:#666">[</span>Fission<span style="color:#666">]</span> </span></span><span style="display:flex;"><span>2021/07/21 12:52:02 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Falco Sidekick is up and listening on :2801 </span></span></code></pre></div><p><code>Fission</code> is displayed as enabled output, everything is good πŸ‘.</p> <h2 id="install-our-fission-function">Install our Fission Function</h2> <p>Our really basic function will receive events from <code>Falco</code>, thanks to <code>Falcosidekick</code>, check if the triggered rule is <a href="https://github.com/falcosecurity/falco/blob/0d7068b048772b1e2d3ca5c86c30b3040eac57df/rules/falco_rules.yaml#L2063">Terminal Shell in container</a>, extract the <em>namespace</em> and <em>pod name</em> from the fields of events and delete the according pod:</p> <p>Basically, the process is:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span> +----------+ +---------------+ +----------+ </span></span><span style="display:flex;"><span> | Falco +-----------------&gt; Falcosidekick +--------------------&gt; Fission | </span></span><span style="display:flex;"><span> +----^-----+ sends event +---------------+ triggers +-----+----+ </span></span><span style="display:flex;"><span> | | </span></span><span style="display:flex;"><span>detects a shell | | </span></span><span style="display:flex;"><span> | | </span></span><span style="display:flex;"><span> +----+-------+ deletes | </span></span><span style="display:flex;"><span> | Pwned Pod &lt;----------------------------------------------------------+ </span></span><span style="display:flex;"><span> +------------+ </span></span></code></pre></div><p>Let's get the function and other artifacts:</p> <pre tabindex="0"><code>$ git clone https://github.com/fission/examples.git &amp;&amp; cd examples/sample/falco </code></pre><p>The function we are going to deploy basically receives events for an infected pod from the <em>Falcosidekick</em> and deletes it immediately. Before deploying the function we need some permissions to delete Pod. We create a <code>ServiceAccount</code> with rights to delete a Pod in any namespace, and we'll associate it to our function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">apiVersion</span>:<span style="color:#bbb"> </span>v1<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>ServiceAccount<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">metadata</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>falco-pod-delete<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">namespace</span>:<span style="color:#bbb"> </span>fission-function<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#00f;font-weight:bold">---</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>ClusterRole<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">apiVersion</span>:<span style="color:#bbb"> </span>rbac.authorization.k8s.io/v1<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">metadata</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>falco-pod-delete-cluster-role<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">rules</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">apiGroups</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">resources</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;configmaps&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;secrets&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">verbs</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;get&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">apiGroups</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">resources</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;pods&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">verbs</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;get&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;list&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;delete&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">apiGroups</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">resources</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;events&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">verbs</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;*&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">apiGroups</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;fission.io&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">resources</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;packages&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">verbs</span>:<span style="color:#bbb"> </span>[<span style="color:#b44">&#34;get&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;list&#34;</span>]<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#00f;font-weight:bold">---</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>ClusterRoleBinding<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">apiVersion</span>:<span style="color:#bbb"> </span>rbac.authorization.k8s.io/v1<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">metadata</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>falco-pod-delete-cluster-role-binding<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">roleRef</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>ClusterRole<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>falco-pod-delete-cluster-role<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">apiGroup</span>:<span style="color:#bbb"> </span>rbac.authorization.k8s.io<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">subjects</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>ServiceAccount<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>falco-pod-delete<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">namespace</span>:<span style="color:#bbb"> </span>fission-function<span style="color:#bbb"> </span></span></span></code></pre></div><p>Let's create the service account with:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>$ kubectl apply -f sa-falco-pod-delete.yaml </span></span></code></pre></div><p>The <code>falco-pod-delete/handler.go</code> contains our function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-golang" data-lang="golang"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">package</span><span style="color:#bbb"> </span>main<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">import</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;context&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;encoding/json&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;io/ioutil&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;log&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;net/http&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;time&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>metaV1<span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/apimachinery/pkg/apis/meta/v1&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/kubernetes&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/rest&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>kubeClient<span style="color:#bbb"> </span><span style="color:#666">*</span>kubernetes.Clientset<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">init</span>()<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// creates the in-cluster config</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>config,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>rest.<span style="color:#00a000">InClusterConfig</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(err.<span style="color:#00a000">Error</span>())<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// creates the clientset</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>kubeClient,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>kubernetes.<span style="color:#00a000">NewForConfig</span>(config)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(err.<span style="color:#00a000">Error</span>())<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">type</span><span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Output<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Priority<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;priority&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Rule<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;rule&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Time<span style="color:#bbb"> </span>time.Time<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>OutputFields<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerID<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.id&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageRepository<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.repository&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageTag<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.tag&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>EvtTime<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">int64</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;evt.time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>FdName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;fd.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SNsName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.ns.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SPodName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.pod.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ProcCmdline<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;proc.cmdline&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output_fields&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>criticalNamespaces<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>[]<span style="color:#0b0;font-weight:bold">string</span>{<span style="color:#b44">&#34;kube-system&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;kube-public&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;kube-node-lease&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;falco&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;fission&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;fission-function&#34;</span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">Handler</span>(w<span style="color:#bbb"> </span>http.ResponseWriter,<span style="color:#bbb"> </span>r<span style="color:#bbb"> </span><span style="color:#666">*</span>http.Request)<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>alert<span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>r.Body<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">defer</span><span style="color:#bbb"> </span>r.Body.<span style="color:#00a000">Close</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>body,<span style="color:#bbb"> </span>_<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>ioutil.<span style="color:#00a000">ReadAll</span>(r.Body)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>json.<span style="color:#00a000">Unmarshal</span>(body,<span style="color:#bbb"> </span><span style="color:#666">&amp;</span>alert)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;\n[ INFO ] Alert : %v\n&#34;</span>,<span style="color:#bbb"> </span>alert)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>podName<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>alert.OutputFields.K8SPodName<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>namespace<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>alert.OutputFields.K8SNsName<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>critical<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">bool</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">for</span><span style="color:#bbb"> </span>_,<span style="color:#bbb"> </span>ns<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">range</span><span style="color:#bbb"> </span>criticalNamespaces<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>ns<span style="color:#bbb"> </span><span style="color:#666">==</span><span style="color:#bbb"> </span>namespace<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>critical<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">break</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>!critical<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>_,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>kubeClient.<span style="color:#00a000">CoreV1</span>().<span style="color:#00a000">Pods</span>(namespace).<span style="color:#00a000">Get</span>(context.<span style="color:#00a000">Background</span>(),<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>metaV1.GetOptions{})<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;\n[ WARN ] Failed to get pod &#39;%s&#39; in &#39;%s&#39; namespace&#34;</span>,<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>namespace)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;Deleting pod %s from namespace %s&#34;</span>,<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>namespace)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>kubeClient.<span style="color:#00a000">CoreV1</span>().<span style="color:#00a000">Pods</span>(namespace).<span style="color:#00a000">Delete</span>(context.<span style="color:#00a000">Background</span>(),<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>metaV1.DeleteOptions{})<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;\n[ ERROR ] Failed to delete pod: %v&#34;</span>,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>w.<span style="color:#00a000">WriteHeader</span>(http.StatusInternalServerError)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>w.<span style="color:#00a000">Write</span>([]<span style="color:#a2f">byte</span>(err.<span style="color:#00a000">Error</span>()))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>w.<span style="color:#00a000">WriteHeader</span>(http.StatusOK)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>w.<span style="color:#00a000">Write</span>([]<span style="color:#a2f">byte</span>(<span style="color:#b44">&#34;OK&#34;</span>))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span></code></pre></div><p>A fission function requires an environment/runtime to run. The <code>yaml</code> definitions for the runtime, the function and the router are available under the <code>specs</code> directory.</p> <p>Now, we are ready to deploy our <em>falco-pod-delete</em> function using the specs:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ fission spec apply </span></span><span style="display:flex;"><span>DeployUID: edc80e3e-7d1e-448c-aba8-c8cd75b3a1eb </span></span><span style="display:flex;"><span>Resources: </span></span><span style="display:flex;"><span> * <span style="color:#666">1</span> Functions </span></span><span style="display:flex;"><span> * <span style="color:#666">1</span> Environments </span></span><span style="display:flex;"><span> * <span style="color:#666">1</span> Packages </span></span><span style="display:flex;"><span> * <span style="color:#666">1</span> Http Triggers </span></span><span style="display:flex;"><span> * <span style="color:#666">0</span> MessageQueue Triggers </span></span><span style="display:flex;"><span> * <span style="color:#666">0</span> Time Triggers </span></span><span style="display:flex;"><span> * <span style="color:#666">0</span> Kube Watchers </span></span><span style="display:flex;"><span> * <span style="color:#666">1</span> ArchiveUploadSpec </span></span><span style="display:flex;"><span>Validation Successful </span></span><span style="display:flex;"><span>Spec doesn<span style="">&#39;</span>t belong to Git Tree. </span></span><span style="display:flex;"><span><span style="color:#666">1</span> <span style="color:#a2f;font-weight:bold">function</span> created: falco-pod-delete </span></span><span style="display:flex;"><span><span style="color:#666">1</span> HTTPTrigger created: falco-pod-delete </span></span><span style="display:flex;"><span><span style="color:#666">1</span> environment created: go </span></span><span style="display:flex;"><span><span style="color:#666">1</span> package created: falco-pod-delete-d18f6a0b-e5a1-4275-9471-38d684ac4dfe </span></span></code></pre></div><p>Check if the package was built successfully for our fission function before moving to the next step:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ fission pkg list </span></span><span style="display:flex;"><span>NAME BUILD_STATUS ENV LASTUPDATEDAT </span></span><span style="display:flex;"><span>falco-pod-delete-d18f6a0b-e5a1-4275-9471-38d684ac4dfe succeeded go <span style="color:#666">21</span> Jul <span style="color:#666">21</span> 08:26 IST </span></span></code></pre></div><h2 id="test-our-function">Test our function</h2> <p>We start by creating a dumb pod:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl run alpine --namespace default --image<span style="color:#666">=</span>alpine --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span><span style="display:flex;"><span>pod/alpine created </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace default </span></span><span style="display:flex;"><span>AME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Running <span style="color:#666">0</span> 11s </span></span></code></pre></div><p>Let's run a <em>shell</em> command inside and see what happens:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl <span style="color:#a2f">exec</span> -i --tty alpine --namespace default -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>19:27:21 up <span style="color:#666">50</span> min, load average: 0.11, 0.12, 0.11 </span></span></code></pre></div><p>As expected we got the result of our command, but, if we get the status of the pod we retrieve:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace default </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Terminating <span style="color:#666">0</span> 103s </span></span></code></pre></div><p>πŸ’₯ <strong>It has been terminated</strong> πŸ’₯</p> <p>We can now check the logs of components.</p> <p>For <code>Falco</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs daemonset/falco --namespace falco </span></span><span style="display:flex;"><span>.. </span></span><span style="display:flex;"><span><span style="color:#666">{</span><span style="color:#b44">&#34;output&#34;</span>:<span style="color:#b44">&#34;10:36:32.750441241: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=alpine container=cbd3133ccac6 shell=sh parent=runc cmdline=sh -c uptime terminal=34816 container_id=cbd3133ccac6 image=alpine) k8s.ns=default k8s.pod=alpine container=cbd3133ccac6&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span>:<span style="color:#b44">&#34;Notice&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span>:<span style="color:#b44">&#34;Terminal shell in container&#34;</span>,<span style="color:#b44">&#34;time&#34;</span>:<span style="color:#b44">&#34;2021-07-21T10:36:32.750441241Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span>: <span style="color:#666">{</span><span style="color:#b44">&#34;container.id&#34;</span>:<span style="color:#b44">&#34;cbd3133ccac6&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;evt.time&#34;</span>:1626863792750441241,<span style="color:#b44">&#34;k8s.ns.name&#34;</span>:<span style="color:#b44">&#34;default&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span>:<span style="color:#b44">&#34;sh -c uptime&#34;</span>,<span style="color:#b44">&#34;proc.name&#34;</span>:<span style="color:#b44">&#34;sh&#34;</span>,<span style="color:#b44">&#34;proc.pname&#34;</span>:<span style="color:#b44">&#34;runc&#34;</span>,<span style="color:#b44">&#34;proc.tty&#34;</span>:34816,<span style="color:#b44">&#34;user.loginuid&#34;</span>:-1,<span style="color:#b44">&#34;user.name&#34;</span>:<span style="color:#b44">&#34;root&#34;</span><span style="color:#666">}}</span> </span></span><span style="display:flex;"><span><span style="color:#666">{</span><span style="color:#b44">&#34;output&#34;</span>:<span style="color:#b44">&#34;10:37:09.101509967: Notice Unexpected connection to K8s API Server from container (command=fetcher -secret-dir /secrets -cfgmap-dir /configs -jaeger-collector-endpoint /userfunc k8s.ns=fission-function k8s.pod=poolmgr-go-default-516098-5bdbf8c8f5-g8gvc container=281c99ea33c2 image=fission/fetcher:1.13.1 connection=192.168.43.223:39526-&gt;10.100.0.1:443) k8s.ns=fission-function k8s.pod=poolmgr-go-default-516098-5bdbf8c8f5-g8gvc container=281c99ea33c2&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span>:<span style="color:#b44">&#34;Notice&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span>:<span style="color:#b44">&#34;Contact K8S API Server From Container&#34;</span>,<span style="color:#b44">&#34;time&#34;</span>:<span style="color:#b44">&#34;2021-07-21T10:37:09.101509967Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span>: <span style="color:#666">{</span><span style="color:#b44">&#34;container.id&#34;</span>:<span style="color:#b44">&#34;281c99ea33c2&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span>:<span style="color:#b44">&#34;fission/fetcher&#34;</span>,<span style="color:#b44">&#34;container.image.tag&#34;</span>:<span style="color:#b44">&#34;1.13.1&#34;</span>,<span style="color:#b44">&#34;evt.time&#34;</span>:1626863829101509967,<span style="color:#b44">&#34;fd.name&#34;</span>:<span style="color:#b44">&#34;192.168.43.223:39526-&gt;10.100.0.1:443&#34;</span>,<span style="color:#b44">&#34;k8s.ns.name&#34;</span>:<span style="color:#b44">&#34;fission-function&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span>:<span style="color:#b44">&#34;poolmgr-go-default-516098-5bdbf8c8f5-g8gvc&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span>:<span style="color:#b44">&#34;fetcher -secret-dir /secrets -cfgmap-dir /configs -jaeger-collector-endpoint /userfunc&#34;</span><span style="color:#666">}}</span> </span></span><span style="display:flex;"><span>.. </span></span></code></pre></div><p>For <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs deployment/falco-falcosidekick --namespace falco </span></span><span style="display:flex;"><span>.. </span></span><span style="display:flex;"><span>2021/07/21 10:37:13 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Fission - Post OK <span style="color:#666">(</span>200<span style="color:#666">)</span> </span></span><span style="display:flex;"><span>2021/07/21 10:36:32 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Fission - Function Response : OK </span></span><span style="display:flex;"><span>2021/07/21 10:36:32 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Fission - Call Function <span style="color:#b44">&#34;falco-pod-delete&#34;</span> OK </span></span><span style="display:flex;"><span>.. </span></span></code></pre></div><p>For <em>falco-delete-pod</em> function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ fission <span style="color:#a2f;font-weight:bold">function</span> logs -f --name falco-pod-delete </span></span><span style="display:flex;"><span>.. </span></span><span style="display:flex;"><span><span style="color:#666">[</span>2021-07-21 10:47:27.206605532 +0000 UTC<span style="color:#666">]</span> 2021/07/21 10:47:27 Deleting pod alpine from namespace default </span></span><span style="display:flex;"><span>.. </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>With this really simple example, we got another way to create a Response Engine with amazing pieces of software from the Open Source world. We only scratched the surface of possibilities, so don't hesitate to share with us your comments, ideas and successes.</p> <hr> <p>If you would like to find out more about Falco:</p> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falco">Falco project in GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Kubernetes Response Engine, Part 8: Falcosidekick + Flux v2https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/Tue, 31 Aug 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7 : Falcosidekick + Cloud Functions</a></li> </ul> </blockquote> <hr> <p>Today, we will set up another KRE (Kubernetes Response Engine) based on <code>Flux (version 2)</code>. If you don't know about <code>Flux (version 2)</code>, let me explain it in a few words. <code>Flux (version 2)</code> is a tool for keeping Kubernetes clusters in sync with configuration sources (such as Git repositories) and automating updates to the configuration when new code is available to deploy.</p> <p>To learn more about <code>Flux (version 2)</code>, see <a href="https://fluxcd.io/docs/">Flux Documentation</a>.</p> <p><code>Flux (version 2)</code> might look like a GitOps tool. It is, in reality, another GitOps tool in that it watches Github repositories for configuration changes and keeps the current state and the desired state always in sync. It does that on top of Kubernetes by using a bunch of CRs (Custom Resources). However, unlike Knative Eventing, Tekton Triggers, and Argo Events, <code>Flux (version 2)</code> does not support an eventing system to forward events from one point to another.</p> <p>To set up KRE with <code>Flux (version 2)</code>, we will create a small project that listens to events and updates the GitHub repository, which <code>Flux (version 2)</code> monitors to alter the desired state. For example, get the event of a pwned pod, then change its replicas to zero within the deployment YAML file.</p> <p>The reference architecture given below illustrates the content of this blog.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/kre_flux_v2_gitops_toolkit.png" alt="kre_flux_v2_gitops_toolkit" loading="lazy" /> </p> <!-- START doctoc generated TOC please keep comment here to allow auto update --> <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --> <p><strong>Table of Contents</strong></p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/#prerequisites">Prerequisites</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/#tutorial">Tutorial</a> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/#provision-local-kubernetes-cluster">Provision local Kubernetes Cluster</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/#install-flux-v2---gitops-toolkit">Install Flux V2 - GitOps Toolkit</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/#install-falco-event-listener">Install falco-event-listener</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/#installing-falco-and-falcosidekick">Installing Falco and Falcosidekick</a></li> </ul> </li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/#test">Test</a></li> </ul> <!-- END doctoc generated TOC please keep comment here to allow auto update --> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>minikube v1.21.0</li> <li>helm v3.6.2+gee407bd</li> <li>kubectl v1.21.1</li> <li>ko v0.8.3</li> <li>flux v0.16.0</li> <li>gcloud v347.0.0</li> </ul> <h2 id="tutorial">Tutorial</h2> <h3 id="provision-local-kubernetes-cluster">Provision local Kubernetes Cluster</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ minikube config view </span></span><span style="display:flex;"><span>- cpus: <span style="color:#666">3</span> </span></span><span style="display:flex;"><span>- driver: virtualbox </span></span><span style="display:flex;"><span>- memory: <span style="color:#666">8192</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>minikube start </span></span></code></pre></div><h3 id="install-flux-v2-gitops-toolkit">Install Flux V2 - GitOps Toolkit</h3> <p>I highly recommended that you check out <a href="https://fluxcd.io/docs/get-started/">getting started</a> page of <code>Flux (version 2)</code>. It gives you detailed installation instructions for <code>Flux (version 2)</code>.</p> <p>For <code>Flux (version 2)</code> to create a GitHub repository for its resources, we must define the token and username information. Then, <code>Flux (version 2)</code> installed in a GitOps way, and <code>Flux (version 2)</code> will push its manifest to the repository.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">GITHUB_USER</span><span style="color:#666">=</span>&lt;username&gt; </span></span><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">GITHUB_TOKEN</span><span style="color:#666">=</span>&lt;token&gt; </span></span></code></pre></div><p>Once the necessary environment variables are defined, we can install <code>Flux (version 2)</code>. The following command will create and push its manifests to the repository, then install Flux components.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>flux bootstrap github <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --owner<span style="color:#666">=</span><span style="color:#b8860b">$GITHUB_USER</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --repository<span style="color:#666">=</span>fleet-infra <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --branch<span style="color:#666">=</span>main <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --path<span style="color:#666">=</span>./clusters/my-cluster <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --personal </span></span></code></pre></div><p>After the installation is complete, the next step is creating the alpine <a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/alpine-gitsource.yaml">GitRepository</a> and <a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-8-fluxv2/alpine-kustomization.yaml">Kustomization</a> CRD's (Custom Resource Definitions). For more information, see <a href="https://fluxcd.io/docs/components/">components</a>.</p> <p>Apply the CRD files as follows:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl apply -f https://raw.githubusercontent.com/developer-guy/kubernetes-response-engine-based-on-flux-v2-gitops-toolkit/master/alpine-gitsource.yaml </span></span><span style="display:flex;"><span>gitrepository.source.toolkit.fluxcd.io/alpine created </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ kubectl apply -f https://raw.githubusercontent.com/developer-guy/kubernetes-response-engine-based-on-flux-v2-gitops-toolkit/master/alpine-kustomization.yaml </span></span><span style="display:flex;"><span>kustomization.kustomize.toolkit.fluxcd.io/alpine created </span></span></code></pre></div><p>Alternatively, we can use the <a href="https://fluxcd.io/docs/cmd/#installation">Flux CLI</a>.</p> <p>To create <code>GitRepository</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>flux create <span style="color:#a2f">source</span> git alpine <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --url https://github.com/developer-guy/desired-state-repository <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --branch master <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --interval 30s </span></span></code></pre></div><p>To create <code>Kustomization</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>flux create kustomization alpine <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --source alpine <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --path <span style="color:#b44">&#34;./&#34;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --prune <span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --validation client <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --interval 5m </span></span></code></pre></div><h3 id="install-falco-event-listener">Install falco-event-listener</h3> <p>As the name suggests, this program will listen to an event in the form of <code>CloudEvents.</code> This CloudEvents forwarded from Falcosidekick, a simple daemon for enhancing available outputs for Falco. After the successful receipt of the event, <code>falco-event-listener</code> will update the YAML definition to scale its replicas to zero based on the pieces of information given in the event.</p> <p>In most basic form, the architecture of the demo is:</p> <p>Falco w/HTTP --&gt; Falcosidekick w/CloudEvent --&gt; falco-event-listener w/HTTP --&gt; GitHub</p> <p>To learn more about <code>CloudEvents</code>, see <a href="https://cloudevents.io">cloudevents.io</a>.</p> <p>First, let us clone the <code>falco-event-listener</code> repository.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>git clone https://github.com/developer-guy/falco-event-listener </span></span><span style="display:flex;"><span><span style="color:#a2f">cd</span> falco-event-listener </span></span></code></pre></div><p>Before installing this project, we have to do a couple of things.</p> <ul> <li>We have to <a href="https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token">create a GitHub PAT (Personal Access Token)</a> to be able to update the desired state configurations which are in the GitHub repository after we detect a malicious behavior related to our pod has detected.</li> </ul> <p>As you can see in the above arguments, we should pass <code>GITHUB_TOKEN</code> as an argument to our CLI application. The best option is storing <code>GITHUB_TOKEN</code> in a Kubernetes Secret and <a href="https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables">using Secret as environment variables</a>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create namespace falco </span></span><span style="display:flex;"><span>kubectl create secret generic github-secret <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --from-literal <span style="color:#b8860b">GITHUB_TOKEN</span><span style="color:#666">=</span><span style="color:#b8860b">$GITHUB_TOKEN</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --namespace falco </span></span></code></pre></div><ul> <li>You might notice that we are using some URLs (--notify-url) within the flags of the project. Let me explain that why we need it a bit. As you might know, we are trying to set up some remediation engine here, so we have to react to those events thrown by the Falcosidekick as soon as possible. We defined an interval while creating a <code>GitRepository,</code> which means that <code>Flux (version 2)</code> will wait at least that long to sync configurations, so we have to notify <code>Flux (version 2)</code> controllers about changes once we edited the desired state by a process whose name is <code>falco-event-listener.</code> To notify the <code>Flux (version 2)</code> controllers about changes in Git or Helm repositories, we can set up webhooks and trigger a cluster reconciliation every time a source changes. For more detail, please <a href="https://fluxcd.io/docs/guides/webhook-receivers/">see</a>.</li> </ul> <p>There are different kinds of webhook receivers in <code>Flux (version 2)</code>, but we'll use the <code>generic</code> one in this guide.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-golang" data-lang="golang"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">const</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>GenericReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;generic&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>GenericHMACReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;generic-hmac&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>GitHubReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;github&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>GitLabReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;gitlab&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>BitbucketReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;bitbucket&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>HarborReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;harbor&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>DockerHubReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;dockerhub&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>QuayReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;quay&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>GCRReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;gcr&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>NexusReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;nexus&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ACRReceiver<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#b44">&#34;acr&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>)<span style="color:#bbb"> </span></span></span></code></pre></div><p>Let us to create a <code>Receiver</code>, to do that we have to a couple of things again:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#b8860b">TOKEN</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>head -c <span style="color:#666">12</span> /dev/urandom | sha256sum | cut -d <span style="color:#b44">&#39; &#39;</span> -f1<span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>$ <span style="color:#a2f">echo</span> <span style="color:#b8860b">$TOKEN</span> </span></span><span style="display:flex;"><span>0babd54d2b64d6d6fcd10a663cb6195773e968ba6642ca8c1a8a54df7b52efd0 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ kubectl -n flux-system create secret generic webhook-token <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--from-literal<span style="color:#666">=</span><span style="color:#b8860b">token</span><span style="color:#666">=</span><span style="color:#b8860b">$TOKEN</span> </span></span><span style="display:flex;"><span>secret/webhook-token created </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ cat <span style="color:#b44">&lt;&lt; EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: notification.toolkit.fluxcd.io/v1beta1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: Receiver </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: generic-receiver </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: flux-system </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> type: generic </span></span></span><span style="display:flex;"><span><span style="color:#b44"> secretRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: webhook-token </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiVersion: source.toolkit.fluxcd.io/v1beta1 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kind: GitRepository </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: alpine </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: flux-system </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span><span style="display:flex;"><span>receiver.notification.toolkit.fluxcd.io/generic-receiver created </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ cat <span style="color:#b44">&lt;&lt; EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: Service </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: receiver </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: flux-system </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> type: ClusterIP </span></span></span><span style="display:flex;"><span><span style="color:#b44"> selector: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> app: notification-controller </span></span></span><span style="display:flex;"><span><span style="color:#b44"> ports: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: http </span></span></span><span style="display:flex;"><span><span style="color:#b44"> port: 80 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> protocol: TCP </span></span></span><span style="display:flex;"><span><span style="color:#b44"> targetPort: 9292 </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><p>This program is basically a CLI application and it uses the following <a href="https://github.com/developer-guy/falco-event-listener/blob/master/falcoeventlistener.yaml#L12">arguments as</a>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">args</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;--owner&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;developer-guy&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># this is the owner of the desired state repository</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;--repository&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;desired-state-repository&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># this is the repository which we store desired state configurations</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;--file&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;alpine.yaml&#34;</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># this is the file that we are going to update</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;--github-token&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;$(GITHUB_TOKEN)&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;--notify-url&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#b44">&#34;http://receiver.flux-system/$(WEBHOOK_URL)&#34;</span><span style="color:#bbb"> </span></span></span></code></pre></div><p>Let us run our project on the Kubernetes cluster. To do that, we'll be using the <code>ko tool.</code> <code>ko,</code> created by Google, is a simple, fast container image builder for Go applications. For more information, see the <a href="https://github.com/google/ko">official repository</a> of the project.</p> <p>We'll use <code>Container Registry</code> as an image repository service provided by the Google Cloud to store, manage, and secure our container images. Alternatively, we could also use <code>DockerHub,</code> <code>quay.io,</code> and so on.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">WEBHOOK_URL</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>kubectl get receivers -n flux-system generic-receiver -ojsonpath<span style="color:#666">=</span><span style="color:#b44">&#39;{.status.url}&#39;</span><span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">PROJECT_ID</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>gcloud config get-value project<span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">KO_DOCKER_REPO</span><span style="color:#666">=</span>gcr.io/<span style="color:#b8860b">$PROJECT_ID</span> </span></span><span style="display:flex;"><span>envsubst &lt; falcoeventlistener.yaml | ko apply -f - </span></span></code></pre></div><blockquote> <p>If you are using a private container registry, don't forget to create a registry secret to pull and push images. You can follow the following guide to achieve this: <br> <a href="https://colinwilson.uk/2020/07/09/using-google-container-registry-with-kubernetes/">https://colinwilson.uk/2020/07/09/using-google-container-registry-with-kubernetes/</a></p> </blockquote> <p>If everything works as expected, we should see an output as given below:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace falco </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-event-listener 1/1 Running <span style="color:#666">0</span> 59s </span></span></code></pre></div><p>The last step we have to do is installing <code>Falco</code> and <code>Falcosidekick</code> with configuring <code>Falcodekick</code> to forward events to our application.</p> <h3 id="installing-falco-and-falcosidekick">Installing Falco and Falcosidekick</h3> <p>For an up-to-date and detailed guide to installing Falco and Falcosidekick, see <a href="https://github.com/falcosecurity/charts/blob/master/falcosidekick/README.md#installing-the-chart">falcosidekick</a>).</p> <p>Let us enable <code>CloudEvents</code> support of <code>Falcosidekick.</code></p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span><span style="display:flex;"><span>helm repo update </span></span><span style="display:flex;"><span>helm upgrade --install falco falcosecurity/falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --namespace falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --set falcosidekick.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --set falcosidekick.webui.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --set falcosidekick.config.cloudevents.address<span style="color:#666">=</span>http://falco-event-listener </span></span></code></pre></div><p>Verify that everything is working as expected:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace falco </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-event-listener 1/1 Running <span style="color:#666">0</span> 5m19s </span></span><span style="display:flex;"><span>falco-falcosidekick-5854669c76-ddvrv 1/1 Running <span style="color:#666">0</span> 2m16s </span></span><span style="display:flex;"><span>falco-falcosidekick-5854669c76-rdlqn 1/1 Running <span style="color:#666">0</span> 2m16s </span></span><span style="display:flex;"><span>falco-falcosidekick-ui-7c5fc8dd54-q4qh9 1/1 Running <span style="color:#666">0</span> 2m16s </span></span><span style="display:flex;"><span>falco-vkl4f 1/1 Running <span style="color:#666">0</span> 2m16s </span></span></code></pre></div><h2 id="test">Test</h2> <p>To test this, we have to connect a shell within the container.</p> <p>Let's list the pods that we already have.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine-deployment-77789455d6-m7flp 1/1 Running <span style="color:#666">15</span> 3h6m </span></span><span style="display:flex;"><span>alpine-deployment-77789455d6-v7fkw 1/1 Running <span style="color:#666">15</span> 3h6m </span></span><span style="display:flex;"><span>podinfo-6df788c7b8-gs5qb 1/1 Running <span style="color:#666">0</span> 3h28m </span></span><span style="display:flex;"><span>podinfo-6df788c7b8-sfxvd 1/1 Running <span style="color:#666">0</span> 3h28m </span></span></code></pre></div><p>Now, run the following command to connect a shell.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl <span style="color:#a2f">exec</span> -ti alpine-deployment-77789455d6-m7flp -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span>19:35:58 up 3:04, load average: 3.12, 1.91, 1.22 </span></span></code></pre></div><p>Once you run the command above, <code>Falco</code> will detect that malicious behavior and send it to the Falcosidekick via HTTP.</p> <p>You should see an output in the <code>Falco</code> logs as given below:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#666">{</span><span style="color:#b44">&#34;output&#34;</span>:<span style="color:#b44">&#34;19:35:58.532086161: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=alpine-deployment-77789455d6-m7flp container=788861c3cf83 shell=sh parent=runc cmdline=sh -c uptime terminal=34816 container_id=788861c3cf83 image=alpine) k8s.ns=default k8s.pod=alpine-deployment-77789455d6-m7flp container=788861c3cf83&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span>:<span style="color:#b44">&#34;Notice&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span>:<span style="color:#b44">&#34;Terminal shell in container&#34;</span>,<span style="color:#b44">&#34;time&#34;</span>:<span style="color:#b44">&#34;2021-06-13T19:35:58.532086161Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span>: <span style="color:#666">{</span><span style="color:#b44">&#34;container.id&#34;</span>:<span style="color:#b44">&#34;788861c3cf83&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;evt.time&#34;</span>:1623612958532086161,<span style="color:#b44">&#34;k8s.ns.name&#34;</span>:<span style="color:#b44">&#34;default&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span>:<span style="color:#b44">&#34;alpine-deployment-77789455d6-m7flp&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span>:<span style="color:#b44">&#34;sh -c uptime&#34;</span>,<span style="color:#b44">&#34;proc.name&#34;</span>:<span style="color:#b44">&#34;sh&#34;</span>,<span style="color:#b44">&#34;proc.pname&#34;</span>:<span style="color:#b44">&#34;runc&#34;</span>,<span style="color:#b44">&#34;proc.tty&#34;</span>:34816,<span style="color:#b44">&#34;user.loginuid&#34;</span>:-1,<span style="color:#b44">&#34;user.name&#34;</span>:<span style="color:#b44">&#34;root&#34;</span><span style="color:#666">}}</span> </span></span></code></pre></div><p>and the similar output below in the <code>Falcosidekick</code> logs:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>falco-falcosidekick-5854669c76-ddvrv falcosidekick 2021/06/13 19:51:45 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : CloudEvents - Send OK </span></span></code></pre></div><p>and the similar output below in the <code>falco-event-listener</code> logs:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>falco-event-listener falco-event-listener 2021/06/13 19:35:59 resp.Status<span style="color:#666">=</span><span style="color:#666">200</span> OK </span></span><span style="display:flex;"><span>falco-event-listener falco-event-listener 2021/06/13 19:35:59 resp.StatusCode<span style="color:#666">=</span><span style="color:#666">200</span> </span></span><span style="display:flex;"><span>falco-event-listener falco-event-listener 2021/06/13 19:35:59 <span style="color:#666">[</span>Terminal shell in container<span style="color:#666">]</span> scaled down to zero alpine-deployment-77789455d6-m7flp from default because 19:35:58.532086161: Notice A shell was spawned in a container with an attached terminal <span style="color:#666">(</span><span style="color:#b8860b">user</span><span style="color:#666">=</span>root <span style="color:#b8860b">user_loginuid</span><span style="color:#666">=</span>-1 k8s.ns<span style="color:#666">=</span>default k8s.pod<span style="color:#666">=</span>alpine-deployment-77789455d6-m7flp <span style="color:#b8860b">container</span><span style="color:#666">=</span>788861c3cf83 <span style="color:#b8860b">shell</span><span style="color:#666">=</span>sh <span style="color:#b8860b">parent</span><span style="color:#666">=</span>runc <span style="color:#b8860b">cmdline</span><span style="color:#666">=</span>sh -c uptime <span style="color:#b8860b">terminal</span><span style="color:#666">=</span><span style="color:#666">34816</span> <span style="color:#b8860b">container_id</span><span style="color:#666">=</span>788861c3cf83 <span style="color:#b8860b">image</span><span style="color:#666">=</span>alpine<span style="color:#666">)</span> k8s.ns<span style="color:#666">=</span>default k8s.pod<span style="color:#666">=</span>alpine-deployment-77789455d6-m7flp <span style="color:#b8860b">container</span><span style="color:#666">=</span>788861c3cf83 </span></span></code></pre></div><p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/kre_flux_v2_gitops_test_result.png" alt="kre_flux_v2_gitops_test_result" loading="lazy" /> </p> <p>You should also notice that a new commit is available in the <code>desired-state-repository</code> as given below:</p> <p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/kre_flux_v2_gitops_update_desired_state_repository.png" alt="kre_flux_v2_gitops_update_desired_state_repository" loading="lazy" /> </p> <p>After the commit, <code>Flux (version 2)</code> will detect the change and sync the current state of the cluster with the desired state in the GitHub repository so that <code>Flux (version 2)</code> will terminate the alpine deployment pods.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods -l <span style="color:#b8860b">app</span><span style="color:#666">=</span>alpine </span></span><span style="display:flex;"><span>No resources found in default namespace. </span></span></code></pre></div>Blog: Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functionshttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/Tue, 29 Jun 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> </ul> </blockquote> <hr> <p>Earlier in this series, we have seen how to use Argo, Tekton, and Knative to trigger a resource after getting input from Falcosidekick. Recently, Falcosidekick received a new output type support for <a href="https://github.com/falcosecurity/falcosidekick/pull/241">Cloud Functions</a>.</p> <p>In this part, let us learn how we can use Falcosidekick and Cloud Functions to detect and delete a compromised pod.</p> <p>We will not go through what Cloud Functions is in-depth, however, you can always find a good overview about it in the <a href="https://cloud.google.com/functions">official documentation</a>.</p> <p>Here is the high-level overview architecture that shows what we want to achieve at the end of the day:</p> <p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/cloud_functions_reference_arch.png" alt="cloud_functions_reference_arch" loading="lazy" /> </p> <p>You can find all the related code and resources in <a href="https://github.com/Dentrax/k8s-response-engine-gke-functions">this repository</a>.</p> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>gcloud 342.0.0</li> <li>kubectl 1.20.5</li> </ul> <h2 id="tutorial">Tutorial</h2> <h3 id="provision-google-kubernetes-engine-gke-cluster">Provision Google Kubernetes Engine (GKE) Cluster</h3> <p>As the blog title said already, we need to create a <a href="https://cloud.google.com/kubernetes-engine">GKE cluster</a> with workload identity enabled:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>gcloud config get-value project<span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>$ <span style="color:#b8860b">CLUSTER_NAME</span><span style="color:#666">=</span>falco-falcosidekick-demo </span></span><span style="display:flex;"><span>$ gcloud container clusters create <span style="color:#b8860b">$CLUSTER_NAME</span> --workload-pool <span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span>.svc.id.goog </span></span><span style="display:flex;"><span>$ gcloud container clusters get-credentials <span style="color:#b8860b">$CLUSTER_NAME</span> </span></span></code></pre></div><h3 id="configure-iam-service-accounts">Configure IAM Service Accounts</h3> <p>We need to create a new <a href="https://cloud.google.com/iam/docs/service-accounts">Service Account</a> for target <code>$GOOGLE_PROJECT_ID</code> using IAM Binding <a href="https://cloud.google.com/iam/docs/policies">policies</a> to get access our Cloud Function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#b8860b">SA_ACCOUNT</span><span style="color:#666">=</span>falco-falcosidekick-sa </span></span><span style="display:flex;"><span>$ gcloud iam service-accounts create <span style="color:#b8860b">$SA_ACCOUNT</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ gcloud projects add-iam-policy-binding <span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--member<span style="color:#666">=</span><span style="color:#b44">&#34;serviceAccount:</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">SA_ACCOUNT</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">@</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">.iam.gserviceaccount.com&#34;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--role<span style="color:#666">=</span><span style="color:#b44">&#34;roles/cloudfunctions.developer&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ gcloud projects add-iam-policy-binding <span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--member<span style="color:#666">=</span><span style="color:#b44">&#34;serviceAccount:</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">SA_ACCOUNT</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">@</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">.iam.gserviceaccount.com&#34;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--role<span style="color:#666">=</span><span style="color:#b44">&#34;roles/cloudfunctions.invoker&#34;</span> </span></span></code></pre></div><p>In the beginning, we already enabled <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">WorkloadIdentity</a> feature for our GKE Cluster by setting <code>--workload-pool</code> flag. What we need to do here is to add a <code>iam.workloadIdentityUser</code> role for the given Service Account.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ gcloud iam service-accounts add-iam-policy-binding <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --role roles/iam.workloadIdentityUser <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --member <span style="color:#b44">&#34;serviceAccount:</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">.svc.id.goog[</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">FALCO_NAMESPACE</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">/falco-falcosidekick]&#34;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> <span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">SA_ACCOUNT</span><span style="color:#b68;font-weight:bold">}</span>@<span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span>.iam.gserviceaccount.com </span></span></code></pre></div><p>We need to <em>annotate</em> the <code>falco-falcosidekick</code> resource. So it can grant access for our Cluster. Set up the Falcosidekick SA to impersonate a GCP SA:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ kubectl annotate serviceaccount <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --namespace <span style="color:#b8860b">$FALCO_NAMESPACE</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> falco-falcosidekick <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> iam.gke.io/gcp-service-account<span style="color:#666">=</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">SA_ACCOUNT</span><span style="color:#b68;font-weight:bold">}</span>@<span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">GOOGLE_PROJECT_ID</span><span style="color:#b68;font-weight:bold">}</span>.iam.gserviceaccount.com </span></span></code></pre></div><h3 id="create-necessary-cluster-role">Create Necessary Cluster Role</h3> <p>To limit function role access in the particular cluster, ensure that only SA has limited permissions within a particular namespace by using <a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding">Role Bindings</a>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ kubectl create serviceaccount pod-destroyer </span></span><span style="display:flex;"><span>$ kubectl create clusterrole pod-destroyer </span></span><span style="display:flex;"><span> --verb<span style="color:#666">=</span>delete </span></span><span style="display:flex;"><span> --resource<span style="color:#666">=</span>pod <span style="color:#080;font-style:italic"># give only pod resource access for delete op </span> </span></span><span style="display:flex;"><span>$ kubectl create clusterrolebinding pod-destroyer </span></span><span style="display:flex;"><span> --clusterrole pod-destroyer </span></span><span style="display:flex;"><span> --serviceaccount default:pod-destroyer </span></span></code></pre></div><p>To obtain the Token from secret, we need to get <code>pod-deleter</code> ServiceAccount resource first:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ <span style="color:#b8860b">POD_DESTROYER_TOKEN</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>kubectl get secrets <span style="color:#a2f;font-weight:bold">$(</span>kubectl get serviceaccounts pod-deleter -o json <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> | jq -r <span style="color:#b44">&#39;.secrets[0].name&#39;</span><span style="color:#a2f;font-weight:bold">)</span> -o json <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> | jq -r <span style="color:#b44">&#39;.data.token&#39;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> | base64 -D<span style="color:#a2f;font-weight:bold">)</span> </span></span></code></pre></div><p>Add the <code>pod-destroyer</code> user to your <em>KUBECONFIG</em>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Generate your KUBECONFIG</span> </span></span><span style="display:flex;"><span>$ kubectl config view --minify --flatten &gt; kubeconfig_pod-destroyer.yaml </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Set the token at the end of yaml</span> </span></span><span style="display:flex;"><span>$ cat <span style="color:#b44">&lt;&lt; EOF &gt;&gt; kubeconfig_pod-destroyer.yaml </span></span></span><span style="display:flex;"><span><span style="color:#b44">users: </span></span></span><span style="display:flex;"><span><span style="color:#b44">- name: user.name </span></span></span><span style="display:flex;"><span><span style="color:#b44"> user: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> token: $POD_DE</span>STROYER_TOKEN </span></span></code></pre></div><p>We can test it with <a href="https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access">auth can-i</a> to check if roles are set correctly</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ kubectl auth can-i list deployments <span style="color:#080;font-style:italic"># no</span> </span></span><span style="display:flex;"><span>$ kubectl auth can-i delete pod <span style="color:#080;font-style:italic"># yes</span> </span></span><span style="display:flex;"><span>$ kubectl access-matrix <span style="color:#080;font-style:italic"># github.com/corneliusweig/rakkess</span> </span></span></code></pre></div><h3 id="create-secret-manager">Create Secret Manager</h3> <p>The main reason Secret Manager get involved our architecture is because we had to find a way out to initialize our <em>kubeclient</em> in our function by getting <code>pod-destroyer</code>'s <em>KUBECONFIG</em>.</p> <p>We need to create a new <em>secrets IAM policy</em> for the SA member to enable <a href="https://cloud.google.com/secret-manager/docs/managing-secrets">Managing Secrets</a>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ gcloud secrets add-iam-policy-binding pod-destroyer <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --role roles/secretmanager.secretAccessor <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --member serviceAccount:<span style="color:#b8860b">$SA_ACCOUNT</span>@<span style="color:#b8860b">$GOOLE_PROJECT_ID</span>.iam.gserviceaccount.com </span></span></code></pre></div><p>Create a new secret, called <code>pod-destroyer</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ gcloud secrets create pod-destroyer --replication-policy<span style="color:#666">=</span><span style="color:#b44">&#34;automatic&#34;</span> </span></span></code></pre></div><p>Push the our generated <code>kubeconfig_pod-destroyer.yaml</code> file as a new version:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ gcloud secrets versions add pod-destroyer --data-file<span style="color:#666">=</span>kubeconfig_pod-destroyer.yaml </span></span></code></pre></div><p>Finally, we are ready to deploy our Cloud Run function!</p> <h3 id="deploy-google-cloud-function">Deploy Google Cloud Function</h3> <p>In this demonstration our function will simply <em>delete the pwned Pod</em>, as we already pointed it out in the architecture diagram.</p> <ul> <li>The Go code</li> </ul> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-go" data-lang="go"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">package</span><span style="color:#bbb"> </span>kill_the_pwned_pod<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">import</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>secretmanager<span style="color:#bbb"> </span><span style="color:#b44">&#34;cloud.google.com/go/secretmanager/apiv1&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;context&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;encoding/json&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;fmt&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>secretmanagerpb<span style="color:#bbb"> </span><span style="color:#b44">&#34;google.golang.org/genproto/googleapis/cloud/secretmanager/v1&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;io/ioutil&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>metaV1<span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/apimachinery/pkg/apis/meta/v1&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/kubernetes&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/tools/clientcmd&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;net/http&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;os&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;time&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// Alert falco data structure</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">type</span><span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Output<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Priority<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;priority&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Rule<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;rule&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Time<span style="color:#bbb"> </span>time.Time<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>OutputFields<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerID<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.id&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageRepository<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.repository&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageTag<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.tag&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>EvtTime<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">int64</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;evt.time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>FdName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;fd.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SNsName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.ns.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SPodName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.pod.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ProcCmdline<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;proc.cmdline&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output_fields&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>op<span style="color:#bbb"> </span>Operation<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">type</span><span style="color:#bbb"> </span>Operation<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>clientSet<span style="color:#bbb"> </span><span style="color:#666">*</span>kubernetes.Clientset<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// init initializes new Kubernetes ClientSet with given config</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">init</span>()<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// The resource name of the KUBECONFIG_SECRET_NAME in the format</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// `projects/*/secrets/*/versions/*`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>resource<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>os.<span style="color:#00a000">Getenv</span>(<span style="color:#b44">&#34;KUBECONFIG_SECRET_NAME&#34;</span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span><span style="color:#a2f">len</span>(resource)<span style="color:#bbb"> </span><span style="color:#666">==</span><span style="color:#bbb"> </span><span style="color:#666">0</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;$KUBECONFIG_SECRET_NAME env variable did not set&#34;</span>))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>secret,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span><span style="color:#00a000">GetSecret</span>(resource)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;get secret: %q&#34;</span>,<span style="color:#bbb"> </span>err))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>kubeCfg,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>clientcmd.<span style="color:#00a000">NewClientConfigFromBytes</span>(secret)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;new client config: %q&#34;</span>,<span style="color:#bbb"> </span>err))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>restCfg,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>kubeCfg.<span style="color:#00a000">ClientConfig</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;client config: %q&#34;</span>,<span style="color:#bbb"> </span>err))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>cs,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>kubernetes.<span style="color:#00a000">NewForConfig</span>(restCfg)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;unable to initialize config: %q&#34;</span>,<span style="color:#bbb"> </span>err))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>op<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>Operation{clientSet:<span style="color:#bbb"> </span>cs}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// KillThePwnedPod will executed for each Falco event</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">KillThePwnedPod</span>(w<span style="color:#bbb"> </span>http.ResponseWriter,<span style="color:#bbb"> </span>r<span style="color:#bbb"> </span><span style="color:#666">*</span>http.Request)<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>body,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>ioutil.<span style="color:#00a000">ReadAll</span>(r.Body)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>http.<span style="color:#00a000">Error</span>(w,<span style="color:#bbb"> </span><span style="color:#b44">&#34;cannot read body&#34;</span>,<span style="color:#bbb"> </span>http.StatusBadRequest)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>event<span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>json.<span style="color:#00a000">Unmarshal</span>(body,<span style="color:#bbb"> </span><span style="color:#666">&amp;</span>event)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>http.<span style="color:#00a000">Error</span>(w,<span style="color:#bbb"> </span><span style="color:#b44">&#34;cannot parse body&#34;</span>,<span style="color:#bbb"> </span>http.StatusBadRequest)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>op.<span style="color:#00a000">PodDestroy</span>(event.OutputFields.K8SPodName,<span style="color:#bbb"> </span>event.OutputFields.K8SNsName)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>http.<span style="color:#00a000">Error</span>(w,<span style="color:#bbb"> </span>fmt.<span style="color:#00a000">Sprintf</span>(<span style="color:#b44">&#34;cannot delete pod: %q&#34;</span>,<span style="color:#bbb"> </span>err),<span style="color:#bbb"> </span>http.StatusInternalServerError)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>w.<span style="color:#00a000">WriteHeader</span>(http.StatusOK)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// PodDestroy destroys the given pod name in the given namespace</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span>(d<span style="color:#bbb"> </span><span style="color:#666">*</span>Operation)<span style="color:#bbb"> </span><span style="color:#00a000">PodDestroy</span>(name,<span style="color:#bbb"> </span>namespace<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span>)<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">error</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>d.clientSet.<span style="color:#00a000">CoreV1</span>().<span style="color:#00a000">Pods</span>(namespace).<span style="color:#00a000">Delete</span>(context.<span style="color:#00a000">TODO</span>(),<span style="color:#bbb"> </span>name,<span style="color:#bbb"> </span>metaV1.DeleteOptions{})<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span>fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;unable to delete pod %s: %q&#34;</span>,<span style="color:#bbb"> </span>name,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// GetSecret returns the secret data.</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">GetSecret</span>(name<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span>)<span style="color:#bbb"> </span>([]<span style="color:#0b0;font-weight:bold">byte</span>,<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">error</span>)<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ctx<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>context.<span style="color:#00a000">Background</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>client,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>secretmanager.<span style="color:#00a000">NewClient</span>(ctx)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span>,<span style="color:#bbb"> </span>fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;failed to create secretmanager client: %v&#34;</span>,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">defer</span><span style="color:#bbb"> </span>client.<span style="color:#00a000">Close</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>result,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>client.<span style="color:#00a000">AccessSecretVersion</span>(ctx,<span style="color:#bbb"> </span><span style="color:#666">&amp;</span>secretmanagerpb.AccessSecretVersionRequest{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Name:<span style="color:#bbb"> </span>name,<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>})<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span>,<span style="color:#bbb"> </span>fmt.<span style="color:#00a000">Errorf</span>(<span style="color:#b44">&#34;failed to access secret version: %v&#34;</span>,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span>result.Payload.Data,<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span></code></pre></div><p>If you rather see it in <a href="https://github.com/Dentrax/k8s-response-engine-gke-functions.git">GitHub</a>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ git clone https://github.com/Dentrax/k8s-response-engine-gke-functions.git </span></span><span style="display:flex;"><span>$ <span style="color:#a2f">cd</span> kubernetes-response-engine-based-on-gke-and-gcloudfunctions </span></span><span style="display:flex;"><span>... </span></span></code></pre></div><p>We need to pass extra <code>--service-account</code> flag in order to get access to Secret Manager.</p> <p>Deploy the function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#b8860b">FUNCTION_NAME</span><span style="color:#666">=</span>KillThePwnedPod </span></span><span style="display:flex;"><span>$ gcloud functions deploy <span style="color:#b8860b">$FUNCTION_NAME</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--runtime go113 --trigger-http <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--service-account <span style="color:#b8860b">$SA_ACCOUNT</span>@<span style="color:#b8860b">$GOOLE_PROJECT_ID</span>.iam.gserviceaccount.com </span></span><span style="display:flex;"><span>Allow unauthenticated invocations of new <span style="color:#a2f;font-weight:bold">function</span> <span style="color:#666">[</span>KillThePwnedPod<span style="color:#666">]</span>? <span style="color:#666">(</span>y/N<span style="color:#666">)</span>? N </span></span><span style="display:flex;"><span>... </span></span></code></pre></div><p>Now, get the name of the function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#b8860b">CLOUD_FUNCTION_NAME</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>gcloud functions describe --format<span style="color:#666">=</span>json <span style="color:#b8860b">$FUNCTION_NAME</span> | jq -r <span style="color:#b44">&#39;.name&#39;</span><span style="color:#a2f;font-weight:bold">)</span> </span></span></code></pre></div><h3 id="install-falco-falcosidekick">Install Falco + Falcosidekick</h3> <p>It is time to install <code>Falco</code>, <code>Falcosidekick</code> with <code>Cloud Function</code> output type enabled:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#a2f">export</span> <span style="color:#b8860b">FALCO_NAMESPACE</span><span style="color:#666">=</span>falco </span></span><span style="display:flex;"><span>$ kubectl create namespace <span style="color:#b8860b">$FALCO_NAMESPACE</span> </span></span><span style="display:flex;"><span>$ helm upgrade --install falco falcosecurity/falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--namespace <span style="color:#b8860b">$FALCO_NAMESPACE</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set ebpf.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.config.gcp.cloudfunctions.name<span style="color:#666">=</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">CLOUD_FUNCTION_NAME</span><span style="color:#b68;font-weight:bold">}</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.webui.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> </span></span></code></pre></div><h3 id="test">Test</h3> <p>Try to run a busybox image and execute a command:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl run busybox --image<span style="color:#666">=</span>busybox --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span></code></pre></div><p>Try to exec into:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl <span style="color:#a2f">exec</span> -it busybox -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span></code></pre></div><p>We can check the logs of the <code>Falco</code>, and <code>Falcosidekick</code> to see what happened:</p> <p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/cloud_function_output.png" alt="cloud_function_output" loading="lazy" /> </p> <p>For <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs deployment/falco-falcosidekick --namespace falco </span></span><span style="display:flex;"><span>2021/06/14 21:01:24 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : GCPCloudFunctions - Call Cloud Function OK </span></span><span style="display:flex;"><span>.. </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>We got another way to create a Response Engine with amazing pieces of software from Open Source world. Of course, it's just the beginning, feel free to share your functions and workflows with the community for starting the creation of a true library of remediation methods.</p> <hr> <p>If you would like to find out more about Falco:</p> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falco">Falco project in GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Kubernetes Response Engine, Part 6: Falcosidekick + Cloud Runhttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/Fri, 25 Jun 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functions</a></li> </ul> </blockquote> <hr> <p>Recently, we added two new output-type support to Falcosidekick, and they are Cloud Functions, and Cloud Run. This blog post will discuss how to set up Kubernetes Response Engine on GKE (Google Kubernetes Engine) by using Cloud Run.</p> <p>Let's start by explaining a little bit about Cloud Run. <code>Cloud Run</code> is a managed compute platform that enables you to run containers that are invocable via requests or events. <code>Cloud Run</code> is serverless: it abstracts away all infrastructure management, so you can focus on what matters most β€” building great applications.</p> <p>For more information, see <a href="https://cloud.google.com/run/docs">Cloud Run</a>.</p> <p>Given below is a reference architecture of what's being explained in this blog.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/cloud_run_reference_arch.png" alt="cloud_run_reference_arch" loading="lazy" /> </p> <p>This demo might be useful for Google Cloud users who might already be using GKE with <code>Falco</code> to protect container runtime against malicious behaviors, and wants to take any action for them with <code>Cloud Run</code>.</p> <!-- START doctoc generated TOC please keep comment here to allow auto update --> <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --> <p><strong>Table of Contents</strong></p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/#prerequisites">Prerequisites</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/#tutorial">Tutorial</a> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/#provision-gke-google-kubernetes-engine-cluster">Provision GKE (Google Kubernetes Engine) Cluster</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/#deploy-cloud-run-function">Deploy Cloud Run Function</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/#install-falco--falcosidekick">Install Falco + Falcosidekick</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/#test">Test</a></li> </ul> </li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/#conclusion">Conclusion</a></li> </ul> <!-- END doctoc generated TOC please keep comment here to allow auto update --> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>gcloud 342.0.0</li> <li>ko 0.8.3</li> </ul> <h2 id="tutorial">Tutorial</h2> <h3 id="provision-gke-google-kubernetes-engine-cluster">Provision GKE (Google Kubernetes Engine) Cluster</h3> <p>First, let us create a GKE cluster.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#b8860b">GKE_CLUSTER_NAME</span><span style="color:#666">=</span>cloud-run-demo </span></span><span style="display:flex;"><span>$ gcloud container clusters create <span style="color:#b8860b">$GKE_CLUSTER_NAME</span> </span></span></code></pre></div><p>To learn more about the setup GKE Cluster, see <a href="https://cloud.google.com/kubernetes-engine/docs/quickstart#create_cluster">quickstart guide</a>.</p> <h3 id="deploy-cloud-run-function">Deploy Cloud Run Function</h3> <p>Once GKE is set up, we are ready to deploy Cloud Run. But before doing that, let us examine the responsibility of the Cloud Run function. As you can see in the reference architecture, this function will delete the pwned pods. To be able to do that, Cloud Run should be given appropriate permissions.</p> <p>There are two approaches to obtain these permissions.</p> <ul> <li>The first approach is creating a Kubernetes Service Account, an appropriate Role with granted permissions to delete pod resource, and a RoleBinding to bind Role to Service Account. Then create the kubeconfig file, package it up with the function code while deploying the Cloud Run function, and use this file to create a Kubernetes client.</li> </ul> <p>To learn more about the kubeconfig files, see <a href="https://ahmet.im/blog/mastering-kubeconfig/">kubeconfig</a>.</p> <ul> <li>The second approach is producing a valid ~/.kube/config with a library called google.golang.org/api/ within the function code. We are doing this because the representation of the valid ~/.kube/config file is <a href="https://pkg.go.dev/k8s.io/client-go@v0.21.1/tools/clientcmd/api#Config">clientcmd/api/Config</a> in Go.</li> </ul> <p>We'll go with the second approach in this demo. Thanks to Scott Blum and his detailed <a href="https://bionic.fullstory.com/connect-to-google-kubernetes-with-gcp-credentials-and-pure-golang/">blog post</a> on this topic. I highly recommend that you check that out.</p> <p>Let's deploy the function. If you want to take a look at the function code, see the <a href="#ZgotmplZ">repository</a>.</p> <p>Note that we're going to use the ko tool to build and push our container image which is created by Google. ko is a simple and fast container image builder for Go applications.</p> <p>To learn more, see the <a href="https://github.com/google/ko">official repository</a> of the project.</p> <p>We are also going to use Container Registry as an image repository service provided by the Google Cloud to store, manage, and secure your Docker container images. Alternatively, you can also use DockerHub, quay.io, etc.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ git clone https://github.com/developer-guy/kubernetes-response-engine-based-on-gke-and-cloud-run.git </span></span><span style="display:flex;"><span>$ <span style="color:#a2f">cd</span> kubernetes-response-engine-based-on-gke-and-cloud-run </span></span><span style="display:flex;"><span>$ <span style="color:#b8860b">GKE_CLUSTER_NAME</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>kubectl config view --minify -o <span style="color:#b8860b">jsonpath</span><span style="color:#666">=</span><span style="color:#b44">&#39;{.clusters[].name}{&#34;\n&#34;}&#39;</span><span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>$ <span style="color:#b8860b">PROJECT_ID</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>gcloud config get-value project<span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>$ <span style="color:#b8860b">FUNCTION_NAME</span><span style="color:#666">=</span>pod-deleter </span></span><span style="display:flex;"><span>$ <span style="color:#a2f">export</span> <span style="color:#b8860b">KO_DOCKER_REPO</span><span style="color:#666">=</span>gcr.io/<span style="color:#b8860b">$PROJECT_ID</span> <span style="color:#080;font-style:italic"># Please, change this variable if you are not using Container Registry.</span> </span></span><span style="display:flex;"><span>$ gcloud config <span style="color:#a2f">set</span> run/region us-west1 </span></span><span style="display:flex;"><span>$ gcloud config <span style="color:#a2f">set</span> run/platform managed </span></span><span style="display:flex;"><span>$ gcloud run deploy <span style="color:#b8860b">$FUNCTION_NAME</span> --image<span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>ko publish .<span style="color:#a2f;font-weight:bold">)</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --set-env-vars <span style="color:#b8860b">GKE_CLUSTER_NAME</span><span style="color:#666">=</span><span style="color:#b8860b">$GKE_CLUSTER_NAME</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --set-env-vars <span style="color:#b8860b">PROJECT_ID</span><span style="color:#666">=</span><span style="color:#b8860b">$PROJECT_ID</span> </span></span><span style="display:flex;"><span>... </span></span><span style="display:flex;"><span>Allow unauthenticated invocations to <span style="color:#666">[</span>pod-deleter<span style="color:#666">]</span> <span style="color:#666">(</span>y/N<span style="color:#666">)</span>? N </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Deploying container to Cloud Run service <span style="color:#666">[</span>pod-deleter<span style="color:#666">]</span> in project <span style="color:#666">[</span>developerguy-311909<span style="color:#666">]</span> region <span style="color:#666">[</span>us-west1<span style="color:#666">]</span> </span></span><span style="display:flex;"><span>βœ“ Deploying... Done. </span></span><span style="display:flex;"><span> βœ“ Creating Revision... </span></span><span style="display:flex;"><span> βœ“ Routing traffic... </span></span><span style="display:flex;"><span>Done. </span></span><span style="display:flex;"><span>Service <span style="color:#666">[</span>pod-deleter<span style="color:#666">]</span> revision <span style="color:#666">[</span>pod-deleter-00002-cej<span style="color:#666">]</span> has been deployed and is serving <span style="color:#666">100</span> percent of traffic. </span></span><span style="display:flex;"><span>Service URL: https://pod-deleter-uoz6q2wria-uw.a.run.app </span></span></code></pre></div><h3 id="install-falco-falcosidekick">Install Falco + Falcosidekick</h3> <p>Now, it is time to set up <code>Falco</code>, <code>Falcosidekick</code> with the <code>Cloud Run</code> output type enabled.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl create namespace falco </span></span><span style="display:flex;"><span>$ helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span><span style="display:flex;"><span>$ helm repo update </span></span><span style="display:flex;"><span>$ helm install falco falcosecurity/falco --namespace falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set ebpf.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.webui.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.config.gcp.cloudrun.endpoint<span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>gcloud run services list --format json | jq -r <span style="color:#b44">&#34;.[] | select(.metadata.name==\&#34;</span><span style="color:#b8860b">$FUNCTION_NAME</span><span style="color:#b44">\&#34;) | .status.address.url&#34;</span><span style="color:#a2f;font-weight:bold">)</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.config.gcp.cloudrun.jwt<span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>gcloud auth print-identity-token<span style="color:#a2f;font-weight:bold">)</span> </span></span></code></pre></div><p>Check the logs to see if <code>Cloud Run</code> output enabled for Falcosidekick.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs -f falco-falcosidekick-7cd7bc6859-2nd9t --namespace falco </span></span><span style="display:flex;"><span>falco-falcosidekick-7cd7bc6859-2nd9t falcosidekick 2021/06/07 16:03:14 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Enabled Outputs : <span style="color:#666">[</span>GCPCloudRun WebUI<span style="color:#666">]</span> </span></span><span style="display:flex;"><span>falco-falcosidekick-7cd7bc6859-2nd9t falcosidekick 2021/06/07 16:03:14 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Falco Sidekick is up and listening on :2801 </span></span><span style="display:flex;"><span>... </span></span></code></pre></div><p>If you see the GCPCloudRun in the list of enabled outputs, you can confirm that everything is working as expected πŸ‘.</p> <h3 id="test">Test</h3> <p>Let us start by creating a test pod:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl run alpine --namespace default --image<span style="color:#666">=</span>alpine --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span><span style="display:flex;"><span>pod/alpine created </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace default </span></span><span style="display:flex;"><span>AME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Running <span style="color:#666">0</span> 11s </span></span></code></pre></div><p>Let's run a <em>shell</em> command inside and see what happens:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl <span style="color:#a2f">exec</span> -i --tty alpine --namespace default -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span>19:27:21 up <span style="color:#666">50</span> min, load average: 0.11, 0.12, 0.11 </span></span></code></pre></div><p>As expected the command returned the output. However, the status of the pod we retrieved is Terminating as follows:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace default </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Terminating <span style="color:#666">0</span> 103s </span></span></code></pre></div><p>To investigate further, check the logs of the Cloud Run function from the Google Cloud Console:</p> <p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/cloud_run_function_outout.png" alt="cloud_run_function_output" loading="lazy" /> </p> <p>Let us check the logs of Falco and Falcosidekick to see what happened.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span> $ kubectl logs daemonset/falco --namespace falco </span></span><span style="display:flex;"><span>.. </span></span><span style="display:flex;"><span><span style="color:#666">{</span><span style="color:#b44">&#34;output&#34;</span>:<span style="color:#b44">&#34;19:27:21.002873265: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=alpine container=97c9868ea832 shell=sh parent=runc cmdline=sh -c uptime terminal=34816 container_id=97c9868ea832 image=alpine) k8s.ns=default k8s.pod=alpine container=97c9868ea832&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span>:<span style="color:#b44">&#34;Notice&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span>:<span style="color:#b44">&#34;Terminal shell in container&#34;</span>,<span style="color:#b44">&#34;time&#34;</span>:<span style="color:#b44">&#34;2021-04-10T19:27:21.002873265Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span>: <span style="color:#666">{</span><span style="color:#b44">&#34;container.id&#34;</span>:<span style="color:#b44">&#34;97c9868ea832&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;evt.time&#34;</span>:1618082841002873265,<span style="color:#b44">&#34;k8s.ns.name&#34;</span>:<span style="color:#b44">&#34;default&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span>:<span style="color:#b44">&#34;sh -c uptime&#34;</span>,<span style="color:#b44">&#34;proc.name&#34;</span>:<span style="color:#b44">&#34;sh&#34;</span>,<span style="color:#b44">&#34;proc.pname&#34;</span>:<span style="color:#b44">&#34;runc&#34;</span>,<span style="color:#b44">&#34;proc.tty&#34;</span>:34816,<span style="color:#b44">&#34;user.loginuid&#34;</span>:-1,<span style="color:#b44">&#34;user.name&#34;</span>:<span style="color:#b44">&#34;root&#34;</span><span style="color:#666">}}</span> </span></span><span style="display:flex;"><span>... </span></span></code></pre></div><p>For <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs deployment/falco-falcosidekick --namespace falco </span></span><span style="display:flex;"><span>2021/06/07 16:03:15 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : GCPCloudRun - Post OK <span style="color:#666">(</span>200<span style="color:#666">)</span> </span></span><span style="display:flex;"><span>2021/06/07 16:03:15 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : GCPCloudRun - Function Response : OK </span></span><span style="display:flex;"><span>.. </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>We got another way to create a Response Engine with amazing pieces of software from the Open Source world. Of course, it's just the beginning, feel free to share your functions and workflows with the community for creating a library of remediation methods.</p> <p>If you would like to find out more about Falco:</p> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falco">Falco project in GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Kubernetes Response Engine, Part 5: Falcosidekick + Argohttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/Sun, 23 May 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functions</a></li> </ul> </blockquote> <hr> <p>The Open Source ecosystem is very vibrant, there are many ways to create a Kubernetes Response Engine based on our dynamic duo, <code>Falco</code> + <code>Falcosidekick</code>. Today, we will use two components of the CNCF project <code>Argo</code>:</p> <ul> <li><a href="https://argoproj.github.io/projects/argo-events"><code>Argo Events</code></a>, will receive events from <code>Falcosidekick</code> and push into it event bus.</li> <li><a href="https://argoproj.github.io/projects/argo"><code>Argo Workflow</code></a>, will listen the event bus and then trigger the workflow if certain criteria are encountered.</li> </ul> <p>Like we did for previous examples with <code>Kubeless</code>, <code>OpenFaas</code> and <code>Knative</code>, we'll address the situation where a shell is spawned in a pod and we want to remediate that by deleting it.</p> <p>This is how we will set this up:</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ detect β”‚ β”‚ push β”‚ β”‚ β”‚ pwned pod β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Ί falco β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Ί falcosidekick β”œβ”€β”€β”€β”€β” β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β–²β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ notify β”‚ β”‚ β”‚ β”‚ delete β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ └──── deletion pod ◄─────────── argo workflow β”‚ β”‚ argo events β”‚ β”‚ β”‚ create β”‚ β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–²β”€β”€β”˜ β””β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ trigger β”‚ β”‚ push β”‚ β”‚ β”Œβ”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β” β”‚ bus β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ </code></pre><h2 id="requirements">Requirements</h2> <p>We require a <code>kubernetes</code> cluster running at least <code>1.17</code> release, <a href="https://helm.sh"><code>helm</code></a> and <code>kubectl</code> installed in your locale environment.</p> <h2 id="installation-of-argo-events">Installation of Argo Events</h2> <p>We simply follow the <a href="https://argoproj.github.io/argo-events/installation/">official documentation</a>.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl create namespace argo-events kubectl apply -n argo-events -f https://raw.githubusercontent.com/argoproj/argo-events/stable/manifests/install.yaml kubectl apply -n argo-events -f https://raw.githubusercontent.com/argoproj/argo-events/stable/manifests/install-validating-webhook.yaml kubectl apply -n argo-events -f https://raw.githubusercontent.com/argoproj/argo-events/stable/examples/eventbus/native.yaml </code></pre><h2 id="installation-of-argo-workflow">Installation of Argo Workflow</h2> <p>Again, the <a href="https://argoproj.github.io/argo-workflows/installation/">official documentation</a> will help us.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl create namespace argo kubectl apply -n argo -f https://raw.githubusercontent.com/argoproj/argo-workflows/stable/manifests/install.yaml kubectl patch -n argo cm workflow-controller-configmap -p &#39;{&#34;data&#34;: {&#34;containerRuntimeExecutor&#34;: &#34;pns&#34;}}&#39; </code></pre><p>The <code>kubectl patch</code> is there for allowing the workflows to run in <code>minikube</code>, <code>kind</code>, etc. See <a href="https://argoproj.github.io/argo-workflows/workflow-executors/">docs</a> about Workflow Executors to learn more about.</p> <p>After a while, you should have access to <code>Argo Workflow</code> UI through a dport-forward:</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl port-forward svc/argo-server -n argo 2746:2746 &amp; </code></pre><p>The link is <a href="https://localhost:2746">https://localhost:2746</a> (you can ignore the certificate error, we're in a lab πŸ˜‰).</p> <h2 id="creation-of-the-event-source">Creation of the Event Source</h2> <p>We'll use an <code>Event Source</code> with <code>Webhook</code> type. It will receive <code>Falco</code> events from <code>Falcosidekick</code> and push them then into the Event Bus.</p> <p>This component is pretty easy to understand. <code>Falcosidekick</code> will have to <strong>POST</strong> the events to an endpoint <strong>/falco</strong> of a service opened on port <strong>12000</strong>. <em>Easy</em>.</p> <pre tabindex="0"><code class="language-yaml+" data-lang="yaml+">cat &lt;&lt;EOF | kubectl apply -n argo-events -f - apiVersion: argoproj.io/v1alpha1 kind: EventSource metadata: name: webhook-falco namespace: argo-events spec: service: ports: - port: 12000 targetPort: 12000 webhook: # event-source can run multiple HTTP servers. Simply define a unique port to start a new HTTP server falco-event: # port to run HTTP server on port: &#34;12000&#34; # endpoint to listen to endpoint: /falco # HTTP request method to allow. In this case, only POST requests are accepted method: POST EOF </code></pre><p>As expected, we now have a new service which will listen events from <code>Falcosidekick</code> on port <strong>12000</strong> and endpoint <strong>/falco</strong>:</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl get svc -n argo-events NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE webhook-falco-eventsource-svc ClusterIP 10.43.117.26 &lt;none&gt; 12000/TCP 11m </code></pre><h2 id="creation-of-the-sensor">Creation of the Sensor</h2> <p>In <code>Argo Events</code> architecture, <code>Sensors</code> are responsible for listening to the Event Bus and triggering <em>something</em> should the criteria we set match. In our case, our <code>Sensor</code>:</p> <ul> <li>listen only events for pushed by <strong>webhook-falco</strong> <code>Event Source</code></li> <li>consider only events where the <strong>body</strong> (in JSON) contains the value <strong>Terminal shell in container</strong> for field with key <strong>rule</strong>, we want to match for only this <strong>Falco</strong> rule in one word.</li> <li>trigger a <strong>workflow</strong> based on a template with our event as input</li> </ul> <p>First, create the <strong>Service Account</strong> which allows our <code>Sensor</code> will.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">cat &lt;&lt;EOF | kubectl apply -n argo-events -f - apiVersion: v1 kind: ServiceAccount metadata: namespace: argo-events name: sensor-terminal-shell-container-sa --- # Similarly you can use a ClusterRole and ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: sensor-terminal-shell-container-role namespace: argo-events rules: - apiGroups: - argoproj.io verbs: - &#34;*&#34; resources: - workflows - workflowtemplates - cronworkflows - clusterworkflowtemplates --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: sensor-terminal-shell-container-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: sensor-terminal-shell-container-role subjects: - kind: ServiceAccount name: sensor-terminal-shell-container-sa namespace: argo-events EOF </code></pre><p>And now we deploy our <code>Sensor</code>.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">cat &lt;&lt;EOF | kubectl apply -n argo-events -f - apiVersion: argoproj.io/v1alpha1 kind: Sensor metadata: name: terminal-shell-container namespace: argo-events spec: template: serviceAccountName: sensor-terminal-shell-container-sa dependencies: - name: falco-event eventSourceName: webhook-falco eventName: falco-event filters: data: - path: body.rule type: string value: - &#34;Terminal shell in container&#34; triggers: - template: name: delete-pod-trigger argoWorkflow: group: argoproj.io version: v1alpha1 resource: workflows operation: submit parameters: - src: dependencyName: falco-event dest: spec.arguments.parameters.0.value source: resource: apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: generateName: delete-pod- namespace: argo spec: workflowTemplateRef: name: delete-pod-template arguments: parameters: - name: falco-event value: {} EOF </code></pre><h2 id="creation-of-the-workflow-template">Creation of the Workflow Template</h2> <p>There is one piece missing in our <code>Argo</code> stack, we mentioned a template above, we logically need to create it too, with the service account it needs.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">cat &lt;&lt;EOF | kubectl apply -n argo -f - apiVersion: v1 kind: ServiceAccount metadata: name: delete-pod-sa namespace: argo --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: delete-pod-sa-cluster-role rules: - apiGroups: [&#34;&#34;] resources: [&#34;pods&#34;] verbs: [&#34;get&#34;, &#34;list&#34;, &#34;delete&#34;, &#34;patch&#34;, &#34;watch&#34;] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: delete-pod-sa-cluster-role-binding roleRef: kind: ClusterRole name: delete-pod-sa-cluster-role apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: delete-pod-sa namespace: argo EOF </code></pre><pre tabindex="0"><code class="language-shell+" data-lang="shell+">cat &lt;&lt;EOF | kubectl apply -n argo -f - apiVersion: argoproj.io/v1alpha1 kind: WorkflowTemplate metadata: name: delete-pod-template namespace: argo spec: entrypoint: delete-pod serviceAccountName: delete-pod-sa arguments: parameters: - name: falco-event value: &#34;{}&#34; templates: - name: delete-pod inputs: parameters: - name: falco-event container: image: devopps/kubernetes-response-engine-based-on-event-driven-workflow@sha256:22ee203a33fe88f0f99968daebdcea0ca52c8a3d6f7af4c823ed78ac15b7c5db env: - name: BODY value: &#34;{{inputs.parameters.falco-event}}&#34; EOF </code></pre><p><code>Argo Workflow</code> runs all workflow steps inside their own pods, we'll use for this tutorial a <em>Golang</em> image developped by <a href="https://github.com/developer-guy">@developer-guy</a> (who wrote the <a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Part 2</a> of this series πŸ˜„), the sources are <a href="https://github.com/developer-guy/kubernetes-response-engine-based-on-event-driven-workflow/blob/master/main.go">there</a>.</p> <p>At this stage, everything is ready to receive events from <code>Falco</code> and protect our cluster. If you go in <code>Argo Workflow</code> UI you will find the architecture we described at beginning.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/argo-workflow-response-engine-event-flow.png" alt="Event Flow for our Response Engine" loading="lazy" /> </p> <h2 id="installation-of-falco-and-falcosidekick">Installation of Falco and Falcosidekick</h2> <p>Last but not least, it's time to install our beloved <code>Falco</code> and <code>Falcosidekick</code> and connect them to our shiny new Response Engine.</p> <p>As with other posts of this series we'll use <code>Helm</code> as conveniant installation method.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl create ns falco helm repo add falcosecurity https://falcosecurity.github.io/charts helm install falco falcosecurity/falco \ --namespace falco \ --set falcosidekick.enabled=true \ --set falcosidekick.config.webhook.address=http://webhook-falco-eventsource-svc.argo-events.svc.cluster.local:12000/falco </code></pre><p>Remember the service we &quot;mentioned&quot; earlier? This is it in its FQDN format as an endpoint.</p> <h2 id="test-our-response-engine">Test our Response Engine</h2> <p>Let's delete pwned pod !</p> <p>We'll simulate a <em>webshell</em> by executing a shell command into a running pod.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl run alpine -n default --image=alpine --restart=&#39;Never&#39; -- sh -c &#34;sleep 6000&#34; kubectl get pods -n default </code></pre><pre tabindex="0"><code class="language-shell+" data-lang="shell+">NAME READY STATUS RESTARTS AGE alpine 1/1 Running 0 8s </code></pre><p>Run a <em>shell</em> command inside.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl exec -i --tty alpine -n default -- sh -c &#34;uptime&#34; 22:03:23 up 44 min, load average: 0.07, 0.13, 0.19 </code></pre><p>If you're quick enough, you may see the termination of the pod.</p> <pre tabindex="0"><code class="language-shell+" data-lang="shell+">kubectl get pods -n default </code></pre><pre tabindex="0"><code class="language-shell+" data-lang="shell+">NAME READY STATUS RESTARTS AGE alpine 1/1 Terminating 0 8s </code></pre><p>And in <code>Argo Workflow</code> UI.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/argo-workflow-response-engine-deletion-1.png" alt="Deletion 1 for our Response Engine" loading="lazy" /> </p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/argo-workflow-response-engine-deletion-2.png" alt="Deletion 2 for our Response Engine" loading="lazy" /> </p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/argo-workflow-response-engine-deletion-3.png" alt="Deletion 3 for our Response Engine" loading="lazy" /> </p> <p>πŸ‘</p> <h2 id="go-a-little-further-with-argo">Go a little further with Argo</h2> <p>We can even go further by deploying all components with <code>Argo CD</code>, another project from <code>Argo</code> team. You can find out all you need in this <a href="https://github.com/Issif/argo-falco">repo</a>.</p> <p>Here a quick demo of the results with the exact same workflow we just created in this tutorial. <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"> <iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/X3GE3rHBFNM?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe> </div> </p> <h2 id="conclusion">Conclusion</h2> <p>We got another way to create a Response Engine with amazing pieces of software from Open Source world. Of course, it's just the beginning, feel free to share your functions and workflows with the community for starting the creation of a true library of remediation methods.</p> <hr> <p>If you would like to find out more about Falco:</p> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falco">Falco project in GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Kubernetes Response Engine, Part 4: Falcosidekick + Tektonhttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/Fri, 14 May 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functions</a></li> </ul> </blockquote> <hr> <h2 id="falcosidekick-tekton">Falcosidekick + Tekton</h2> <p>Earler in this series we have seen how to use <a href="https://kubeless.io/">Kubeless</a>, <a href="https://www.openfaas.com/">OpenFaas</a> and <a href="https://knative.dev/">Knative</a> to trigger a pod after getting input from falcosidekick to delete a compromised pod.</p> <p>In this part I will showcase how we can use <a href="https://tekton.dev">Tekton</a> and not have to add any extra complexity to your cluster by adding a serverless runtime.</p> <p>I won't go through how Tekton works in depth but, you can find a good overview in the <a href="https://tekton.dev/docs/overview/">official docs</a>. But here is the crash course:</p> <ul> <li>Tekton is built to be reusable.</li> <li>The smallest part of tekton is a <strong>step</strong>, a step can be something like this: <ul> <li>Run unit tests</li> <li>Run linting</li> </ul> </li> <li>In a <strong>task</strong> you can have multiple steps.</li> <li>A <strong>pipeline</strong> consist of one or multiple tasks.</li> <li>To trigger a pipeline to actually run you need a <strong>pipelinerun</strong> or a <strong>trigger-template</strong>.</li> </ul> <p>Tekton also supports eventlisteners that is used to listen for webhooks. Normally these webhooks listen for incoming changes to a git repo, for example a PR. But we will use it to listen for Falco events.</p> <p>You can find all the yaml and code in my <a href="https://github.com/NissesSenap/falcosidekick-tekton/tree/falco">repo</a>.</p> <h3 id="prerequisites">Prerequisites</h3> <p>As always within Kubernetes we need a few tools, I have used the following versions of Helm, Minikube and kubectl in my setup.</p> <ul> <li>Minikube v1.19.0</li> <li>Helm v3.4.2</li> <li>kubectl v1.20.5</li> </ul> <h3 id="provision-local-kubernetes-cluster">Provision local Kubernetes Cluster</h3> <p>I'm sure you can use a <a href="https://github.com/kubernetes-sigs/kind">kind</a> cluster as well to follow along, but falco complained a bit when I tried and I was too lazy to check out what extra flags I need so I went with minikube.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>minikube start --cpus <span style="color:#666">3</span> --memory <span style="color:#666">8192</span> --vm-driver virtualbox </span></span></code></pre></div><h3 id="install-tekton">Install Tekton</h3> <p>Install Tekton pipelines and triggers. When doing this in production I recommend the <a href="https://github.com/tektoncd/operator">Tekton operator</a> but for now let us use some pure yaml.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml </span></span><span style="display:flex;"><span>kubectl apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml </span></span></code></pre></div><p>Within a few seconds you should be able to see a few pods in the tekton-pipelines namespace.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n tekton-pipelines </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>tekton-pipelines-controller-6b94f5f96-cmf8m 1/1 Running <span style="color:#666">0</span> 1h </span></span><span style="display:flex;"><span>tekton-pipelines-webhook-5bfbbd6475-fmjp4 1/1 Running <span style="color:#666">0</span> 1h </span></span><span style="display:flex;"><span>tekton-triggers-controller-7cbd49fbb8-p4lrz 1/1 Running <span style="color:#666">0</span> 1h </span></span><span style="display:flex;"><span>tekton-triggers-webhook-748fb7778c-w6zxv 1/1 Running <span style="color:#666">0</span> 1h </span></span></code></pre></div><p>If you want a deeper understanding how Tekton triggers work check out the <a href="https://github.com/tektoncd/triggers/tree/v0.13.0/docs/getting-started">getting-started guide</a>.</p> <h3 id="install-falco-falcosidekick">Install Falco + Falcosidekick</h3> <p>Create the falco namespace and add the helm repo:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create namespace falco </span></span><span style="display:flex;"><span>helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span><span style="display:flex;"><span>helm repo update </span></span></code></pre></div><p>For simplicity and long term usability let us create a custom values file and start falco.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;&#39;EOF&#39; &gt;&gt; values.yaml </span></span></span><span style="display:flex;"><span><span style="color:#b44">falcosidekick: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> config: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> webhook: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> address: http://el-falco-listener.falcoresponse.svc.cluster.local:8080 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> enabled: true </span></span></span><span style="display:flex;"><span><span style="color:#b44"> </span></span></span><span style="display:flex;"><span><span style="color:#b44">customRules: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> # Applications which are expected to communicate with the Kubernetes API </span></span></span><span style="display:flex;"><span><span style="color:#b44"> rules_user_known_k8s_api_callers.yaml: |- </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - macro: user_known_contact_k8s_api_server_activities </span></span></span><span style="display:flex;"><span><span style="color:#b44"> condition: &gt; </span></span></span><span style="display:flex;"><span><span style="color:#b44"> (container.image.repository = &#34;gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/eventlistenersink&#34;) or </span></span></span><span style="display:flex;"><span><span style="color:#b44"> (container.image.repository = &#34;quay.io/nissessenap/poddeleter&#34;) </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Install falco</span> </span></span><span style="display:flex;"><span>helm upgrade --install falco falcosecurity/falco --namespace falco -f values.yaml </span></span></code></pre></div><blockquote> <p>Note the customRules and the webhook address.</p> </blockquote> <p>We haven't setup this webhook address nor is there currently any reason for us to have customRules for eventlistenersink or poddeleter, but it will come. Both the Tekton event listener and my poddeleter does a few kubernetes API calls and we don't want falco generate alarms for our own infrastructure.</p> <p>You should be able to see falco and falcosidekick pods in the falco namespace:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods --namespace falco </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-44p4v 1/1 Running <span style="color:#666">0</span> 64m </span></span><span style="display:flex;"><span>falco-falcosidekick-779b87f446-8zf9m 1/1 Running <span style="color:#666">0</span> 2h </span></span><span style="display:flex;"><span>falco-falcosidekick-779b87f446-fdk55 1/1 Running <span style="color:#666">0</span> 2h </span></span></code></pre></div><h3 id="protect-me-falco">Protect me Falco</h3> <p>My current setup is rather harsh and will delete any pods that breaks any falco rule. In the future I plan to make both the go code and the tekton setup better and more flexible, hopefully this is something that we can do in the community.</p> <p>During this demo I will use the <a href="https://github.com/falcosecurity/falco/blob/0d7068b048772b1e2d3ca5c86c30b3040eac57df/rules/falco_rules.yaml#L2063">Terminal Shell in container</a> since it's very easy to reproduce.</p> <p>So how does all this work?</p> <ul> <li>We start a random pod and perform a simple exec.</li> <li>Falco will notice that a pod have broken the rule</li> <li>Sends an event to Falcosidekick</li> <li>Sends a webhook to tekton event-listener</li> <li>Tekton triggers a new pipeline</li> <li>A task is started with a small go program that deletes the pod</li> </ul> <p>So let us look at some yaml.</p> <h4 id="the-go-code">The go code</h4> <p>I have adapted the code that Batuhan ApaydΔ±n wrote in <a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Falcosidekick + OpenFaas = a Kubernetes Response Engine, Part 2</a> to listen for json in an environment variable instead of a http request.</p> <p>Below you can see the code, in short it does the following:</p> <ul> <li>Check for environment variable BODY.</li> <li>Unmarshal the data according to the Alert struct.</li> <li>Setups a kubernetes client, by calling setupKubeClient function.</li> <li>Calls the deletePod with a kubernetes client, the falcoEvent we gotten and a hash map of critical Namespaces.</li> <li>Check in the event that we got from falcosidekick and see if the pod that triggered the event is in our critical namespaces hash map.</li> <li>If it is return to the main and shutdown the application.</li> <li>Else deletes the pod in the namespace specified in the falcosidekick event.</li> </ul> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-main.go" data-lang="main.go"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">package</span><span style="color:#bbb"> </span>main<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">import</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;context&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;encoding/json&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;log&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;os&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;time&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>metaV1<span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/apimachinery/pkg/apis/meta/v1&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/kubernetes&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/rest&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// Alert falco data structure</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">type</span><span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Output<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Priority<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;priority&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Rule<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;rule&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Time<span style="color:#bbb"> </span>time.Time<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>OutputFields<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerID<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.id&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageRepository<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.repository&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageTag<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.tag&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>EvtTime<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">int64</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;evt.time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>FdName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;fd.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SNsName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.ns.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SPodName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.pod.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ProcCmdline<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;proc.cmdline&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output_fields&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">main</span>()<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>criticalNamespaces<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">map</span>[<span style="color:#0b0;font-weight:bold">string</span>]<span style="color:#0b0;font-weight:bold">bool</span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;kube-system&#34;</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span>,<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;kube-public&#34;</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span>,<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;kube-node-lease&#34;</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span>,<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;falco&#34;</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span>,<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>falcoEvent<span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>bodyReq<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>os.<span style="color:#00a000">Getenv</span>(<span style="color:#b44">&#34;BODY&#34;</span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>bodyReq<span style="color:#bbb"> </span><span style="color:#666">==</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;&#34;</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Fatalf</span>(<span style="color:#b44">&#34;Need to get environment variable BODY&#34;</span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>bodyReqByte<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>[]<span style="color:#a2f">byte</span>(bodyReq)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>json.<span style="color:#00a000">Unmarshal</span>(bodyReqByte,<span style="color:#bbb"> </span><span style="color:#666">&amp;</span>falcoEvent)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Fatalf</span>(<span style="color:#b44">&#34;The data doesent match the struct %v&#34;</span>,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>kubeClient,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span><span style="color:#00a000">setupKubeClient</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Fatalf</span>(<span style="color:#b44">&#34;Unable to create in-cluster config: %v&#34;</span>,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#00a000">deletePod</span>(kubeClient,<span style="color:#bbb"> </span>falcoEvent,<span style="color:#bbb"> </span>criticalNamespaces)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Fatalf</span>(<span style="color:#b44">&#34;Unable to delete pod due to err %v&#34;</span>,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// setupKubeClient</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">setupKubeClient</span>()<span style="color:#bbb"> </span>(<span style="color:#666">*</span>kubernetes.Clientset,<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">error</span>)<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>config,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>rest.<span style="color:#00a000">InClusterConfig</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span>,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// creates the clientset</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>kubeClient,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>kubernetes.<span style="color:#00a000">NewForConfig</span>(config)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span>,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span>kubeClient,<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">// deletePod, if not part of the criticalNamespaces the pod will be deleted</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">deletePod</span>(kubeClient<span style="color:#bbb"> </span><span style="color:#666">*</span>kubernetes.Clientset,<span style="color:#bbb"> </span>falcoEvent<span style="color:#bbb"> </span>Alert,<span style="color:#bbb"> </span>criticalNamespaces<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">map</span>[<span style="color:#0b0;font-weight:bold">string</span>]<span style="color:#0b0;font-weight:bold">bool</span>)<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">error</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>podName<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>falcoEvent.OutputFields.K8SPodName<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>namespace<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>falcoEvent.OutputFields.K8SNsName<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;PodName: %v &amp; Namespace: %v&#34;</span>,<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>namespace)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;Rule: %v&#34;</span>,<span style="color:#bbb"> </span>falcoEvent.Rule)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>criticalNamespaces[namespace]<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;The pod %v won&#39;t be deleted due to it&#39;s part of the critical ns list: %v &#34;</span>,<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>namespace)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;Deleting pod %s from namespace %s&#34;</span>,<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>namespace)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>kubeClient.<span style="color:#00a000">CoreV1</span>().<span style="color:#00a000">Pods</span>(namespace).<span style="color:#00a000">Delete</span>(context.<span style="color:#00a000">Background</span>(),<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>metaV1.DeleteOptions{})<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span></code></pre></div><p>If you rather see it in <a href="https://raw.githubusercontent.com/NissesSenap/falcosidekick-tekton/falco/main.go">github</a>.</p> <p>Now that you know what I will make run in your cluster let us take a look at the Tekton yaml.</p> <h4 id="tekton-pipeline">Tekton pipeline</h4> <p>Create the falcoresponse namespace to do our tests in.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create ns falcoresponse </span></span></code></pre></div><h5 id="task">Task</h5> <p>So let us start with the smallest part, the task.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: tekton.dev/v1beta1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: Task </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> params: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: falco-event </span></span></span><span style="display:flex;"><span><span style="color:#b44"> description: The entire msg from falco </span></span></span><span style="display:flex;"><span><span style="color:#b44"> steps: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> image: quay.io/nissessenap/poddeleter@sha256:ae94ec2c9f005573e31e4944d1055a0dd92ee7594e7e7e36a4540a1811977270 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> env: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: BODY </span></span></span><span style="display:flex;"><span><span style="color:#b44"> value: \$(params.falco-event) </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><ul> <li>The task needs a input variable falco-event.</li> <li>The step called pod-delete uses the poddeleter image.</li> <li>Step pod-delete sets the environment BODY from the input parameter called falco-event.</li> </ul> <h5 id="pipeline">Pipeline</h5> <p>Here you can see the reusability of tekton. This pipeline can easily add more tasks and other pipelines can use the exact same task as this one.</p> <p>Just like the task this pipeline expects a parameter called falco-event which it sends in to the pod-delete task.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: tekton.dev/v1beta1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: Pipeline </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: pod-delete-pipeline </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> params: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: falco-event </span></span></span><span style="display:flex;"><span><span style="color:#b44"> description: The entire msg from falco </span></span></span><span style="display:flex;"><span><span style="color:#b44"> tasks: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: run-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> taskRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> params: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: falco-event </span></span></span><span style="display:flex;"><span><span style="color:#b44"> value: \$(params.falco-event) </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><h5 id="rbac">RBAC</h5> <p>We will be using two separate serviceAccounts, one for the event-listener and one for the poddeleter it self.</p> <p>So let us create these serviceAccounts and give them some access.</p> <p>Below you can find the event listener RBAC config.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-sa </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: Role </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-minimal </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">rules: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> # EventListeners need to be able to fetch all namespaced resources </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;triggers.tekton.dev&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> [&#34;eventlisteners&#34;, &#34;triggerbindings&#34;, &#34;triggertemplates&#34;, &#34;triggers&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;get&#34;, &#34;list&#34;, &#34;watch&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> # configmaps is needed for updating logging config </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;configmaps&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;get&#34;, &#34;list&#34;, &#34;watch&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> # Permissions to create resources in associated TriggerTemplates </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;tekton.dev&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;pipelineruns&#34;, &#34;pipelineresources&#34;, &#34;taskruns&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;create&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;serviceaccounts&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;impersonate&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;policy&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;podsecuritypolicies&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resourceNames: [&#34;tekton-triggers&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;use&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: RoleBinding </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-binding </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">subjects: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-sa </span></span></span><span style="display:flex;"><span><span style="color:#b44">roleRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> apiGroup: rbac.authorization.k8s.io </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kind: Role </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-minimal </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-clusterrole </span></span></span><span style="display:flex;"><span><span style="color:#b44">rules: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> # EventListeners need to be able to fetch any clustertriggerbindings </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;triggers.tekton.dev&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;clustertriggerbindings&#34;, &#34;clusterinterceptors&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;get&#34;, &#34;list&#34;, &#34;watch&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRoleBinding </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-clusterbinding </span></span></span><span style="display:flex;"><span><span style="color:#b44">subjects: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-sa </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">roleRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> apiGroup: rbac.authorization.k8s.io </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: tekton-triggers-example-clusterrole </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><p>And here is the poddeleter serviceAccount:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role </span></span></span><span style="display:flex;"><span><span style="color:#b44">rules: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;pods&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;get&#34;, &#34;list&#34;, &#34;delete&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRoleBinding </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role-binding </span></span></span><span style="display:flex;"><span><span style="color:#b44">roleRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role </span></span></span><span style="display:flex;"><span><span style="color:#b44"> apiGroup: rbac.authorization.k8s.io </span></span></span><span style="display:flex;"><span><span style="color:#b44">subjects: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><h5 id="event-listener">Event listener</h5> <p>Finally time to configure the tekton webhook receiver. Just like rest of Tekton the event listener builds on multiple parts.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: triggers.tekton.dev/v1alpha1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: EventListener </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-listener </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> serviceAccountName: tekton-triggers-example-sa </span></span></span><span style="display:flex;"><span><span style="color:#b44"> triggers: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: cel-trig </span></span></span><span style="display:flex;"><span><span style="color:#b44"> bindings: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - ref: falco-pod-delete-binding </span></span></span><span style="display:flex;"><span><span style="color:#b44"> template: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> ref: falco-pod-delete-trigger-template </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><p>It is possible to expose a event listener using a ingress, this is a rather normal use case if you want github to trigger a pipeline for example.</p> <blockquote> <p>I cannot stress this enough DO <strong>NOT</strong> MAKE THE EVENT LISTENER PUBLIC TO THE INTERNET. We haven't added any protection and this task have the power to kill pods in your cluster. Don't give a potential hacker this power!</p> </blockquote> <p>The event listener is rather complex and can do <a href="https://tekton.dev/docs/triggers/eventlisteners/">allot</a>. For example one way to improve this tekton pipeline could be to check for a specific Priority from Falco. This could be done with a <a href="https://tekton.dev/docs/triggers/eventlisteners/#cel-interceptors">cel interceptor</a> and filter on body.Priority.</p> <p>But for now let us just trigger on everything.</p> <p>The triggerBinding let us you define what data should be gathered from the incoming webhook. In this case I take the entire request body.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: triggers.tekton.dev/v1alpha1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: TriggerBinding </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-binding </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> params: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: falco-event </span></span></span><span style="display:flex;"><span><span style="color:#b44"> value: \$(body) </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><p>We use the TriggerTemplate to call on the pipeline that we defined earlier using the parameter that the TriggerBinding gives us.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: triggers.tekton.dev/v1alpha1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: TriggerTemplate </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-trigger-template </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: falcoresponse </span></span></span><span style="display:flex;"><span><span style="color:#b44"> annotations: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> triggers.tekton.dev/old-escape-quotes: &#34;true&#34; </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> params: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: falco-event </span></span></span><span style="display:flex;"><span><span style="color:#b44"> description: The entire msg from falco </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resourcetemplates: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiVersion: tekton.dev/v1beta1 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kind: PipelineRun </span></span></span><span style="display:flex;"><span><span style="color:#b44"> metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> generateName: falco-pod-delete-pipeline-run- </span></span></span><span style="display:flex;"><span><span style="color:#b44"> spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> serviceAccountName: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> pipelineRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: pod-delete-pipeline </span></span></span><span style="display:flex;"><span><span style="color:#b44"> params: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - name: falco-event </span></span></span><span style="display:flex;"><span><span style="color:#b44"> value: \$(tt.params.falco-event) </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><blockquote> <p>Notice the <a href="https://tekton.dev/docs/triggers/triggertemplates/#escaping-quoted-strings">annotations</a>, without it the pipeline will never get triggered.</p> </blockquote> <p>We define the serviceAccount to use in our pipeline/task, point to the pipeline that we should use. And what parameter to send down to the pipeline, notice the <strong>tt</strong> in front of parma. This is special syntax for TriggerBindings.</p> <p>The triggerTemplate was the final piece needed and you should see a pod spinning up in the falcoresponse namespace.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n falcoresponse </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>el-falco-listener-557786f598-zdmw2 1/1 Running <span style="color:#666">0</span> 2h </span></span></code></pre></div><h3 id="trigger-job">Trigger job</h3> <p>Finally it's time to test our setup.</p> <p>I would recommend that you start a second terminal for this part.</p> <p><strong>Terminal 1</strong> follow the falco logs:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl logs -f <span style="color:#a2f;font-weight:bold">$(</span>kubectl get pods -l <span style="color:#b8860b">app</span><span style="color:#666">=</span>falco -o <span style="color:#b8860b">jsonpath</span><span style="color:#666">=</span><span style="color:#b44">&#34;{.items[0].metadata.name}&#34;</span> -n falco<span style="color:#a2f;font-weight:bold">)</span> -n falco </span></span></code></pre></div><p><strong>Terminal 2</strong> let us trigger the Terminal Shell in container falco rule</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Start a alpine pod</span> </span></span><span style="display:flex;"><span>kubectl run alpine --namespace falcoresponse --image<span style="color:#666">=</span>alpine --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Trigger the rule breaking behavior</span> </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">exec</span> -i --tty alpine --namespace falcoresponse -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Watch for pods in falcoresponse namespace</span> </span></span><span style="display:flex;"><span>kubectl get pods -n falcoresponse -w </span></span></code></pre></div><p>In <strong>Terminal 1</strong> you should see something like this:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-txt" data-lang="txt"><span style="display:flex;"><span>* Setting up /usr/src links from host </span></span><span style="display:flex;"><span>* Running falco-driver-loader for: falco version=0.28.0, driver version=5c0b863ddade7a45568c0ac97d037422c9efb750 </span></span><span style="display:flex;"><span>* Running falco-driver-loader with: driver=module, compile=yes, download=yes </span></span><span style="display:flex;"><span>* Unloading falco module, if present </span></span><span style="display:flex;"><span>* Trying to load a system falco module, if present </span></span><span style="display:flex;"><span>* Success: falco module found and loaded with modprobe </span></span><span style="display:flex;"><span>Sun May 2 18:00:10 2021: Falco version 0.28.0 (driver version 5c0b863ddade7a45568c0ac97d037422c9efb750) </span></span><span style="display:flex;"><span>Sun May 2 18:00:10 2021: Falco initialized with configuration file /etc/falco/falco.yaml </span></span><span style="display:flex;"><span>Sun May 2 18:00:10 2021: Loading rules from file /etc/falco/falco_rules.yaml: </span></span><span style="display:flex;"><span>Sun May 2 18:00:10 2021: Loading rules from file /etc/falco/falco_rules.local.yaml: </span></span><span style="display:flex;"><span>Sun May 2 18:00:10 2021: Loading rules from file /etc/falco/rules.d/rules_user_known_k8s_api_callers.yaml: </span></span><span style="display:flex;"><span>Sun May 2 18:00:10 2021: Starting internal webserver, listening on port 8765 </span></span><span style="display:flex;"><span>{&#34;output&#34;:&#34;20:24:10.361728219: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=falcoresponse k8s.pod=alpine container=6ac7d190134e shell=sh parent=runc cmdline=sh -c uptime terminal=34816 container_id=6ac7d190134e image=alpine) k8s.ns=falcoresponse k8s.pod=alpine container=6ac7d190134e k8s.ns=falcoresponse k8s.pod=alpine container=6ac7d190134e&#34;,&#34;priority&#34;:&#34;Notice&#34;,&#34;rule&#34;:&#34;Terminal shell in container&#34;,&#34;time&#34;:&#34;2021-05-02T20:24:10.361728219Z&#34;, &#34;output_fields&#34;: {&#34;container.id&#34;:&#34;6ac7d190134e&#34;,&#34;container.image.repository&#34;:&#34;alpine&#34;,&#34;evt.time&#34;:1619987050361728219,&#34;k8s.ns.name&#34;:&#34;falcoresponse&#34;,&#34;k8s.pod.name&#34;:&#34;alpine&#34;,&#34;proc.cmdline&#34;:&#34;sh -c uptime&#34;,&#34;proc.name&#34;:&#34;sh&#34;,&#34;proc.pname&#34;:&#34;runc&#34;,&#34;proc.tty&#34;:34816,&#34;user.loginuid&#34;:-1,&#34;user.name&#34;:&#34;root&#34;}} </span></span></code></pre></div><p>In <strong>Terminal 2</strong> you should see a pod starting and hopefully Complete without any errors and the alpine pod getting killed.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 0/1 Terminating <span style="color:#666">0</span> 1m7s </span></span><span style="display:flex;"><span>el-falco-listener-557786f598-znzk9 1/1 Running <span style="color:#666">0</span> 10m </span></span><span style="display:flex;"><span>falco-pod-delete-pipeline-run-w2vf8-run-pod-delete-jlxl7--mk44k 0/1 Completed <span style="color:#666">0</span> 59s </span></span></code></pre></div><blockquote> <p>Hurray our &quot;hacked&quot; pod have been killed</p> </blockquote> <p>If you look in the logs of the task</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl logs -f <span style="color:#a2f;font-weight:bold">$(</span>kubectl get pods -l tekton.dev/task<span style="color:#666">=</span>pod-delete -o <span style="color:#b8860b">jsonpath</span><span style="color:#666">=</span><span style="color:#b44">&#34;{.items[0].metadata.name}&#34;</span> -n falcoresponse<span style="color:#a2f;font-weight:bold">)</span> -n falcoresponse </span></span><span style="display:flex;"><span>2021/05/02 18:11:00 PodName: alpine &amp; Namespace: falcoresponse </span></span><span style="display:flex;"><span>2021/05/02 18:11:00 Rule: Terminal shell in container </span></span><span style="display:flex;"><span>2021/05/02 18:11:00 Deleting pod alpine from namespace falcoresponse </span></span></code></pre></div><h3 id="conclusion">Conclusion</h3> <p>This was a rather simple example on how we can use the power of tekton together with Falco to protect us from bad actors that is trying to take over pods in our cluster.</p> <p>As noted during this post there are a lot of potential improvements before this is production ready:</p> <ul> <li>The criticalNamespaces in our go code is currently hard-coded and needs to be input variable of some kind.</li> <li>We need to be able to delete pods depending on priority level, rule or something similar.</li> <li>To be able to debug pods we might need to shell in to them, we need a way to ignore pods temporary without the pod getting restarted. Probably a annotation to look for in the pod before deleting it.</li> <li>And probably many other needs that you can come up with.</li> </ul> <p>If you have any ideas/issues come and share them in the falco slack <a href="https://kubernetes.slack.com">https://kubernetes.slack.com</a> #falco.</p> <h4 id="tekton">Tekton</h4> <p>If you would like to find out more about Tekton:</p> <ul> <li>Get started in <a href="https://tekton.dev/">tekton.dev</a>.</li> <li>Check out the <a href="https://github.com/tektoncd">Tekton Project in GitHub</a>.</li> <li>Meet the maintainers on the <a href="https://tektoncd.slack.com//">TektonCD Slack</a>.</li> <li>Follow <a href="https://twitter.com/tektoncd">@tektoncd on Twitter</a>.</li> </ul> <h4 id="falco">Falco</h4> <p>If you would like to find out more about Falco:</p> <ul> <li>Get started in <a href="https://falco.org/">Falco.org</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falco">Falco project in GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Kubernetes Response Engine, Part 3: Falcosidekick + Knativehttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/Thu, 13 May 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functions</a></li> </ul> </blockquote> <hr> <p>As the Cloud Native ecosystem grows and the idea that an integrator can browse the offerings and slap them together like an a la carte menu resonates. We call this <em>Thinking Cloud Native</em>.</p> <p><a href="http://falco.org/">Falco</a> already produced events, but in the form of a webhook with bespoke payloads, which is fine, unless you would like to integrate into an ecosystem for event routing. To enable this for Falco we had to think about how these events are moved from producer to consumer via something else. Enter: CloudEvents.</p> <p>What is CloudEvents? It is a specification for translating an event and the metadata onto a specific protocol and back. What? It lets you think about the event in a generic way without it being tied to particular choices the integration is making today, and with minor effort CloudEvents lets that integration change the protocol choice without changing the meaning of the event.</p> <p>This lossless property of CloudEvents means the integrator is free to choose middleware that also speaks CloudEvents and has its own choices of persistence and protocol, but the consumer of the event need not be aware of these translations that have happened between the producer and consumer.</p> <p>There are several choices that support CloudEvents today: Serverless.com Event Gateway, Argo, Google Cloud Pub/Sub, Azure Event Grid, and Knative Eventing. A more full list is at the <a href="https://github.com/cloudevents/spec/blob/v1.0.1/community/open-source.md">cloudevents/spec repo</a>.</p> <p>For this blog post, we are going to focus in on Falco+Knative and see what we can do with that a la carte selection.</p> <h2 id="falco-knative">Falco+Knative</h2> <p>What is Knative? It is two things: Knative Serving and Knative Eventing. Serving provides a container based scale to zero, scale real big functionality; as well as rainbow deploys, auto-TLS, domain mappings, and various knobs to control concurrency and scale traits. Eventing provides a thin abstraction on top of traditional message brokers (think Kafka or AMQP) that lets you compose your application without considering the message persistence choices in the moment (CloudEvents).</p> <p>From Knative Eventing, we will use two components: Broker and Trigger. A Knative Eventing Broker represents a event delivery and persistence layer, sort of an eventing mesh. A Knative Eventing Trigger works with the Broker to ask that a consumer be involved with a CloudEvent that matches some specified attributes. So the Broker is the stream of events, the Trigger is how you select events out of the stream and get them delivered.</p> <p>With Falco producing CloudEvents, we can point our alerts from Falco at the Knative Eventing Broker. Then create a Trigger that selects the Falco event we want to react to. But we also need something to consume the event and react!</p> <p>From Knative Serving, we can leverage a Knative Serving Service (KService). A KService looks like a lot like a Kubernetes deployment, but it is realized on the cluster as an autoscaling and routable component without the need for manually creating additional Kubernetes Services. KService can run any container as long as it is stateless, and the lifecycle is defined only in the context of an active HTTP request.</p> <p>To tie this up in a picture,</p> <pre tabindex="0"><code>Falco --[via Sidekick]--&gt; Broker --[via Trigger]--&gt; KService </code></pre><p>We are free to make the subscriber of the Trigger be <em>anything</em> we want it to be as long as it is routable from the Broker, and it accepts HTTP POSTs. The request will be a CloudEvent in Binary mode, and Falco makes JSON events, so the payload will be the standard JSON Falco is known for. In-fact, we can replace the KService in with a <a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubeless function</a> and it will work.</p> <h2 id="demo">Demo</h2> <p>To demonstrate this, we have prepared a simple example: We will detect root shell creations and delete that pod.</p> <h3 id="prerequisites">Prerequisites</h3> <ul> <li><a href="https://multipass.run/">multipass</a></li> <li><a href="https://kubernetes.io/">Kubernetes</a>,</li> <li><a href="https://kubernetes.io/docs/tasks/tools/#kubectl">kubectl</a></li> <li><a href="https://helm.sh/docs/intro/install/">Helm</a></li> </ul> <h3 id="k3s-cluster">K3s Cluster</h3> <p>For this blog post, we a will show the demo using k3s using multipass. Here is a cluster creation commands:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>multipass launch --name k3s-leader --cpus <span style="color:#666">2</span> --mem 2048M --disk 10G </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>multipass <span style="color:#a2f">exec</span> k3s-leader -- /bin/bash -c <span style="color:#b44">&#34;curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE=644 sh -&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">K3S_IP_SERVER</span><span style="color:#666">=</span><span style="color:#b44">&#34;https://</span><span style="color:#a2f;font-weight:bold">$(</span>multipass info k3s-leader | grep <span style="color:#b44">&#34;IPv4&#34;</span> | awk -F<span style="color:#b44">&#39; &#39;</span> <span style="color:#b44">&#39;{print $2}&#39;</span><span style="color:#a2f;font-weight:bold">)</span><span style="color:#b44">:6443&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>multipass <span style="color:#a2f">exec</span> k3s-leader -- /bin/bash -c <span style="color:#b44">&#34;cat /etc/rancher/k3s/k3s.yaml&#34;</span> | sed <span style="color:#b44">&#34;s%https://127.0.0.1:6443%</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">K3S_IP_SERVER</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">%g&#34;</span> | sed <span style="color:#b44">&#34;s/default/k3s/g&#34;</span> &gt; ./k3s.yaml </span></span><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">KUBECONFIG</span><span style="color:#666">=</span>./k3s.yaml </span></span></code></pre></div><p>You should get this final output:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#666">(</span>β•―Β°β–‘Β°<span style="color:#666">)</span>β•―οΈ΅ multipass launch --name k3s-leader --cpus <span style="color:#666">2</span> --mem 2048M --disk 10G </span></span><span style="display:flex;"><span>Launched: k3s-leader </span></span><span style="display:flex;"><span><span style="color:#666">(</span>β•―Β°β–‘Β°<span style="color:#666">)</span>β•―οΈ΅ multipass <span style="color:#a2f">exec</span> k3s-leader -- /bin/bash -c <span style="color:#b44">&#34;curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE=644 sh -&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Finding release <span style="color:#a2f;font-weight:bold">for</span> channel stable </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Using v1.20.6+k3s1 as release </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Downloading <span style="color:#a2f">hash</span> https://github.com/k3s-io/k3s/releases/download/v1.20.6+k3s1/sha256sum-amd64.txt </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.20.6+k3s1/k3s </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Verifying binary download </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Installing k3s to /usr/local/bin/k3s </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Creating /usr/local/bin/kubectl symlink to k3s </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Creating /usr/local/bin/crictl symlink to k3s </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Creating /usr/local/bin/ctr symlink to k3s </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Creating killall script /usr/local/bin/k3s-killall.sh </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> Creating uninstall script /usr/local/bin/k3s-uninstall.sh </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> env: Creating environment file /etc/systemd/system/k3s.service.env </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> systemd: Creating service file /etc/systemd/system/k3s.service </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> systemd: Enabling k3s unit </span></span><span style="display:flex;"><span>Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service β†’ /etc/systemd/system/k3s.service. </span></span><span style="display:flex;"><span><span style="color:#666">[</span>INFO<span style="color:#666">]</span> systemd: Starting k3s </span></span></code></pre></div><p>Now we have a bare bones k3s cluster!</p> <h3 id="install-knative">Install Knative</h3> <p>To install the rest of Knative into k3s:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Installs Knative Serving</span> </span></span><span style="display:flex;"><span>kubectl apply -f https://github.com/knative/serving/releases/download/v0.22.0/serving-crds.yaml </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">wait</span> --for<span style="color:#666">=</span><span style="color:#b8860b">condition</span><span style="color:#666">=</span>Established --all crd </span></span><span style="display:flex;"><span>kubectl apply -f https://github.com/knative/serving/releases/download/v0.22.0/serving-core.yaml </span></span><span style="display:flex;"><span>kubectl apply -f https://github.com/knative/net-kourier/releases/download/v0.22.0/kourier.yaml </span></span><span style="display:flex;"><span>kubectl patch configmap/config-network <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --namespace knative-serving <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --type merge <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --patch <span style="color:#b44">&#39;{&#34;data&#34;:{&#34;ingress.class&#34;:&#34;kourier.ingress.networking.knative.dev&#34;}}&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Installs Knative Eventing</span> </span></span><span style="display:flex;"><span>kubectl apply -f https://github.com/knative/eventing/releases/download/v0.22.0/eventing-crds.yaml </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">wait</span> --for<span style="color:#666">=</span><span style="color:#b8860b">condition</span><span style="color:#666">=</span>Established --all crd </span></span><span style="display:flex;"><span>kubectl apply -f https://github.com/knative/eventing/releases/download/v0.22.0/eventing-core.yaml </span></span><span style="display:flex;"><span>kubectl apply -f https://github.com/knative/eventing/releases/download/v0.22.0/in-memory-channel.yaml </span></span><span style="display:flex;"><span>kubectl apply -f https://github.com/knative/eventing/releases/download/v0.22.0/mt-channel-broker.yaml </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Creates a default Broker</span> </span></span><span style="display:flex;"><span>kubectl create -f - <span style="color:#b44">&lt;&lt;EOF </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: eventing.knative.dev/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: Broker </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: default </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: default </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><p>See also <a href="https://knative.dev/docs/install/any-kubernetes-cluster/">knative.dev install instructions</a> for installing these into your own cluster.</p> <h3 id="falco-falcosidekick-sidekick-ui">Falco/Falcosidekick/sidekick UI</h3> <p>We'll use helm to install <code>Falco</code> ,<code>Falcosidekick</code> and <code>Falcosidekick UI</code>.</p> <p>First, add the falcosecurity <code>helm</code> repo:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span></code></pre></div><p>In a real project, you should get the whole chart with <code>helm pull falcosecurity/falco --untar</code> and then configure the <code>values.yaml</code>. For this tutorial, will try to keep thing as easy as possible and set configs directly by <code>helm install</code> command:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm install falco falcosecurity/falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --create-namespace --namespace falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --set falcosidekick.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> --set falcosidekick.webui.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --set falcosidekick.config.cloudevents.address<span style="color:#666">=</span>http://broker-ingress.knative-eventing.svc.cluster.local/default/default </span></span></code></pre></div><p>You should get this output:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>NAME: falco </span></span><span style="display:flex;"><span>LAST DEPLOYED: Thu Jan <span style="color:#666">14</span> 23:43:46 <span style="color:#666">2021</span> </span></span><span style="display:flex;"><span>NAMESPACE: falco </span></span><span style="display:flex;"><span>STATUS: deployed </span></span><span style="display:flex;"><span>REVISION: <span style="color:#666">1</span> </span></span><span style="display:flex;"><span>TEST SUITE: None </span></span><span style="display:flex;"><span>NOTES: </span></span><span style="display:flex;"><span>Falco agents are spinning up on each node in your cluster. After a few </span></span><span style="display:flex;"><span>seconds, they are going to start monitoring your containers looking <span style="color:#a2f;font-weight:bold">for</span> </span></span><span style="display:flex;"><span>security issues. </span></span><span style="display:flex;"><span>No further action should be required. </span></span></code></pre></div><p>And you can see your new <code>Falco</code>,<code>Falco Sidekick</code>,<code>Falco Sidekick UI</code> pods:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n falco </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-jh75c 1/1 Running <span style="color:#666">0</span> 1d </span></span><span style="display:flex;"><span>falco-falcosidekick-554b8859d5-v9xkg 1/1 Running <span style="color:#666">0</span> 1d </span></span><span style="display:flex;"><span>falco-falcosidekick-554b8859d5-x2zkk 1/1 Running <span style="color:#666">0</span> 1d </span></span><span style="display:flex;"><span>falco-falcosidekick-ui-5d747688f9-g96x5 1/1 Running <span style="color:#666">11</span> 1d </span></span></code></pre></div><p>The arguments <code>--set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true</code> enables Falcosidekick and the UI as the below shows:</p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/falcosidekick-ui-colors.png" alt="falcosidekick ui" loading="lazy" /> </p> <p>You can now test it with a typical port-forwarding:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl port-forward svc/falco-falcosidekick-ui -n falco 2802:2802 </span></span></code></pre></div><h3 id="drop-demo">Drop demo</h3> <p>Install the demo with:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl apply -f https://github.com/n3wscott/falco-drop/releases/download/v0.1.0/release.yaml </span></span></code></pre></div><p>This will install a <a href="https://knative.dev/docs/serving/#serving-resources">Knative Service</a> that will consume the Falco events sent by falcosidekick (to the broker), some <a href="https://github.com/n3wscott/falco-drop/blob/v0.1.0/config/rbac.yaml">RBAC</a> to enable that service to delete pods, and a Knative Trigger to register this consumer for events from the <a href="https://knative.dev/docs/eventing/broker/">Knative Eventing Broker</a>.</p> <h4 id="consumer-kservice">Consumer KService</h4> <p>The simplified go code in use is like the following:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-go" data-lang="go"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">main</span>()<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#666">...</span>setup<span style="color:#bbb"> </span>context<span style="color:#666">...</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>kc<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>kubeclient.<span style="color:#00a000">Get</span>(ctx)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// Make a CloudEvents Client.</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>c,<span style="color:#bbb"> </span>_<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>cloudevents.<span style="color:#00a000">NewDefaultClient</span>(p)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// StartReceiver is blocking, it will deliver events to the inline function.</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>c.<span style="color:#00a000">StartReceiver</span>(ctx,<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">func</span>(event<span style="color:#bbb"> </span>cloudevents.Event)<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// Filter based on source and type.</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>event.<span style="color:#00a000">Source</span>()<span style="color:#bbb"> </span><span style="color:#666">==</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;falco.org&#34;</span><span style="color:#bbb"> </span><span style="color:#666">&amp;&amp;</span><span style="color:#bbb"> </span>event.<span style="color:#00a000">Type</span>()<span style="color:#bbb"> </span><span style="color:#666">==</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;falco.rule.output.v1&#34;</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// Extract the Falco event Payload</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>payload<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span><span style="color:#666">&amp;</span>FalcoPayload{}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>event.<span style="color:#00a000">DataAs</span>(payload);<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// Only react to &#34;Terminal shell in container&#34; triggered rules.</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>payload.Rule<span style="color:#bbb"> </span><span style="color:#666">==</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;Terminal shell in container&#34;</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>kc.<span style="color:#00a000">CoreV1</span>().<span style="color:#00a000">Pods</span>(payload.Fields.Namespace).<span style="color:#00a000">Delete</span>(ctx,<span style="color:#bbb"> </span>payload.Fields.Pod,<span style="color:#bbb"> </span>metav1.DeleteOptions{});<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Println</span>(<span style="color:#b44">&#34;failed to delete pod from event:&#34;</span>,<span style="color:#bbb"> </span>err)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">return</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;[%s] deleted %s from %s because %s\n&#34;</span>,<span style="color:#bbb"> </span>payload.Rule,<span style="color:#bbb"> </span>payload.Fields.Pod,<span style="color:#bbb"> </span>payload.Fields.Namespace,<span style="color:#bbb"> </span>payload.Output)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>})<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span></code></pre></div><p>The full implementation can be found in the <a href="https://github.com/n3wscott/falco-drop/blob/main/cmd/drop/main.go">falco-drop</a> repo.</p> <blockquote> <p>Pro-tip: if you are developing in Go for Kubernetes, take a look at <a href="https://github.com/google/ko">ko</a>. <code>ko</code> enables containerizing go applications without needing a Dockerfile.</p> </blockquote> <p>Even though the Trigger only delivers events that match the Trigger filter, it is a good idea to validate the event that the function is receiving, which is why we are validating again in the above code (trust, but verify).</p> <h4 id="eventing-triggers">Eventing Triggers</h4> <p>The Trigger configures the Broker for a subscriber to be invoked when the Broker ingresses an event that matches the <code>spec.filter</code> settings.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">apiVersion</span>:<span style="color:#bbb"> </span>eventing.knative.dev/v1<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>Trigger<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">metadata</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>drop<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">namespace</span>:<span style="color:#bbb"> </span>default<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">spec</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">broker</span>:<span style="color:#bbb"> </span>default<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">filter</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">attributes</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">source</span>:<span style="color:#bbb"> </span>falco.org<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">type</span>:<span style="color:#bbb"> </span>falco.rule.output.v1<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">subscriber</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">ref</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">apiVersion</span>:<span style="color:#bbb"> </span>serving.knative.dev/v1<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>Service<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>drop<span style="color:#bbb"> </span></span></span></code></pre></div><blockquote> <p>Note: the <code>kind: Service, name: drop</code> resource is the Knative Service we created above.</p> </blockquote> <p>Here we are requesting that the broker only deliver events that have the attributes (CloudEvent attributes) of <code>source=falco.org</code> and <code>type=falco.rule.output.v1</code>. These events are delivered to our subscriber KService.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/img/knative-drop-graph.png" alt="Eventing Topology" loading="lazy" /> </p> <p>Want to learn how that <code>spec.subscriber.ref</code> works?! It is <a href="https://en.wikipedia.org/wiki/Duck_typing">duck typing</a> <a href="https://docs.google.com/document/d/1Bud636dMcAQjXe6xfOMBzT0YYqOj1rx3EELxrq2YQv8/edit#heading=h.7o4a6nr4d1sv">and</a> <a href="https://docs.google.com/document/d/e/2PACX-1vQeYowntWI4U8yN19Esf0mK8HiY0Cf1XhbbfzLpnLzGcWqhWHwpqNFH7FqDQGTIAHqz4iFP7dPIBKvG/pub">you</a> <a href="https://github.com/knative/pkg/tree/master/apis/duck#duck-types">can</a> <a href="https://www.youtube.com/watch?v=Mb8c5SP-Sw0">learn</a> <a href="https://www.youtube.com/watch?v=kldVg63Utuw">more</a>, but tl;dr: it is basically doing this (except fancy),</p> <pre tabindex="0"><code>kubectl get ksvc drop -o jsonpath=&#39;{.status.address.url}&#39; </code></pre><h3 id="test">Test</h3> <p>First we will create a pod that we can execute code on later:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl run alpine --namespace default --image<span style="color:#666">=</span>alpine --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span></code></pre></div><p>You should see two pods runing, <code>drop-00001-*</code> and a <code>alpine</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#666">(</span>β•―Β°β–‘Β°<span style="color:#666">)</span>β•―οΈ΅ kubectl get pods </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>drop-00001-deployment-6b4c5d8bb-m8q4z 2/2 Running <span style="color:#666">0</span> 4m9s </span></span><span style="display:flex;"><span>alpine 1/1 Running <span style="color:#666">0</span> 39s </span></span></code></pre></div><p>Next, we will execute a command in that <code>alpine</code> pod:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl <span style="color:#a2f">exec</span> -i --tty alpine --namespace default -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span></code></pre></div><p>The <code>alpine</code> pod will be terminated by the drop function once the events are processed:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#666">(</span>β•―Β°β–‘Β°<span style="color:#666">)</span>β•―οΈ΅ kubectl <span style="color:#a2f">exec</span> -i --tty alpine --namespace default -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span>pod/alpine created </span></span><span style="display:flex;"><span><span style="color:#666">(</span>β•―Β°β–‘Β°<span style="color:#666">)</span>β•―οΈ΅ kubectl <span style="color:#a2f">exec</span> -i --tty alpine --namespace default -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span> 19:29:29 up <span style="color:#666">17</span> min, load average: 0.90, 0.85, 0.59 </span></span><span style="display:flex;"><span><span style="color:#666">(</span>β•―Β°β–‘Β°<span style="color:#666">)</span>β•―οΈ΅ kubectl get pods </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>drop-00001-deployment-6b4c5d8bb-m8q4z 2/2 Running <span style="color:#666">0</span> 10m </span></span><span style="display:flex;"><span>alpine 1/1 Terminating <span style="color:#666">0</span> 5s </span></span></code></pre></div><p>Or simply start a hanging shell:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl run alpine-alpine --namespace default --image<span style="color:#666">=</span>alpine --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">exec</span> -i --tty alpine-hang --namespace default -- sh </span></span></code></pre></div><p>And the shell will be closed:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#666">(</span>β•―Β°β–‘Β°<span style="color:#666">)</span>β•―οΈ΅ kubectl <span style="color:#a2f">exec</span> -i --tty alpine-hang --namespace default -- sh </span></span><span style="display:flex;"><span>/ <span style="color:#080;font-style:italic"># command terminated with exit code 137</span> </span></span></code></pre></div><p>The event that the drop function is reacting to is a CloudEvent that looks something like this:</p> <pre tabindex="0"><code>Context Attributes, specversion: 1.0 type: falco.rule.output.v1 source: falco.org id: f7628198-3822-4c98-ac3f-71770e272a16 time: 2021-01-11T23:46:19.82302759Z datacontenttype: application/json Extensions, foo: bar priority: Notice rule: Terminal shell in container Data, { &#34;output&#34;: &#34;23:46:19.823027590: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=alpine container=f29b261f8831 shell=bash parent=runc cmdline=bash -il terminal=34816 container_id=f29b261f8831 image=mysql) k8s.ns=default k8s.pod=mysql-db-7d59548d75-wh44s container=f29b261f8831&#34;, &#34;priority&#34;: &#34;Notice&#34;, &#34;rule&#34;: &#34;Terminal shell in container&#34;, &#34;time&#34;: &#34;2021-01-11T23:46:19.82302759Z&#34;, &#34;output_fields&#34;: { &#34;container.id&#34;: &#34;f29b261f8831&#34;, &#34;container.image.repository&#34;: &#34;mysql&#34;, &#34;evt.time&#34;: 1610408779823027700, &#34;k8s.ns.name&#34;: &#34;default&#34;, &#34;k8s.pod.name&#34;: &#34;alpine&#34;, &#34;proc.cmdline&#34;: &#34;bash -il&#34;, &#34;proc.name&#34;: &#34;bash&#34;, &#34;proc.pname&#34;: &#34;runc&#34;, &#34;proc.tty&#34;: 34816, &#34;user.loginuid&#34;: -1, &#34;user.name&#34;: &#34;root&#34; } } </code></pre><p>The KService consumes this event and simply deletes the pod. You can also see this activity in the <a href="http://localhost:2802/ui/#/">falcosidekick UI</a>.</p> <h2 id="conclusion">Conclusion</h2> <p>Thinking Cloud Native is a mindset of picking the right tool for the job and assembling these tools into something greater than their parts. Falco is a great tool for detection and alerts, it gets really interesting once we can react to those events in ways we never imagined, because integrators are creative and innovative.</p> <p>What will you build?</p> <h3 id="knative">Knative</h3> <p>If you would like to find out more about Knative:</p> <ul> <li>Get started in <a href="http://knative.dev/">knative.dev</a>.</li> <li>Check out the <a href="https://github.com/knative">Knative Project in GitHub</a>.</li> <li>Meet the maintainers on the <a href="https://slack.knative.dev/">Knative Slack</a>.</li> <li>Follow <a href="https://twitter.com/KnativeProject">@KnativeProject on Twitter</a>.</li> </ul> <h3 id="falco">Falco</h3> <p>If you would like to find out more about Falco:</p> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falco">Falco project in GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>Blog: Kubernetes Response Engine, Part 2: Falcosidekick + OpenFaashttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/Sun, 11 Apr 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/">Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functions</a></li> </ul> </blockquote> <hr> <p>We recently talked about a concept called <em>&quot;Kubernetes Response Engine&quot;</em>, and we achieved this by using <code>Falco</code></p> <ul> <li><code>Falcosidekick</code> + <code>Kubeless</code>. But as you might guess, <code>Falcosidekick</code> project is evolving day after day, which means new outputs are added. With the release <a href="https://github.com/falcosecurity/falcosidekick/releases/tag/2.22.0"><code>2.22.0</code></a>, we are proud to support <a href="https://www.openfaas.com"><code>OpenFaaS</code></a> as a new output for <em>Falcosidekick</em>. This allows us to achieve the same concept, <em>&quot;Kubernetes Response Engine&quot;</em>, but this time by using <em>&quot;OpenFaaS&quot;</em> instead of <em>&quot;Kubeless&quot;</em>.</li> </ul> <p>In this blog post, we will explain the basic concepts for integrating your own Response Engine into K8S with the stack <code>Falco</code> + <code>Falcosidekick</code> + <code>OpenFaaS</code>.</p> <h2 id="prerequisites">Prerequisites</h2> <p>We need tools with the following minimum versions to achieve this demo:</p> <ul> <li>Minikube v1.19.0</li> <li>Helm v3.5.3</li> <li>kubectl v1.21.0</li> <li>arkade v0.7.13</li> <li>faas-cli v0.13.9</li> </ul> <h3 id="provision-local-kubernetes-cluster">Provision local Kubernetes Cluster</h3> <p>There are various ways to provision a local Kubernetes cluster such as, KinD, k3s, k0s, Minikube etc. We are going to use Minikube in this walkthrough.</p> <p>Let's get provisioned a local Kubernetes cluster:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ minikube start --cpus <span style="color:#666">3</span> --memory <span style="color:#666">8192</span> --vm-driver virtualbox </span></span><span style="display:flex;"><span>πŸ˜„ minikube v1.19.0 on Darwin 10.15.7 </span></span><span style="display:flex;"><span>✨ Using the virtualbox driver based on user configuration </span></span><span style="display:flex;"><span>πŸ‘ Starting control plane node minikube in cluster minikube </span></span><span style="display:flex;"><span>πŸ”₯ Creating virtualbox VM <span style="color:#666">(</span><span style="color:#b8860b">CPUs</span><span style="color:#666">=</span>3, <span style="color:#b8860b">Memory</span><span style="color:#666">=</span>8192MB, <span style="color:#b8860b">Disk</span><span style="color:#666">=</span>20000MB<span style="color:#666">)</span> ... </span></span><span style="display:flex;"><span>🐳 Preparing Kubernetes v1.20.2 on Docker 20.10.4 ... </span></span><span style="display:flex;"><span> β–ͺ Generating certificates and keys ... </span></span><span style="display:flex;"><span> β–ͺ Booting up control plane ... </span></span><span style="display:flex;"><span> β–ͺ Configuring RBAC rules ... </span></span><span style="display:flex;"><span>πŸ”Ž Verifying Kubernetes components... </span></span><span style="display:flex;"><span> β–ͺ Using image gcr.io/k8s-minikube/storage-provisioner:v5 </span></span><span style="display:flex;"><span>🌟 Enabled addons: storage-provisioner, default-storageclass </span></span><span style="display:flex;"><span>πŸ„ Done! kubectl is now configured to use <span style="color:#b44">&#34;minikube&#34;</span> cluster and <span style="color:#b44">&#34;default&#34;</span> namespace by default </span></span></code></pre></div><h2 id="install-openfaas">Install OpenFaaS</h2> <p>OpenFaaS can be deployed into a variety of container orchestrators like Kubernetes, OpenShift, Docker Swarm or into a single host with faasd.</p> <p>Follow the official documentation for <a href="https://docs.openfaas.com/deployment/kubernetes/">deploying OpenFaaS to Kubernetes</a>.</p> <p>The fastest option is the tool called <a href="https://github.com/alexellis/arkade">arkade</a> to deploy OpenFaaS:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ arkade install openfaas </span></span><span style="display:flex;"><span>Using Kubeconfig: /Users/batuhan.apaydin/.kube/config </span></span><span style="display:flex;"><span>Client: x86_64, Darwin </span></span><span style="display:flex;"><span>2021/04/10 21:39:29 User dir established as: /Users/batuhan.apaydin/.arkade/ </span></span><span style="display:flex;"><span><span style="color:#b44">&#34;openfaas&#34;</span> already exists with the same configuration, skipping </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Hang tight <span style="color:#a2f;font-weight:bold">while</span> we grab the latest from your chart repositories... </span></span><span style="display:flex;"><span>...Successfully got an update from the <span style="color:#b44">&#34;falcosecurity&#34;</span> chart repository </span></span><span style="display:flex;"><span>...Successfully got an update from the <span style="color:#b44">&#34;openfaas&#34;</span> chart repository </span></span><span style="display:flex;"><span>Update Complete. ⎈Happy Helming!⎈ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>VALUES values.yaml </span></span><span style="display:flex;"><span>Command: /Users/batuhan.apaydin/.arkade/bin/helm <span style="color:#666">[</span>upgrade --install openfaas openfaas/openfaas --namespace openfaas --values /var/folders/pf/6h9t0mnd4d342ncgpjq_3zl80000gp/T/charts/openfaas/values.yaml --set queueWorker.replicas<span style="color:#666">=</span><span style="color:#666">1</span> --set queueWorker.maxInflight<span style="color:#666">=</span><span style="color:#666">1</span> --set <span style="color:#b8860b">clusterRole</span><span style="color:#666">=</span><span style="color:#a2f">false</span> --set operator.create<span style="color:#666">=</span><span style="color:#a2f">false</span> --set faasnetes.imagePullPolicy<span style="color:#666">=</span>Always --set basicAuthPlugin.replicas<span style="color:#666">=</span><span style="color:#666">1</span> --set gateway.replicas<span style="color:#666">=</span><span style="color:#666">1</span> --set gateway.directFunctions<span style="color:#666">=</span><span style="color:#a2f">false</span> --set <span style="color:#b8860b">openfaasImagePullPolicy</span><span style="color:#666">=</span>IfNotPresent --set ingressOperator.create<span style="color:#666">=</span><span style="color:#a2f">false</span> --set <span style="color:#b8860b">basic_auth</span><span style="color:#666">=</span><span style="color:#a2f">true</span> --set <span style="color:#b8860b">serviceType</span><span style="color:#666">=</span>NodePort<span style="color:#666">]</span> </span></span><span style="display:flex;"><span>Release <span style="color:#b44">&#34;openfaas&#34;</span> does not exist. Installing it now. </span></span><span style="display:flex;"><span>NAME: openfaas </span></span><span style="display:flex;"><span>LAST DEPLOYED: Sat Apr <span style="color:#666">10</span> 21:39:37 <span style="color:#666">2021</span> </span></span><span style="display:flex;"><span>NAMESPACE: openfaas </span></span><span style="display:flex;"><span>STATUS: deployed </span></span><span style="display:flex;"><span>REVISION: <span style="color:#666">1</span> </span></span><span style="display:flex;"><span>TEST SUITE: None </span></span><span style="display:flex;"><span>NOTES: </span></span><span style="display:flex;"><span>To verify that openfaas has started, run: </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> kubectl -n openfaas get deployments -l <span style="color:#b44">&#34;release=openfaas, app=openfaas&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#666">=======================================================================</span> </span></span><span style="display:flex;"><span><span style="color:#666">=</span> OpenFaaS has been installed. <span style="color:#666">=</span> </span></span><span style="display:flex;"><span><span style="color:#666">=======================================================================</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Get the faas-cli</span> </span></span><span style="display:flex;"><span>curl -SLsf https://cli.openfaas.com | sudo sh </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Forward the gateway to your machine</span> </span></span><span style="display:flex;"><span>kubectl rollout status -n openfaas deploy/gateway </span></span><span style="display:flex;"><span>kubectl port-forward -n openfaas svc/gateway 8080:8080 &amp; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># If basic auth is enabled, you can now log into your gateway:</span> </span></span><span style="display:flex;"><span><span style="color:#b8860b">PASSWORD</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>kubectl get secret -n openfaas basic-auth -o <span style="color:#b8860b">jsonpath</span><span style="color:#666">=</span><span style="color:#b44">&#34;{.data.basic-auth-password}&#34;</span> | base64 --decode; <span style="color:#a2f">echo</span><span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span><span style="color:#a2f">echo</span> -n <span style="color:#b8860b">$PASSWORD</span> | faas-cli login --username admin --password-stdin </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>faas-cli store deploy figlet </span></span><span style="display:flex;"><span>faas-cli list </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># For Raspberry Pi</span> </span></span><span style="display:flex;"><span>faas-cli store list <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --platform armhf </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>faas-cli store deploy figlet <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --platform armhf </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Find out more at:</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># https://github.com/openfaas/faas</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Thanks <span style="color:#a2f;font-weight:bold">for</span> using arkade! </span></span></code></pre></div><p>Check if everything is working before moving onto the next step:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace openfaas </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alertmanager-74f9b48464-7gvrj 1/1 Running <span style="color:#666">0</span> 2m13s </span></span><span style="display:flex;"><span>basic-auth-plugin-54bbd886f5-fclgn 1/1 Running <span style="color:#666">0</span> 2m13s </span></span><span style="display:flex;"><span>gateway-6f8f5d5c87-tbxns 2/2 Running <span style="color:#666">0</span> 2m13s </span></span><span style="display:flex;"><span>nats-695bf7587-hcbc2 1/1 Running <span style="color:#666">0</span> 2m13s </span></span><span style="display:flex;"><span>prometheus-577c65f58c-4nvm7 1/1 Running <span style="color:#666">0</span> 2m13s </span></span><span style="display:flex;"><span>queue-worker-b45b85966-g7kpt 1/1 Running <span style="color:#666">0</span> 2m13s </span></span></code></pre></div><p>Now, it is time to deploy our function. The function we are going to deploy basically receives events for an infected pod from the <em>Falcosidekick</em> and deletes it immediately. Before deploying the function we need some permissions to delete Pod. We create a <code>ServiceAccount</code> with right to delete a Pod in any namespace, and we'll associate it to our function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: openfaas-fn </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role </span></span></span><span style="display:flex;"><span><span style="color:#b44">rules: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;pods&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;get&#34;, &#34;list&#34;, &#34;delete&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRoleBinding </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role-binding </span></span></span><span style="display:flex;"><span><span style="color:#b44">roleRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role </span></span></span><span style="display:flex;"><span><span style="color:#b44"> apiGroup: rbac.authorization.k8s.io </span></span></span><span style="display:flex;"><span><span style="color:#b44">subjects: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: openfaas-fn </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><p>Now, we are ready to deploy our <em>falco-pod-delete</em> function, log in into <em>OpenFaaS Gateway</em> first:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl port-forward -n openfaas svc/gateway 8080:8080 &amp; </span></span><span style="display:flex;"><span>$ <span style="color:#b8860b">PASSWORD</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>kubectl get secret -n openfaas basic-auth -o <span style="color:#b8860b">jsonpath</span><span style="color:#666">=</span><span style="color:#b44">&#34;{.data.basic-auth-password}&#34;</span> | base64 --decode; <span style="color:#a2f">echo</span><span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span><span style="color:#b8860b">$echo</span> -n <span style="color:#b8860b">$PASSWORD</span> | faas-cli login --username admin --password-stdin </span></span><span style="display:flex;"><span>Calling the OpenFaaS server to validate the credentials... </span></span><span style="display:flex;"><span>credentials saved <span style="color:#a2f;font-weight:bold">for</span> admin http://127.0.0.1:8080 </span></span></code></pre></div><h2 id="install-falco-falcosidekick">Install Falco + Falcosidekick</h2> <p>Firstly, we'll create the namespace that will host both <code>Falco</code> and <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl create namespace falco </span></span></code></pre></div><p>We add the <code>helm</code> repo:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span><span style="display:flex;"><span><span style="color:#b44">&#34;falcosecurity&#34;</span> has been added to your repositories </span></span><span style="display:flex;"><span>$ helm repo update </span></span><span style="display:flex;"><span>Hang tight <span style="color:#a2f;font-weight:bold">while</span> we grab the latest from your chart repositories... </span></span><span style="display:flex;"><span>...Successfully got an update from the <span style="color:#b44">&#34;falcosecurity&#34;</span> chart repository </span></span><span style="display:flex;"><span>...Successfully got an update from the <span style="color:#b44">&#34;openfaas&#34;</span> chart repository </span></span><span style="display:flex;"><span>Update Complete. ⎈Happy Helming!⎈ </span></span></code></pre></div><p>In a real project, you should get the whole chart with <code>helm pull falcosecurity/falco --untar</code> and then configure the <code>values.yaml</code>. For this tutorial, will try to keep thing as easy as possible and set configs directly by passing arguments to <code>helm install</code> command line:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ helm upgrade --install falco falcosecurity/falco --namespace falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.config.openfaas.functionname<span style="color:#666">=</span><span style="color:#b44">&#34;falco-pod-delete&#34;</span> </span></span></code></pre></div><p>You should get this output:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>Release <span style="color:#b44">&#34;falco&#34;</span> does not exist. Installing it now. </span></span><span style="display:flex;"><span>NAME: falco </span></span><span style="display:flex;"><span>LAST DEPLOYED: Tue Apr <span style="color:#666">13</span> 10:49:49 <span style="color:#666">2021</span> </span></span><span style="display:flex;"><span>NAMESPACE: falco </span></span><span style="display:flex;"><span>STATUS: deployed </span></span><span style="display:flex;"><span>REVISION: <span style="color:#666">1</span> </span></span><span style="display:flex;"><span>NOTES: </span></span><span style="display:flex;"><span>Falco agents are spinning up on each node in your cluster. After a few </span></span><span style="display:flex;"><span>seconds, they are going to start monitoring your containers looking <span style="color:#a2f;font-weight:bold">for</span> </span></span><span style="display:flex;"><span>security issues. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>No further action should be required. </span></span></code></pre></div><p>And you can see your new <code>Falco</code> and <code>Falcosidekick</code>pods:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace falco </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-falcosidekick-7779579477-mwsb4 1/1 Running <span style="color:#666">0</span> 67s </span></span><span style="display:flex;"><span>falco-falcosidekick-7779579477-n5v89 1/1 Running <span style="color:#666">0</span> 67s </span></span><span style="display:flex;"><span>falco-p97rw 1/1 Running <span style="color:#666">0</span> 67s </span></span></code></pre></div><p>The argument <code>falcosidekick.enabled=true</code> sets the following settings in <em>Falco</em> for you:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>--set falco.jsonOutput<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falco.httpOutput.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falco.httpOutput.url<span style="color:#666">=</span>http://falco-falcosidekick:2801 </span></span></code></pre></div><p>The arguments <code>--set falco.jsonOutput=true --set falco.httpOutput.enabled=true --set falco.httpOutput.url=http://falco-falcosidekick:2801</code> are there to configure the format of events and the URL where <code>Falco</code> will send them. As <code>Falco</code> and <code>Falcosidekick</code> will be in the same namespace, it can directly use the name of the service (<code>falco-falcosidekick</code>) above <code>Falcosidekick</code> pods.</p> <p>We check the logs:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs deployment/falco-falcosidekick -n falco </span></span><span style="display:flex;"><span>Found <span style="color:#666">2</span> pods, using pod/falcosidekick-5c696d7fd8-9bnnj </span></span><span style="display:flex;"><span>2021/04/10 19:21:55 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Enabled Outputs : <span style="color:#666">[</span>OpenFaaS<span style="color:#666">]</span> </span></span><span style="display:flex;"><span>2021/04/10 19:21:55 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Falco Sidekick is up and listening on :2801 </span></span></code></pre></div><p><code>OpenFaaS</code> is displayed as enabled output, everything is good πŸ‘.</p> <h2 id="install-our-openfaas-function">Install our OpenFaaS function</h2> <p>Our really basic function will receive events from <code>Falco</code> thanks to <code>Falcosidekick</code>, check if the triggered rule is * <a href="https://github.com/falcosecurity/falco/blob/0d7068b048772b1e2d3ca5c86c30b3040eac57df/rules/falco_rules.yaml#L2063">Terminal Shell in container*</a> , extract the <em>namespace</em> and <em>pod name</em> from the fields of events and delete the according pod:</p> <p>Basically, the process is:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span> +----------+ +---------------+ +----------+ </span></span><span style="display:flex;"><span> | Falco +-----------------&gt; Falcosidekick +--------------------&gt; OpenFaaS | </span></span><span style="display:flex;"><span> +----^-----+ sends event +---------------+ triggers +-----+----+ </span></span><span style="display:flex;"><span> | | </span></span><span style="display:flex;"><span>detects a shell | | </span></span><span style="display:flex;"><span> | | </span></span><span style="display:flex;"><span> +----+-------+ deletes | </span></span><span style="display:flex;"><span> | Pwned Pod &lt;----------------------------------------------------------+ </span></span><span style="display:flex;"><span> +------------+ </span></span></code></pre></div><p>Let's create the function and deploy it:</p> <pre tabindex="0"><code>$ faas-cli template store pull golang-middleware Fetch templates from repository: https://github.com/openfaas/golang-http-template at 2021/04/10 21:56:34 Attempting to expand templates from https://github.com/openfaas/golang-http-template 2021/04/10 21:56:35 Fetched 2 template(s) : [golang-http golang-middleware] from https://github.com/openfaas/golang-http-template $ tree -L 2 . . └── template β”œβ”€β”€ golang-http └── golang-middleware # Don&#39;t forget to set your docker id in the prefix section, mine is devopps. $ faas-cli new falco-pod-delete --lang golang-middleware --prefix devopps faas-cli new falco-pod-delete --lang golang-middleware --prefix devopps Folder: falco-pod-delete created. ___ _____ ____ / _ \ _ __ ___ _ __ | ___|_ _ __ _/ ___| | | | | &#39;_ \ / _ \ &#39;_ \| |_ / _` |/ _` \___ \ | |_| | |_) | __/ | | | _| (_| | (_| |___) | \___/| .__/ \___|_| |_|_| \__,_|\__,_|____/ |_| Function created in folder: falco-pod-delete Stack file written: falco-pod-delete.yml Notes: You have created a new function which uses Golang 1.13. To include third-party dependencies, use Go modules and use &#34;--build-arg GO111MODULE=on&#34; with faas-cli build or configure this via your stack.yml file. See more: https://docs.openfaas.com/cli/templates/ For detailed examples: https://github.com/openfaas-incubator/golang-http-template $ tree -L 2 . . β”œβ”€β”€ falco-pod-delete β”‚ └── handler.go β”œβ”€β”€ falco-pod-delete.yml └── template β”œβ”€β”€ golang-http └── golang-middleware </code></pre><p>First, replace the <em>falco-pod-delete.yml</em> with the following content:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">version</span>:<span style="color:#bbb"> </span><span style="color:#666">1.0</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">provider</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">name</span>:<span style="color:#bbb"> </span>openfaas<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">gateway</span>:<span style="color:#bbb"> </span>http://127.0.0.1:8080<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">functions</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">falco-pod-delete</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">lang</span>:<span style="color:#bbb"> </span>golang-middleware<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">handler</span>:<span style="color:#bbb"> </span>./falco-pod-delete<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">image</span>:<span style="color:#bbb"> </span>devopps/falco-pod-delete:latest<span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># be careful this line, it should be your docker id.</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">annotations</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">com.openfaas.serviceaccount</span>:<span style="color:#bbb"> </span>falco-pod-delete<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">build_args</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">GO111MODULE</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">on</span><span style="color:#bbb"> </span></span></span></code></pre></div><p>Once you have edited it, let's continue with the code, create a <code>go.mod</code>.</p> <pre tabindex="0"><code>$ cd falco-pod-delete $ go mod init falco-pod-delete go: creating new go.mod: module falco-pod-delete go: to add module requirements and sums: go mod tidy </code></pre><p>Then, replace the <code>handler.go</code> with the following content:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-golang" data-lang="golang"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">package</span><span style="color:#bbb"> </span>function<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">import</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;context&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;encoding/json&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;io/ioutil&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;log&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;net/http&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;time&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>metaV1<span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/apimachinery/pkg/apis/meta/v1&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/kubernetes&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b44">&#34;k8s.io/client-go/rest&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>kubeClient<span style="color:#bbb"> </span><span style="color:#666">*</span>kubernetes.Clientset<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">init</span>()<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// creates the in-cluster config</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>config,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>rest.<span style="color:#00a000">InClusterConfig</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(err.<span style="color:#00a000">Error</span>())<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">// creates the clientset</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>kubeClient,<span style="color:#bbb"> </span>err<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>kubernetes.<span style="color:#00a000">NewForConfig</span>(config)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>err<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f">panic</span>(err.<span style="color:#00a000">Error</span>())<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">type</span><span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Output<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Priority<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;priority&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Rule<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;rule&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>Time<span style="color:#bbb"> </span>time.Time<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>OutputFields<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">struct</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerID<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.id&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageRepository<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.repository&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ContainerImageTag<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">interface</span>{}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;container.image.tag&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>EvtTime<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">int64</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;evt.time&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>FdName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;fd.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SNsName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.ns.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>K8SPodName<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;k8s.pod.name&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>ProcCmdline<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">string</span><span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;proc.cmdline&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span><span style="color:#b44">`json:&#34;output_fields&#34;`</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>CriticalNamespaces<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span>[]<span style="color:#0b0;font-weight:bold">string</span>{<span style="color:#b44">&#34;kube-system&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;kube-public&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;kube-node-lease&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;falco&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;openfaas&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;openfaas-fn&#34;</span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">func</span><span style="color:#bbb"> </span><span style="color:#00a000">Handle</span>(w<span style="color:#bbb"> </span>http.ResponseWriter,<span style="color:#bbb"> </span>r<span style="color:#bbb"> </span><span style="color:#666">*</span>http.Request)<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>alert<span style="color:#bbb"> </span>Alert<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>r.Body<span style="color:#bbb"> </span><span style="color:#666">!=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">nil</span><span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">defer</span><span style="color:#bbb"> </span>r.Body.<span style="color:#00a000">Close</span>()<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>body,<span style="color:#bbb"> </span>_<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>ioutil.<span style="color:#00a000">ReadAll</span>(r.Body)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>json.<span style="color:#00a000">Unmarshal</span>(body,<span style="color:#bbb"> </span><span style="color:#666">&amp;</span>alert)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>podName<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>alert.OutputFields.K8SPodName<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>namespace<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span>alert.OutputFields.K8SNsName<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">var</span><span style="color:#bbb"> </span>critical<span style="color:#bbb"> </span><span style="color:#0b0;font-weight:bold">bool</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">for</span><span style="color:#bbb"> </span>_<span style="color:#bbb"> </span>,<span style="color:#bbb"> </span>ns<span style="color:#bbb"> </span><span style="color:#666">:=</span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">range</span><span style="color:#bbb"> </span>CriticalNamespaces<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>ns<span style="color:#bbb"> </span><span style="color:#666">==</span><span style="color:#bbb"> </span>namespace<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>critical<span style="color:#bbb"> </span>=<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">break</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">if</span><span style="color:#bbb"> </span>!critical<span style="color:#bbb"> </span>{<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>log.<span style="color:#00a000">Printf</span>(<span style="color:#b44">&#34;Deleting pod %s from namespace %s&#34;</span>,<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>namespace)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>kubeClient.<span style="color:#00a000">CoreV1</span>().<span style="color:#00a000">Pods</span>(namespace).<span style="color:#00a000">Delete</span>(context.<span style="color:#00a000">Background</span>(),<span style="color:#bbb"> </span>podName,<span style="color:#bbb"> </span>metaV1.DeleteOptions{})<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>}<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>w.<span style="color:#00a000">WriteHeader</span>(http.StatusOK)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>w.<span style="color:#00a000">Write</span>([]<span style="color:#a2f">byte</span>(<span style="color:#b44">&#34;OK&#34;</span>))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>}<span style="color:#bbb"> </span></span></span></code></pre></div><p>After that, update your <em>Go Modules</em> by doing <code>go mod tidy</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ go mod tidy </span></span><span style="display:flex;"><span>go: finding module <span style="color:#a2f;font-weight:bold">for</span> package k8s.io/client-go/rest </span></span><span style="display:flex;"><span>go: finding module <span style="color:#a2f;font-weight:bold">for</span> package k8s.io/apimachinery/pkg/apis/meta/v1 </span></span><span style="display:flex;"><span>go: finding module <span style="color:#a2f;font-weight:bold">for</span> package k8s.io/client-go/kubernetes </span></span><span style="display:flex;"><span>go: downloading k8s.io/client-go v0.21.0 </span></span><span style="display:flex;"><span>go: downloading k8s.io/apimachinery v0.21.0 </span></span><span style="display:flex;"><span>go: found k8s.io/apimachinery/pkg/apis/meta/v1 in k8s.io/apimachinery v0.21.0 </span></span><span style="display:flex;"><span>go: found k8s.io/client-go/kubernetes in k8s.io/client-go v0.21.0 </span></span><span style="display:flex;"><span>go: found k8s.io/client-go/rest in k8s.io/client-go v0.21.0 </span></span><span style="display:flex;"><span>go: downloading k8s.io/api v0.21.0 </span></span><span style="display:flex;"><span>go: downloading golang.org/x/net v0.0.0-20210224082022-3d97a244fca7 </span></span><span style="display:flex;"><span>go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.1.0 </span></span><span style="display:flex;"><span>go: downloading golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d </span></span></code></pre></div><p>Now, you should be able to build, push and deploy your function with <code>faas-cli</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ <span style="color:#a2f">cd</span> .. </span></span><span style="display:flex;"><span>$ faas-cli up -f falco-pod-delete.yml </span></span><span style="display:flex;"><span><span style="color:#666">[</span>0<span style="color:#666">]</span> &gt; Building falco-pod-delete. </span></span><span style="display:flex;"><span>Clearing temporary build folder: ./build/falco-pod-delete/ </span></span><span style="display:flex;"><span>Preparing: ./falco-pod-delete/ build/falco-pod-delete/function </span></span><span style="display:flex;"><span>Building: devopps/falco-pod-delete:latest with golang-middleware template. Please wait.. </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">#1 [internal] load build definition from Dockerfile</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">#1 sha256:8cd765381aabb90df3bcfbc06f4d175af37d66b85125d463585abc1fc878b94b</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">#1 transferring dockerfile: 1.81kB done</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic">#1 DONE 0.0s</span> </span></span><span style="display:flex;"><span>... </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Use <span style="color:#b44">&#39;docker scan&#39;</span> to run Snyk tests against images to find vulnerabilities and learn how to fix them </span></span><span style="display:flex;"><span>Image: devopps/falco-pod-delete:latest built. </span></span><span style="display:flex;"><span><span style="color:#666">[</span>0<span style="color:#666">]</span> &lt; Building falco-pod-delete <span style="color:#a2f;font-weight:bold">done</span> in 1.31s. </span></span><span style="display:flex;"><span><span style="color:#666">[</span>0<span style="color:#666">]</span> Worker <span style="color:#a2f;font-weight:bold">done</span>. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Total build time: 1.31s </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#666">[</span>0<span style="color:#666">]</span> &gt; Pushing falco-pod-delete <span style="color:#666">[</span>devopps/falco-pod-delete:latest<span style="color:#666">]</span>. </span></span><span style="display:flex;"><span>The push refers to repository <span style="color:#666">[</span>docker.io/devopps/falco-pod-delete<span style="color:#666">]</span> </span></span><span style="display:flex;"><span>8096edd09fbc: Layer already exists </span></span><span style="display:flex;"><span>464d68aca3d9: Layer already exists </span></span><span style="display:flex;"><span>e4766ea46ad0: Layer already exists </span></span><span style="display:flex;"><span>5f70bf18a086: Layer already exists </span></span><span style="display:flex;"><span>a823d50a5b72: Layer already exists </span></span><span style="display:flex;"><span>060f21486264: Layer already exists </span></span><span style="display:flex;"><span>8ea3b23f387b: Layer already exists </span></span><span style="display:flex;"><span>latest: digest: sha256:f94abba203232b97cb2873ef5d60eec31b52d492f3d3ee106d6a9877bf131d95 size: <span style="color:#666">1782</span> </span></span><span style="display:flex;"><span><span style="color:#666">[</span>0<span style="color:#666">]</span> &lt; Pushing falco-pod-delete <span style="color:#666">[</span>devopps/falco-pod-delete:latest<span style="color:#666">]</span> <span style="color:#a2f;font-weight:bold">done</span>. </span></span><span style="display:flex;"><span><span style="color:#666">[</span>0<span style="color:#666">]</span> Worker <span style="color:#a2f;font-weight:bold">done</span>. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Deploying: falco-pod-delete. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Deployed. <span style="color:#666">202</span> Accepted. </span></span><span style="display:flex;"><span>URL: http://127.0.0.1:8080/function/falco-pod-delete </span></span></code></pre></div><p>Check if everything is working before moving to the next step:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace openfaas-fn </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-pod-delete-7dc9f5fbb8-gbfk7 1/1 Running <span style="color:#666">0</span> 27s </span></span></code></pre></div><h2 id="test-our-function">Test our function</h2> <p>We start by creating a dumb pod:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl run alpine --namespace default --image<span style="color:#666">=</span>alpine --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span><span style="display:flex;"><span>pod/alpine created </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace default </span></span><span style="display:flex;"><span>AME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Running <span style="color:#666">0</span> 11s </span></span></code></pre></div><p>Let's run a <em>shell</em> command inside and see what happens:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl <span style="color:#a2f">exec</span> -i --tty alpine --namespace default -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>19:27:21 up <span style="color:#666">50</span> min, load average: 0.11, 0.12, 0.11 </span></span></code></pre></div><p>As expected we got the result of our command, but, if we get the status of the pod we retrieve:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods --namespace default </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Terminating <span style="color:#666">0</span> 103s </span></span></code></pre></div><p>πŸ’₯ <strong>It has been terminated</strong> πŸ’₯</p> <p>We can now check the logs of components.</p> <p>For <code>Falco</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs daemonset/falco --namespace falco </span></span><span style="display:flex;"><span>.. </span></span><span style="display:flex;"><span><span style="color:#666">{</span><span style="color:#b44">&#34;output&#34;</span>:<span style="color:#b44">&#34;19:27:21.002873265: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=alpine container=97c9868ea832 shell=sh parent=runc cmdline=sh -c uptime terminal=34816 container_id=97c9868ea832 image=alpine) k8s.ns=default k8s.pod=alpine container=97c9868ea832&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span>:<span style="color:#b44">&#34;Notice&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span>:<span style="color:#b44">&#34;Terminal shell in container&#34;</span>,<span style="color:#b44">&#34;time&#34;</span>:<span style="color:#b44">&#34;2021-04-10T19:27:21.002873265Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span>: <span style="color:#666">{</span><span style="color:#b44">&#34;container.id&#34;</span>:<span style="color:#b44">&#34;97c9868ea832&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;evt.time&#34;</span>:1618082841002873265,<span style="color:#b44">&#34;k8s.ns.name&#34;</span>:<span style="color:#b44">&#34;default&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span>:<span style="color:#b44">&#34;sh -c uptime&#34;</span>,<span style="color:#b44">&#34;proc.name&#34;</span>:<span style="color:#b44">&#34;sh&#34;</span>,<span style="color:#b44">&#34;proc.pname&#34;</span>:<span style="color:#b44">&#34;runc&#34;</span>,<span style="color:#b44">&#34;proc.tty&#34;</span>:34816,<span style="color:#b44">&#34;user.loginuid&#34;</span>:-1,<span style="color:#b44">&#34;user.name&#34;</span>:<span style="color:#b44">&#34;root&#34;</span><span style="color:#666">}}</span> </span></span><span style="display:flex;"><span><span style="color:#666">{</span><span style="color:#b44">&#34;output&#34;</span>:<span style="color:#b44">&#34;19:27:21.038853452: Notice Unexpected connection to K8s API Server from container (command=handler k8s.ns=openfaas-fn k8s.pod=falco-pod-delete-7dc9f5fbb8-gbfk7 container=12fc4de5ccc3 image=devopps/falco-pod-delete:latest connection=172.17.0.9:43812-&gt;10.96.0.1:443) k8s.ns=openfaas-fn k8s.pod=falco-pod-delete-7dc9f5fbb8-gbfk7 container=12fc4de5ccc3&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span>:<span style="color:#b44">&#34;Notice&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span>:<span style="color:#b44">&#34;Contact K8S API Server From Container&#34;</span>,<span style="color:#b44">&#34;time&#34;</span>:<span style="color:#b44">&#34;2021-04-10T19:27:21.038853452Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span>: <span style="color:#666">{</span><span style="color:#b44">&#34;container.id&#34;</span>:<span style="color:#b44">&#34;12fc4de5ccc3&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span>:<span style="color:#b44">&#34;devopps/falco-pod-delete&#34;</span>,<span style="color:#b44">&#34;container.image.tag&#34;</span>:<span style="color:#b44">&#34;latest&#34;</span>,<span style="color:#b44">&#34;evt.time&#34;</span>:1618082841038853452,<span style="color:#b44">&#34;fd.name&#34;</span>:<span style="color:#b44">&#34;172.17.0.9:43812-&gt;10.96.0.1:443&#34;</span>,<span style="color:#b44">&#34;k8s.ns.name&#34;</span>:<span style="color:#b44">&#34;openfaas-fn&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span>:<span style="color:#b44">&#34;falco-pod-delete-7dc9f5fbb8-gbfk7&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span>:<span style="color:#b44">&#34;handler&#34;</span><span style="color:#666">}}</span> </span></span></code></pre></div><p>For <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs deployment/falcosidekick --namespace falco </span></span><span style="display:flex;"><span>2021/04/10 19:27:21 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : OpenFaas - Post OK <span style="color:#666">(</span>200<span style="color:#666">)</span> </span></span><span style="display:flex;"><span>2021/04/10 19:27:21 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : OpenFaas - Function Response : OK </span></span><span style="display:flex;"><span>2021/04/10 19:27:21 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : OpenFaas - Call Function <span style="color:#b44">&#34;falco-pod-delete.openfaas-fn&#34;</span> OK </span></span><span style="display:flex;"><span>.. </span></span></code></pre></div><p>For <em>falco-delete-pod</em> function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ faas-cli logs -f --name falco-pod-delete </span></span><span style="display:flex;"><span>2021/04/10 19:34:03 Deleting pod alpine from namespace default </span></span><span style="display:flex;"><span>2021/04/10 19:34:03 POST / - <span style="color:#666">200</span> OK - ContentLength: <span style="color:#666">2</span> </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>With this really simple example, we only scratched the surface of possibilities, so don't hesitate to share with us on Slack (<a href="https://kubernetes.slack.com">https://kubernetes.slack.com</a> #falco) your comments, ideas and successes. You're also always welcome to <a href="https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md">contribute</a>.</p>Blog: Kubernetes Response Engine, Part 1: Falcosidekick + Kubelesshttps://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/Fri, 15 Jan 2021 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-1-kubeless/ <blockquote> <p><em>This blog post is part of a series of articles about how to create a <code>Kubernetes</code> response engine with <code>Falco</code>, <code>Falcosidekick</code> and a <code>FaaS</code>.</em></p> <p>See other posts:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-2-openfaas/">Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-3-knative/">Kubernetes Response Engine, Part 3 : Falcosidekick + Knative</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-4-tekton/">Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-5-argo/">Kubernetes Response Engine, Part 5 : Falcosidekick + Argo</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-6-cloud-run/">Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falcosidekick-response-engine-part-7-cloud-functions/">Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functions</a></li> </ul> </blockquote> <hr> <p>Two years ago, we presented to you a <code>Kubernetes Response Engine</code> based on <code>Falco</code>. The idea was to trigger <a href="https://kubeless.io"><code>Kubeless</code></a> serverless functions for deleting infected pod, start a <code>Sysdig</code> capture or forward the <code>events</code> to <code>GCP PubSub</code>. See the <a href="https://github.com/falcosecurity/kubernetes-response-engine">README</a>.</p> <p>To avoid maintaining this custom stack, we worked hard with the community to integrate all components into <a href="https://github.com/falcosecurity/falcosidekick"><code>Falcosidekick</code></a> and to improve the UX. With the last release <a href="https://github.com/falcosecurity/falcosidekick/releases/tag/2.20.0"><code>2.20.0</code></a> we have the finale piece, the integration of <code>Kubeless</code> as native output. More details in <a href="https://falco.org/blog/falcosidekick-2020/">our retrospective of 2020</a>.</p> <p>In this blog post, we will explain the basic concepts for integrating your own Response Engine into K8S with the stack <code>Falco</code> + <code>Falcosidekick</code> + <code>Kubeless</code>.</p> <h2 id="requirements">Requirements</h2> <p>We require a <code>kubernetes</code> cluster running at least <code>1.17</code> release and <a href="https://helm.sh"><code>helm</code></a> and <code>kubectl</code> installed.</p> <h2 id="install-kubeless">Install Kubeless</h2> <p>Follow the official <a href="https://kubeless.io/docs/quick-start/">quick start</a> page:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#a2f">export</span> <span style="color:#b8860b">RELEASE</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>curl -s https://api.github.com/repos/kubeless/kubeless/releases/latest | grep tag_name | cut -d <span style="color:#b44">&#39;&#34;&#39;</span> -f 4<span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>kubectl create ns kubeless </span></span><span style="display:flex;"><span>kubectl create -f https://github.com/kubeless/kubeless/releases/download/<span style="color:#b8860b">$RELEASE</span>/kubeless-<span style="color:#b8860b">$RELEASE</span>.yaml </span></span></code></pre></div><p>After a few seconds, we can check that the controller is up and running:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n kubeless </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>kubeless-controller-manager-99459cb67-tb99d 3/3 Running <span style="color:#666">3</span> 2m34s </span></span></code></pre></div><h2 id="install-falco">Install Falco</h2> <p>Firstly, we'll create the namespace that will use both <code>Falco</code> and <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create ns falco </span></span></code></pre></div><p>Add the <code>helm</code> repo:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span></code></pre></div><p>In a real project, you should get the whole chart with <code>helm pull falcosecurity/falco --untar</code> and then configure the <code>values.yaml</code>. For this tutorial, we will try to keep things as easy as possible and set configs directly by <code>helm install</code> command:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm install falco falcosecurity/falco --set falco.jsonOutput<span style="color:#666">=</span><span style="color:#a2f">true</span> --set falco.httpOutput.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> --set falco.httpOutput.url<span style="color:#666">=</span>http://falcosidekick:2801 -n falco </span></span></code></pre></div><p>You should get this output:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>NAME: falco </span></span><span style="display:flex;"><span>LAST DEPLOYED: Thu Jan <span style="color:#666">14</span> 23:43:46 <span style="color:#666">2021</span> </span></span><span style="display:flex;"><span>NAMESPACE: falco </span></span><span style="display:flex;"><span>STATUS: deployed </span></span><span style="display:flex;"><span>REVISION: <span style="color:#666">1</span> </span></span><span style="display:flex;"><span>TEST SUITE: None </span></span><span style="display:flex;"><span>NOTES: </span></span><span style="display:flex;"><span>Falco agents are spinning up on each node in your cluster. After a few </span></span><span style="display:flex;"><span>seconds, they are going to start monitoring your containers looking <span style="color:#a2f;font-weight:bold">for</span> </span></span><span style="display:flex;"><span>security issues. </span></span><span style="display:flex;"><span>No further action should be required. </span></span></code></pre></div><p>And you can see your new <code>Falco</code> pods:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n falco </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>falco-ctmzg 1/1 Running <span style="color:#666">0</span> 111s </span></span><span style="display:flex;"><span>falco-sfnn8 1/1 Running <span style="color:#666">0</span> 111s </span></span><span style="display:flex;"><span>falco-rrg28 1/1 Running <span style="color:#666">0</span> 111s </span></span></code></pre></div><p>The arguments <code>--set falco.jsonOutput=true --set falco.httpOutput.enabled=true --set falco.httpOutput.url=http://falcosidekick:2801</code> are there configuring the format of events and the URL where <code>Falco</code> will send them. As <code>Falco</code> and <code>Falcosidekick</code> will be in the same namespace, we can directly use the name of the service (<code>falcosidekick</code>).</p> <h2 id="install-falcosidekick">Install Falcosidekick</h2> <p>The process is quite the same:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm install falcosidekick falcosecurity/falcosidekick --set config.kubeless.namespace<span style="color:#666">=</span>kubeless --set config.kubeless.function<span style="color:#666">=</span>delete-pod -n falco </span></span></code></pre></div><p>You should get this output:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>NAME: falcosidekick </span></span><span style="display:flex;"><span>LAST DEPLOYED: Thu Jan <span style="color:#666">14</span> 23:55:12 <span style="color:#666">2021</span> </span></span><span style="display:flex;"><span>NAMESPACE: falco </span></span><span style="display:flex;"><span>STATUS: deployed </span></span><span style="display:flex;"><span>REVISION: <span style="color:#666">1</span> </span></span><span style="display:flex;"><span>NOTES: </span></span><span style="display:flex;"><span>1. Get the application URL by running these commands: </span></span><span style="display:flex;"><span> <span style="color:#a2f">export</span> <span style="color:#b8860b">POD_NAME</span><span style="color:#666">=</span><span style="color:#a2f;font-weight:bold">$(</span>kubectl get pods --namespace falco -l <span style="color:#b44">&#34;app.kubernetes.io/name=falcosidekick,app.kubernetes.io/instance=falcosidekick&#34;</span> -o <span style="color:#b8860b">jsonpath</span><span style="color:#666">=</span><span style="color:#b44">&#34;{.items[0].metadata.name}&#34;</span><span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span> kubectl port-forward <span style="color:#b8860b">$POD_NAME</span> 2801:2801 </span></span><span style="display:flex;"><span> <span style="color:#a2f">echo</span> <span style="color:#b44">&#34;Visit http://127.0.0.1:2801 to use your application&#34;</span> </span></span></code></pre></div><p>We check the logs:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl logs deployment/falcosidekick -n falco </span></span><span style="display:flex;"><span>2021/01/14 22:55:31 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Enabled Outputs : Kubeless </span></span><span style="display:flex;"><span>2021/01/14 22:55:31 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Falco Sidekick is up and listening on port <span style="color:#666">2801</span> </span></span></code></pre></div><p><code>Kubeless</code> is displayed as enabled output, everything is good πŸ‘.</p> <p>That's it, we really tried to get a nice UX πŸ˜‰.</p> <h2 id="install-our-kubeless-function">Install our Kubeless function</h2> <p>We'll not explain how to write or how to work <code>Kubeless</code> functions, please read the official <a href="https://kubeless.io/docs/">docs</a> for more information.</p> <p>Our basic function will receive events from <code>Falco</code>, thanks to <code>Falcosidekick</code>. Check if the triggered rule is <em>Terminal Shell in container</em>. See <a href="https://github.com/falcosecurity/falco/blob/0d7068b048772b1e2d3ca5c86c30b3040eac57df/rules/falco_rules.yaml#L2063">rule</a>, extract the <em>namespace</em> and <em>pod name</em> from fields of events, and delete the according pod:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">from</span> <span style="color:#00f;font-weight:bold">kubernetes</span> <span style="color:#a2f;font-weight:bold">import</span> client,config </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>config<span style="color:#666">.</span>load_incluster_config() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">def</span> <span style="color:#00a000">delete_pod</span>(event, context): </span></span><span style="display:flex;"><span> rule <span style="color:#666">=</span> event[<span style="color:#b44">&#39;data&#39;</span>][<span style="color:#b44">&#39;rule&#39;</span>] <span style="color:#a2f;font-weight:bold">or</span> <span style="color:#a2f;font-weight:bold">None</span> </span></span><span style="display:flex;"><span> output_fields <span style="color:#666">=</span> event[<span style="color:#b44">&#39;data&#39;</span>][<span style="color:#b44">&#39;output_fields&#39;</span>] <span style="color:#a2f;font-weight:bold">or</span> <span style="color:#a2f;font-weight:bold">None</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a2f;font-weight:bold">if</span> rule <span style="color:#a2f;font-weight:bold">and</span> rule <span style="color:#666">==</span> <span style="color:#b44">&#34;Terminal shell in container&#34;</span> <span style="color:#a2f;font-weight:bold">and</span> output_fields: </span></span><span style="display:flex;"><span> <span style="color:#a2f;font-weight:bold">if</span> output_fields[<span style="color:#b44">&#39;k8s.ns.name&#39;</span>] <span style="color:#a2f;font-weight:bold">and</span> output_fields[<span style="color:#b44">&#39;k8s.pod.name&#39;</span>]: </span></span><span style="display:flex;"><span> pod <span style="color:#666">=</span> output_fields[<span style="color:#b44">&#39;k8s.pod.name&#39;</span>] </span></span><span style="display:flex;"><span> namespace <span style="color:#666">=</span> output_fields[<span style="color:#b44">&#39;k8s.ns.name&#39;</span>] </span></span><span style="display:flex;"><span> <span style="color:#a2f">print</span> (<span style="color:#b44">f</span><span style="color:#b44">&#34;Deleting pod </span><span style="color:#b62;font-weight:bold">\&#34;</span><span style="color:#b68;font-weight:bold">{</span>pod<span style="color:#b68;font-weight:bold">}</span><span style="color:#b62;font-weight:bold">\&#34;</span><span style="color:#b44"> in namespace </span><span style="color:#b62;font-weight:bold">\&#34;</span><span style="color:#b68;font-weight:bold">{</span>namespace<span style="color:#b68;font-weight:bold">}</span><span style="color:#b62;font-weight:bold">\&#34;</span><span style="color:#b44">&#34;</span>) </span></span><span style="display:flex;"><span> client<span style="color:#666">.</span>CoreV1Api()<span style="color:#666">.</span>delete_namespaced_pod(name<span style="color:#666">=</span>pod, namespace<span style="color:#666">=</span>namespace, body<span style="color:#666">=</span>client<span style="color:#666">.</span>V1DeleteOptions()) </span></span></code></pre></div><p>Basically, the process is:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span> +----------+ +---------------+ +----------+ </span></span><span style="display:flex;"><span> | Falco +-----------------&gt; Falcosidekick +--------------------&gt; Kubeless | </span></span><span style="display:flex;"><span> +----^-----+ sends event +---------------+ triggers +-----+----+ </span></span><span style="display:flex;"><span> | | </span></span><span style="display:flex;"><span>detects a shell | | </span></span><span style="display:flex;"><span> | | </span></span><span style="display:flex;"><span> +----+-------+ deletes | </span></span><span style="display:flex;"><span> | Pwned Pod &lt;----------------------------------------------------------+ </span></span><span style="display:flex;"><span> +------------+ </span></span></code></pre></div><p>Before deploying our function, we need to create a <code>ServiceAccount</code> for it, as it will need the right to delete a pod in any namespace:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -n kubeless -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role </span></span></span><span style="display:flex;"><span><span style="color:#b44">rules: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - apiGroups: [&#34;&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> resources: [&#34;pods&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> verbs: [&#34;get&#34;, &#34;list&#34;, &#34;delete&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#b44">--- </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: ClusterRoleBinding </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role-binding </span></span></span><span style="display:flex;"><span><span style="color:#b44">roleRef: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kind: ClusterRole </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete-cluster-role </span></span></span><span style="display:flex;"><span><span style="color:#b44"> apiGroup: rbac.authorization.k8s.io </span></span></span><span style="display:flex;"><span><span style="color:#b44">subjects: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace: kubeless </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>namespace: kubelessetetion.k8s.io </span></span><span style="display:flex;"><span>serviceaccount/falco-pod-delete created </span></span><span style="display:flex;"><span>clusterrole.rbac.authorization.k8s.io/falco-pod-delete-cluster-role created </span></span><span style="display:flex;"><span>clusterrolebinding.rbac.authorization.k8s.io/falco-pod-delete-cluster-role-binding created </span></span></code></pre></div><p>Only remains the installation of our function itself:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>cat <span style="color:#b44">&lt;&lt;EOF | kubectl apply -n kubeless -f - </span></span></span><span style="display:flex;"><span><span style="color:#b44">apiVersion: kubeless.io/v1beta1 </span></span></span><span style="display:flex;"><span><span style="color:#b44">kind: Function </span></span></span><span style="display:flex;"><span><span style="color:#b44">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> finalizers: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> - kubeless.io/function </span></span></span><span style="display:flex;"><span><span style="color:#b44"> generation: 1 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> labels: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> created-by: kubeless </span></span></span><span style="display:flex;"><span><span style="color:#b44"> function: delete-pod </span></span></span><span style="display:flex;"><span><span style="color:#b44"> name: delete-pod </span></span></span><span style="display:flex;"><span><span style="color:#b44">spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> checksum: sha256:a68bf570ea30e578e392eab18ca70dbece27bce850a8dbef2586eff55c5c7aa0 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> deps: | </span></span></span><span style="display:flex;"><span><span style="color:#b44"> kubernetes&gt;=12.0.1 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> function-content-type: text </span></span></span><span style="display:flex;"><span><span style="color:#b44"> function: |- </span></span></span><span style="display:flex;"><span><span style="color:#b44"> from kubernetes import client,config </span></span></span><span style="display:flex;"><span><span style="color:#b44"> </span></span></span><span style="display:flex;"><span><span style="color:#b44"> config.load_incluster_config() </span></span></span><span style="display:flex;"><span><span style="color:#b44"> </span></span></span><span style="display:flex;"><span><span style="color:#b44"> def delete_pod(event, context): </span></span></span><span style="display:flex;"><span><span style="color:#b44"> rule = event[&#39;data&#39;][&#39;rule&#39;] or None </span></span></span><span style="display:flex;"><span><span style="color:#b44"> output_fields = event[&#39;data&#39;][&#39;output_fields&#39;] or None </span></span></span><span style="display:flex;"><span><span style="color:#b44"> </span></span></span><span style="display:flex;"><span><span style="color:#b44"> if rule and rule == &#34;Terminal shell in container&#34; and output_fields: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> if output_fields[&#39;k8s.ns.name&#39;] and output_fields[&#39;k8s.pod.name&#39;]: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> pod = output_fields[&#39;k8s.pod.name&#39;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> namespace = output_fields[&#39;k8s.ns.name&#39;] </span></span></span><span style="display:flex;"><span><span style="color:#b44"> print (f&#34;Deleting pod \&#34;{pod}\&#34; in namespace \&#34;{namespace}\&#34;&#34;) </span></span></span><span style="display:flex;"><span><span style="color:#b44"> client.CoreV1Api().delete_namespaced_pod(name=pod, namespace=namespace, body=client.V1DeleteOptions()) </span></span></span><span style="display:flex;"><span><span style="color:#b44"> handler: delete-pod.delete_pod </span></span></span><span style="display:flex;"><span><span style="color:#b44"> runtime: python3.7 </span></span></span><span style="display:flex;"><span><span style="color:#b44"> deployment: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> template: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> spec: </span></span></span><span style="display:flex;"><span><span style="color:#b44"> serviceAccountName: falco-pod-delete </span></span></span><span style="display:flex;"><span><span style="color:#b44">EOF</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#a2f;font-weight:bold">function</span>.kubeless.io/delete-pod created </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n kubeless </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>kubeless-controller-manager-99459cb67-tb99d 3/3 Running <span style="color:#666">3</span> 3d14h </span></span><span style="display:flex;"><span>delete-pod-d6f98f6dd-cw228 1/1 Running <span style="color:#666">0</span> 2m52s </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get svc -n kubeless </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span style="color:#666">(</span>S<span style="color:#666">)</span> AGE </span></span><span style="display:flex;"><span>delete-pod ClusterIP 10.43.211.201 &lt;none&gt; 8080/TCP 4m38s </span></span></code></pre></div><h2 id="test-our-function">Test our function</h2> <p>We start by creating a dumb pod:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl run alpine -n default --image<span style="color:#666">=</span>alpine --restart<span style="color:#666">=</span><span style="color:#b44">&#39;Never&#39;</span> -- sh -c <span style="color:#b44">&#34;sleep 600&#34;</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n default </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Running <span style="color:#666">0</span> 9s </span></span></code></pre></div><p>Let's run a <em>shell</em> command inside and see what happens:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl <span style="color:#a2f">exec</span> -i --tty alpine -n default -- sh -c <span style="color:#b44">&#34;uptime&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>23:44:25 up <span style="color:#666">1</span> day, 19:11, load average: 0.87, 0.77, 0.77 </span></span></code></pre></div><p>As expected, we got the result of our command, but, to get the status of the pod now:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl get pods -n default </span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>alpine 1/1 Terminating <span style="color:#666">0</span> 103s </span></span></code></pre></div><p>πŸ’₯ <strong>It has been terminated</strong> πŸ’₯</p> <p>We can now check the logs of components.</p> <p>For <code>Falco</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl logs daemonset/falco -n falco </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#666">{</span><span style="color:#b44">&#34;output&#34;</span>:<span style="color:#b44">&#34;23:39:44.834631763: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=alpine container=5892b41bcf46 shell=sh parent=&lt;NA&gt; cmdline=sh terminal=34817 container_id=5892b41bcf46 image=&lt;NA&gt;) k8s.ns=default k8s.pod=alpine container=5892b41bcf46&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span>:<span style="color:#b44">&#34;Notice&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span>:<span style="color:#b44">&#34;Terminal shell in container&#34;</span>,<span style="color:#b44">&#34;time&#34;</span>:<span style="color:#b44">&#34;2021-01-14T23:39:44.834631763Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span>: <span style="color:#666">{</span><span style="color:#b44">&#34;container.id&#34;</span>:<span style="color:#b44">&#34;5892b41bcf46&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span>:null,<span style="color:#b44">&#34;evt.time&#34;</span>:1610667584834631763,<span style="color:#b44">&#34;k8s.ns.name&#34;</span>:<span style="color:#b44">&#34;default&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span>:<span style="color:#b44">&#34;alpine&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span>:<span style="color:#b44">&#34;sh&#34;</span>,<span style="color:#b44">&#34;proc.name&#34;</span>:<span style="color:#b44">&#34;sh&#34;</span>,<span style="color:#b44">&#34;proc.pname&#34;</span>:null,<span style="color:#b44">&#34;proc.tty&#34;</span>:34817,<span style="color:#b44">&#34;user.loginuid&#34;</span>:-1,<span style="color:#b44">&#34;user.name&#34;</span>:<span style="color:#b44">&#34;root&#34;</span><span style="color:#666">}}</span> </span></span></code></pre></div><p>For <code>Falcosidekick</code>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl logs deployment/falcosidekick -n falco </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>2021/01/14 23:39:45 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Kubeless - Post OK <span style="color:#666">(</span>200<span style="color:#666">)</span> </span></span><span style="display:flex;"><span>2021/01/14 23:39:45 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Kubeless - Function Response : </span></span><span style="display:flex;"><span>2021/01/14 23:39:45 <span style="color:#666">[</span>INFO<span style="color:#666">]</span> : Kubeless - Call Function <span style="color:#b44">&#34;delete-pod&#34;</span> OK </span></span></code></pre></div><p><em>(Notice, the function returns nothing, this is why the message log is empty)</em></p> <p>For <code>delete-pod</code> function:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl logs deployment/delete-pod -n kubeless </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>10.42.0.31 - - <span style="color:#666">[</span>14/Jan/2021:23:39:45 +0000<span style="color:#666">]</span> <span style="color:#b44">&#34;POST / HTTP/1.1&#34;</span> <span style="color:#666">200</span> <span style="color:#666">0</span> <span style="color:#b44">&#34;&#34;</span> <span style="color:#b44">&#34;Falcosidekick&#34;</span> 0/965744 </span></span><span style="display:flex;"><span>Deleting pod <span style="color:#b44">&#34;alpine&#34;</span> in namespace <span style="color:#b44">&#34;default&#34;</span> </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>With this simple example, we only scratched the surface of possibilities. Everything is possible now, so don't hesitate to share with us on Slack (<a href="https://kubernetes.slack.com">https://kubernetes.slack.com</a> #falco) your comments, ideas and successes. You're always welcome to <a href="https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md">contribute</a>.</p> <p><em>Bonus: You're running <code>Falcosidekick</code> outside <code>Kubernetes</code> but still want to use the <code>Kubeless</code> output? No problem, you can declare a kubeconfig file to use. See <a href="https://github.com/falcosecurity/falcosidekick/blob/master/README.md">README</a>.</em></p> <p><em>Bonus 2: For people who wants to use <code>Knative</code> in place of <code>Kubeless</code>, it's coming soon πŸ˜‰</em></p> <p><em>Enjoy</em></p>