Quoting from the official Falco website, Falco "is an open-source cloud-native runtime security project. Falco detects unexpected application behavior and alerts on threats at runtime. With Falco, you can create detection rules to define unexpected application behavior. These rules can be enriched by context from the cloud provider and Kubernetes environments." This guide describes how to secure a K3s cluster running on Civo, using Falco.

Before you begin

  • Create a managed K3s cluster using Civo. For more information, see starting a Civo Kubernetes cluster. If you do not yet have a Civo account, sign up for one here.
  • Ensure that you have installed kubectl to administer the cluster. For more information, see install kubectl.
  • Ensure that you are able to access the cluster from outside the cluster.
    • To manage a Civo K3s cluster, download the civo kubeconfig file and set the path for KUBECONFIG. For example, export KUBECONFIG=~/Downloads/civo-falco-kubeconfig. Alternatively, if you have the Civo CLI installed, you can run civo k3s config your-cluster-name --save --merge.
  • Ensure that you have installed Helm on an external machine from where you want to manage Kubernetes applications, such as your own machine.

Securing your K3s Cluster

  1. Create a falco namespace:

    kubectl create ns falco

  2. Add Falco to the helm repo:

    helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

  3. Install Falco: sh helm install falco falco/falcosecurity

    Output similar to the following appears: sh Name:falco LAST DEPLOYED: Tue Dec 1 16:56:49 2020 NAMESPACE: falco STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: Falco agents are spinning up on each node in your cluster. After a few seconds, they are going to start monitoring your containers looking for security issues. No further action should be required.

  4. Check the pods that are running on the cluster using kubectl get pods.

    Output similar to the following appears:

            NAME        READY   STATUS   RESTARTS   AGE
        falco-s6pn9  1/1    Running     0       75s
        falco-52zqb  1/1    Running     0       75s
        falco-rd46z  1/1    Running     0       75s

  5. Simulate a scenario by trying to ssh in as a root user on a node in the cluster, and check the logs using `kubectl logs <pod name>

    Output similar to the following appears:

    Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1         k8s.ns=default k8s.pod=falco-s6pn9 container=8873adbbf043 shell=bash parent=runc cmdline=bash terminal=34816 container_id=8873adbbf043 image=<NA>) k8s.ns=default k8s.pod=falco-s6pn9 container=8873adbbf043

Using Falco, you can detect policy violations using community-sourced detections of malicious activity and CVE exploits. You can then be alerted by plugging Falco into your current security response workflows and processes, such as Prometheus.