Begin with Falco deployment on GKE


Background

What about a HIDS tool for your managed Kubernetes cluster? There is an easy way to get one: run Falco with the eBPF probe, one of the three available driver options. It is also the GKE recommendation:

We suggest using the eBPF driver for running Falco on GKE.

Falco is a CNCF project; you can check it out at falco.org

Requirements

In the official documentation, the requirements for using the eBPF probe are:

  1. CONFIG_BPF_JIT enabled
  2. FALCO_BPF_PROBE environment variable set to an empty value
  3. net.core.bpf_jit_enable set to "1"

First, let's look at the current kernel version:

$ uname -r
5.4.170+

✅ Great! It's supported.

Checking CONFIG_BPF_JIT:

$ grep CONFIG_BPF_JIT /boot/config-$(uname -r)
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT=y

✅ Okay, it's enabled.

Checking FALCO_BPF_PROBE:

{{- if .Values.ebpf.enabled }}
  - name: FALCO_BPF_PROBE
    value: {{ .Values.ebpf.path }}
{{- end }}

✅ Okay, the chart template sets that by default when ebpf.enabled is true.

Checking net.core.bpf_jit_enable:

$ sudo sysctl net.core.bpf_jit_enable
net.core.bpf_jit_enable = 1

✅ Okay, it's enabled.
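As an added example (not part of the original post), here is a small POSIX shell pre-flight script that bundles the three checks above so they can be run on any node before installing the chart. It assumes 4.14 as the minimum kernel version for the eBPF probe and falls back to /proc/config.gz when /boot/config-* is absent.

```shell
#!/bin/sh
# Added pre-flight script (not from the original post): checks the three eBPF
# requirements above. Each check is a function that takes the value to inspect,
# so it can be exercised with constructed input as well as on a live node.
# Assumption: kernel 4.14 is used as the minimum version for the eBPF probe.

# kernel_ok VERSION -> success when major.minor >= 4.14 (e.g. "5.4.170+")
kernel_ok() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2)
  [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 14 ]; }
}

# bpf_jit_config_ok FILE -> success when the kernel config has CONFIG_BPF_JIT=y
bpf_jit_config_ok() {
  grep -qx 'CONFIG_BPF_JIT=y' "$1"
}

# bpf_jit_sysctl_ok VALUE -> success when net.core.bpf_jit_enable is 1 or 2
# (2 additionally enables JIT debug output; 0 means the JIT is disabled)
bpf_jit_sysctl_ok() {
  [ "$1" = "1" ] || [ "$1" = "2" ]
}

# falco_ebpf_preflight -> runs all checks on the current host; returns 1 if any fail
falco_ebpf_preflight() {
  rc=0
  kver=$(uname -r)
  if kernel_ok "$kver"; then echo "OK   kernel $kver"
  else echo "FAIL kernel $kver is older than 4.14"; rc=1; fi

  cfg="/boot/config-$kver"
  if [ ! -r "$cfg" ] && [ -r /proc/config.gz ]; then
    cfg=$(mktemp) && zcat /proc/config.gz > "$cfg"   # fallback for nodes without /boot/config-*
  fi
  if [ -r "$cfg" ] && bpf_jit_config_ok "$cfg"; then echo "OK   CONFIG_BPF_JIT=y"
  else echo "FAIL CONFIG_BPF_JIT=y not found in $cfg"; rc=1; fi

  jit=$(sysctl -n net.core.bpf_jit_enable 2>/dev/null)
  if bpf_jit_sysctl_ok "$jit"; then echo "OK   net.core.bpf_jit_enable=$jit"
  else echo "FAIL net.core.bpf_jit_enable=${jit:-unset}"; rc=1; fi
  return "$rc"
}

# Run the live checks only when invoked with "run" (e.g. sh preflight.sh run).
if [ "${1:-}" = "run" ]; then falco_ebpf_preflight; fi
```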

Setup

The following Helm commands will do the needed setup (the release is placed in the falco namespace, which the later kubectl commands assume):

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco --namespace falco --create-namespace --set ebpf.enabled=true

You can pass additional parameters to the same Helm install to enable Falcosidekick together with its Web UI:

  ...
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true

Check out the available chart parameters here.

P.S.: instead of --set flags, you could load the values from a YAML file with the -f values.yaml parameter.

The list of Falcosidekick outputs is here: Google Cloud Storage, Slack, webhooks, etc.

You can look at the created objects with:

$ kubectl get all -n falco

Ready

What's happening right now?

Run a port-forward to access the UI:

kubectl port-forward svc/falco-falcosidekick-ui 2802:2802 -n falco

Done! Go to the browser: localhost:2802/ui

Then, you'll see the Falcosidekick UI page.

The default ruleset is applied. You can customize the rules and settings as you prefer.

Enjoy! Thanks.

EXTRAS

If you need to ship events outside the cluster through Pub/Sub (as a log sink), the following is useful.

Parameters for Falcosidekick

falcosidekick:
  enabled: true
  config:
    gcp:
      # credentials: base64-encoded service-account JSON; on GKE you can use
      # Workload Identity instead of embedding a key here
      pubsub:
        projectid: "projeto-id"   # placeholder; same project as the Terraform below
        topic: "falco-topic"      # topic created by the Terraform below
        minimumpriority: "error"

Terraform for Google PubSub

# local.falco_api_key is defined elsewhere (not shown); keep it in a sensitive
# variable or secret store, since it ends up embedded in the push endpoint URL.
module "falcosidekick_pubsub_output" {
  source  = "terraform-google-modules/pubsub/google"
  version = "~> 3.2.0"

  topic      = "falco-topic"   # must match Falcosidekick's gcp.pubsub.topic
  project_id = "projeto-id"    # placeholder project id

  # Push subscription that forwards each Pub/Sub message to Datadog's GCP log intake.
  push_subscriptions = [
    {
      name                 = "falco-subscription"
      push_endpoint        = "https://gcp-intake.logs.datadoghq.com/api/v2/logs?dd-api-key=${local.falco_api_key}&dd-protocol=gcp"
      ack_deadline_seconds = 20
      x-goog-version       = "v1beta1"
    }
  ]
}