Background
Looking for a HIDS tool for your managed Kubernetes cluster? Falco with the eBPF probe is an easy way to get one. The eBPF probe is one of the three driver options Falco offers, and it is the one GKE recommends:
We suggest using the eBPF driver for running Falco on GKE.
Falco is a CNCF project; you can check it out at falco.org
Requirements
According to the official documentation, the requirements for the eBPF probe are:
- CONFIG_BPF_JIT enabled in the kernel
- the FALCO_BPF_PROBE environment variable set (an empty value selects the default probe path)
- net.core.bpf_jit_enable set to "1"
First, let's look at the current kernel version:
$ uname -r
5.4.170+
✅ Great! This kernel is recent enough (the Falco docs list 4.14 as the minimum for the eBPF probe).
Checking CONFIG_BPF_JIT:
$ grep CONFIG_BPF_JIT /boot/config-$(uname -r)
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT=y
✅ Okay, it's enabled. CONFIG_BPF_JIT_ALWAYS_ON=y additionally means the JIT cannot be switched off at runtime, so the sysctl check below is guaranteed to pass on this kernel.
Checking FALCO_BPF_PROBE: the Falco Helm chart's DaemonSet template sets the variable whenever ebpf.enabled is true:
{{- if .Values.ebpf.enabled }}
- name: FALCO_BPF_PROBE
value: {{ .Values.ebpf.path }}
{{- end }}
✅ Okay, the chart handles this by default; ebpf.path is empty unless you set it, which selects the default probe location.
Checking net.core.bpf_jit_enable:
$ sudo sysctl net.core.bpf_jit_enable
net.core.bpf_jit_enable = 1
✅ Okay, it's enabled.
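The three checks above, rolled into one script that can be run on a node or against captured values (an added example, not code from the original post or the Falco project; the 4.14 minimum kernel is taken from the Falco documentation for the eBPF probe, and the inputs used in the comments are constructed):

```shell
#!/bin/sh
# Added example (not from the original post or the Falco project): offline-testable
# checks for the three eBPF-probe requirements. Each function takes its input as an
# argument so it can be exercised against captured strings; run_live feeds it the
# real values from the current node.

# Minimum kernel assumed here: 4.14 (what the Falco docs list for the eBPF probe).
MIN_MAJOR=4
MIN_MINOR=14

# kernel_ok "5.4.170+" -> 0 when major.minor >= 4.14. The trailing "+" that
# GKE/COS kernels carry, and RHEL-style "-1160.el7" suffixes, are tolerated.
kernel_ok() {
    major=$(printf '%s' "$1" | cut -s -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$1" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    [ "$major" -gt "$MIN_MAJOR" ] || { [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; }
}

# jit_config_ok <kernel-config-file>: the kernel was built with CONFIG_BPF_JIT=y.
# ("# CONFIG_BPF_JIT is not set" is how a disabled option appears in that file.)
jit_config_ok() {
    grep -qx 'CONFIG_BPF_JIT=y' "$1"
}

# jit_sysctl_ok "<value>": the JIT is on. Accepts the raw sysctl output
# ("net.core.bpf_jit_enable = 1") or just the value; 2 is "on with debug output".
jit_sysctl_ok() {
    v=$(printf '%s' "$1" | sed 's/.*=//; s/[[:space:]]//g')
    [ "$v" = "1" ] || [ "$v" = "2" ]
}

# check_all <kernel> <config-file> <sysctl-value>: prints one line per requirement
# and returns the number of failed checks (0 = ready for the eBPF probe).
check_all() {
    fails=0
    if kernel_ok "$1"; then echo "ok   kernel $1"
    else echo "FAIL kernel $1 (need >= $MIN_MAJOR.$MIN_MINOR)"; fails=$((fails+1)); fi
    if jit_config_ok "$2"; then echo "ok   CONFIG_BPF_JIT=y"
    else echo "FAIL CONFIG_BPF_JIT not enabled in $2"; fails=$((fails+1)); fi
    if jit_sysctl_ok "$3"; then echo "ok   net.core.bpf_jit_enable=$3"
    else echo "FAIL net.core.bpf_jit_enable=$3 (want 1)"; fails=$((fails+1)); fi
    return "$fails"
}

# run_live: the same three checks against the node this script runs on.
run_live() {
    check_all "$(uname -r)" "/boot/config-$(uname -r)" \
        "$(sysctl -n net.core.bpf_jit_enable 2>/dev/null)"
}

case "${1:-}" in --live) run_live ;; esac
```

Run it as `sh check-ebpf-prereqs.sh --live` on a node (or in a privileged debug pod with the host's /boot and /proc visible); a non-zero exit status is the number of unmet requirements.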
Setup
The following Helm commands do the needed setup. The release goes into the falco namespace, which the commands further down inspect. (Newer chart releases select the driver with --set driver.kind=ebpf instead of ebpf.enabled, so check the values.yaml of the chart version you install.)
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco --namespace falco --create-namespace --set ebpf.enabled=true
You can add further parameters to the same Helm install to enable Falcosidekick together with its web UI:
...
--set falcosidekick.enabled=true \
--set falcosidekick.webui.enabled=true
Check the available parameters in the chart's values.yaml.
P.S.: you can also pass the same settings as a YAML file with -f values.yaml instead of --set flags.
The list of Falcosidekick outputs (Google Cloud Storage, Slack, webhooks, etc.) is in the Falcosidekick documentation.
You can look at the created objects with:
$ kubectl get all -n falco
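The install as a script, with the verification steps a practitioner wants afterwards: that the DaemonSet really carries FALCO_BPF_PROBE, that the pods roll out, and that a default rule fires end to end. This is an added example, not code from the original post or the Falco project; it assumes the chart layout used in this post (ebpf.enabled, falcosidekick.enabled, falcosidekick.webui.enabled), a DaemonSet named after the Helm release with a container called falco, and the default rule set. The busybox image and the falco-smoke pod name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Falco charts: install
# Falco with the eBPF probe plus Falcosidekick and its UI from a values file, then
# verify the running DaemonSet and trip a default rule. Assumes the chart layout
# used in the post and a DaemonSet named after the release with a "falco" container.
NS="${FALCO_NS:-falco}"
RELEASE="${FALCO_RELEASE:-falco}"

# write_values <path>: the values file equivalent to the --set flags in the post.
write_values() {
    cat > "$1" <<'EOF'
ebpf:
  enabled: true            # eBPF probe instead of the kernel module
falcosidekick:
  enabled: true            # forward events to Falcosidekick ...
  webui:
    enabled: true          # ... and expose its web UI
EOF
}

# values_enabled <path> <top-level-key>: 0 when "enabled: true" appears under that
# top-level key (nested blocks such as webui count towards their parent).
values_enabled() {
    awk -v want="$2:" '
        /^[^ #]/ { blk = $1 }
        blk == want && $1 == "enabled:" && $2 == "true" { found = 1 }
        END { exit !found }' "$1"
}

# install_falco <values-file>: idempotent install into $NS.
install_falco() {
    helm repo add falcosecurity https://falcosecurity.github.io/charts
    helm repo update
    helm upgrade --install "$RELEASE" falcosecurity/falco \
        --namespace "$NS" --create-namespace -f "$1"
}

# verify_probe: the DaemonSet must expose FALCO_BPF_PROBE (an empty value selects
# the default probe path) and every Falco pod must reach Running.
verify_probe() {
    kubectl -n "$NS" get ds "$RELEASE" \
        -o jsonpath='{.spec.template.spec.containers[*].env[?(@.name=="FALCO_BPF_PROBE")].name}' \
        | grep -q FALCO_BPF_PROBE || { echo "FALCO_BPF_PROBE missing from ds/$RELEASE"; return 1; }
    kubectl -n "$NS" rollout status "ds/$RELEASE" --timeout=180s
}

# smoke_test: reading /etc/shadow from an untrusted program trips the default
# "Read sensitive file untrusted" rule; the alert must appear in a Falco pod's log
# (and, with the sidekick enabled, in the UI). Works without a TTY, unlike the
# "Terminal shell in container" rule.
smoke_test() {
    kubectl -n "$NS" run falco-smoke --rm -i --restart=Never \
        --image=busybox:1.36 -- cat /etc/shadow >/dev/null 2>&1 || true
    sleep 5
    for pod in $(kubectl -n "$NS" get pods -o name | grep "^pod/$RELEASE-" | grep -v falcosidekick); do
        kubectl -n "$NS" logs "$pod" -c falco --since=2m
    done | grep -q 'Sensitive file opened' \
        && echo "smoke test: alert seen in Falco logs" \
        || { echo "smoke test: no alert in Falco logs"; return 1; }
}

case "${1:-}" in
    install)
        f=$(mktemp)
        write_values "$f"
        install_falco "$f" && verify_probe && smoke_test
        ;;
esac
```

Run `sh install-falco.sh install` against a cluster your kubeconfig points at; without the argument the script only defines the functions, which is what lets the values-file helpers be exercised offline.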
Ready
What's happening right now?
Run a port-forward to reach the UI:
kubectl port-forward svc/falco-falcosidekick-ui 2802:2802 -n falco
Done! Open localhost:2802/ui in the browser.
You'll see a page like this:
The default ruleset is applied. You can customize the rules to your needs.
Enjoy! Thanks.
EXTRAS
If you need to ship events outside the cluster through Pub/Sub (for example as a log sink), the following is useful.
Parameters for Falcosidekick (in the chart the Pub/Sub output lives under falcosidekick.config; besides the minimum priority it needs the project ID and topic, plus credentials for a service account allowed to publish to that topic, via falcosidekick.config.gcp.credentials or Workload Identity):
falcosidekick:
  enabled: true
  config:
    gcp:
      pubsub:
        projectid: "projeto-id"
        topic: "falco-topic"
        minimumpriority: "error"
Terraform for Google Pub/Sub (the topic plus a push subscription that forwards to Datadog; "projeto-id" is a placeholder project ID, and the API key should come from a secret source rather than be hard-coded, since it ends up in the push endpoint URL and in Terraform state):
module "falcosidekick_pubsub_output" {
  source     = "terraform-google-modules/pubsub/google"
  version    = "~> 3.2.0"
  topic      = "falco-topic"
  project_id = "projeto-id"
  push_subscriptions = [
    {
      name                 = "falco-subscription"
      push_endpoint        = "https://gcp-intake.logs.datadoghq.com/api/v2/logs?dd-api-key=${local.falco_api_key}&dd-protocol=gcp"
      ack_deadline_seconds = 20
      x-goog-version       = "v1beta1"
    }
  ]
}