Falco is an open-source security tool for Kubernetes designed to detect and alert on unusual behavior within a cluster. Initially developed by Sysdig, Falco monitors system activities in real-time and provides alerts for suspicious events. Its flexibility allows users to create custom rules to monitor various aspects of their containerized environments.
Falco offers runtime security across hosts, containers, Kubernetes, and cloud environments. It detects and alerts on abnormal behavior and potential security threats in real-time. At its core, Falco is an agent that monitors events (such as Linux kernel events and other data sources via plugins) and generates real-time alerts based on user-defined rules. It also enriches these events with contextual metadata from container runtimes and Kubernetes. The alerts can be forwarded to other systems for action or further analysis in SIEM or data lake systems.
Originally created by Sysdig, Falco is now a graduated project of the Cloud Native Computing Foundation (CNCF) and is used in production by various organizations.
Falco uses syscalls to monitor a system’s activity, by:
Falco’s monitoring capabilities are not limited to syscalls as it can be extended via plugins to ingest data from many more types of sources.
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco -n falco --set tty=true --create-namespace falcosecurity/falco
helm install falco -n falco --set tty=true falcosecurity/falco --create-namespace --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true
That’s it! We’ve now successfully installed and run Falco on a Kubernetes cluster.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: falco
spec:
  ingressClassName: nginx
  rules:
  - host:
    http:
      paths:
      - backend:
          service:
            name: falco-falcosidekick-ui
            port:
              number: 2802
        path: /
        pathType: Prefix
kubectl apply -f ingress.yaml -n falco
If necessary, the user can set the Falcosidekick UI credentials during the Falco installation by passing them to the Helm chart.
helm upgrade --install falco -n falco --set tty=true falcosecurity/falco \
--set falcosidekick.enabled=true \
--set falcosidekick.webui.enabled=true \
--set falcosidekick.webui.user=superuser:veryverystrongpassword
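The same settings can be kept in a values file together with a custom detection rule, which is how the custom rules mentioned at the top are normally shipped with the chart. The following is an added example, not from the original post; it assumes the chart's `customRules` value (which mounts extra rule files under /etc/falco/rules.d/) and the rule itself is constructed for illustration:

```yaml
# custom-values.yaml (added example, not part of the original post)
# Apply with:
#   helm upgrade --install falco -n falco --create-namespace falcosecurity/falco -f custom-values.yaml
tty: true
falcosidekick:
  enabled: true
  webui:
    enabled: true
    # Same user:password form the post sets with --set; replace before use
    user: "superuser:veryverystrongpassword"
# customRules: every key becomes a rule file loaded after the default ruleset
customRules:
  local-rules.yaml: |-
    # Constructed example rule: alert when an interactive shell binary is
    # executed inside a container. Written without the default-ruleset
    # macros so it is self-contained.
    - rule: Shell started in container
      desc: An interactive shell binary was executed inside a container
      condition: >
        evt.type in (execve, execveat) and evt.dir = < and
        container.id != host and
        proc.name in (bash, sh, zsh, dash)
      output: >
        Shell started in container
        (user=%user.name container=%container.name
        image=%container.image.repository cmd=%proc.cmdline parent=%proc.pname)
      priority: WARNING
      tags: [container, shell]
```

Because the values file carries the UI password, keep it out of version control or move that value into a separately managed secret; the rule fires on the next Falco restart, and `kubectl logs -n falco -l app.kubernetes.io/name=falco` shows the resulting alerts.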