Setting up Falco + falcosidekick + UI in a Kubernetes cluster

Today, cloud native security is more and more important. Falco is Sysdig's open source cloud security tool.

We can install it on an independent host or in a Kubernetes cluster. Please refer to the previous post about the basics and installing Falco:

Change each independent machine's hostname to a meaningful name (the hostname is carried in every Falco event, so it identifies the source host)

hostnamectl set-hostname qa-performance-testing

Change the macro so that Falco ignores its own writes

  • edit /etc/falco/falco_rules.yaml to exclude the event that Falco itself generates when its upgrade check tests whether /etc/falco is writable
# add /etc/falco/._check_writable to the "not fd.name in (...)" exclusion of the write_etc_common macro
# (only the changed line of the condition is shown)
 - macro: write_etc_common
   condition: >
        and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc, /etc/falco/._check_writable)
  • restart the Falco service: systemctl restart falco-bpf

Custom compile the kernel driver

#!/usr/bin/env bash

# build the eBPF probe (.o) and kernel module (.ko) for a specific Amazon Linux 2 kernel release with driverkit
docker run -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/output:/falco/output -ti  falcosecurity/driverkit:latest driverkit docker --kernelrelease 5.4.238-148.346.amzn2.x86_64  --target amazonlinux2 --output-module /falco/output/5.4.238-148.346.ko --output-probe /falco/output/5.4.238-148.346.o --kernelurls "http://52.45.193.166/mirrors/http/amazonlinux.us-east-1.amazonaws.com/amazon_linux_2/kernel-devel-5.4.238-148.346.amzn2.x86_64.rpm" --driverversion 4.0.0+driver

# you can also browse the distro package download pages to find the header URLs for other kernel versions
docker run -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/:/tmp -ti --rm  falcosecurity/driverkit:latest driverkit docker --kernelrelease 5.13.0-1022-aws  --target ubuntu-aws --output-module /tmp/falco_ubuntu-aws_5.13.0-1022-aws_24.ko --output-probe /tmp/falco_ubuntu-aws_5.13.0-1022-aws_24.o --kernelurls "http://security.ubuntu.com/ubuntu/pool/main/l/linux-aws-5.13/linux-aws-5.13-headers-5.13.0-1022_5.13.0-1022.24~20.04.1_all.deb,http://security.ubuntu.com/ubuntu/pool/main/l/linux-aws-5.13/linux-headers-5.13.0-1022-aws_5.13.0-1022.24~20.04.1_amd64.deb" --driverversion 4.0.0+driver
  • --driverversion must reference a version of the Falco driver libs; you can use a branch, a tag, or a commit id to compile the probe
  • with snap-installed Docker the output may land in a randomly named host temp folder; you can locate it with tree
├── snap-private-tmp
│   └── snap.docker
│       └── tmp
│           └── output
│               └── output
│                   ├── 5.4.238-148.346.ko
│                   ├── 5.4.238-148.346.o
  • Use a custom URL to load the driver
# set the environment variable that points falco-driver-loader at your own driver repository
export DRIVERS_REPO=http://localhost:8080
# the HTTP server must serve the static files with the following layout:
# {WEB_ROOT}/4.0.0+driver/x86_64/*.o
# the loader URL-encodes the '+' in the driver version, so it will request:
# http://localhost:8080/4.0.0%2Bdriver/x86_64/falco_ubuntu-aws_5.13.0-1022-aws_24.o
# load the driver
falco-driver-loader bpf
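To make the layout above concrete, here is an added example (not part of the original post) that stages the probes and modules produced by driverkit into the directory structure falco-driver-loader expects under DRIVERS_REPO, and computes the exact URL the loader will request. The driverkit output directory /tmp/output and the web root /srv/falco-drivers are assumed.

```shell
#!/usr/bin/env sh
# Added example: stage driverkit output for a custom DRIVERS_REPO and compute the loader URL.
# Assumed paths: driverkit output in /tmp/output, static web root in /srv/falco-drivers.

DRIVER_VERSION="4.0.0+driver"
ARCH="x86_64"

# falco-driver-loader URL-encodes the driver version; the only special character in a
# driver version tag is '+', which becomes %2B.
url_encode_version() {
    printf '%s' "$1" | sed 's/+/%2B/g'
}

# Build the URL the loader requests for one driver file.
# usage: driver_url <repo-base-url> <driver-version> <arch> <driver-file-name>
driver_url() {
    printf '%s/%s/%s/%s\n' "$1" "$(url_encode_version "$2")" "$3" "$4"
}

# Copy every probe (.o) and module (.ko) from the driverkit output directory into
# <web-root>/<driver-version>/<arch>/ and print how many files were staged.
# usage: stage_drivers <driverkit-output-dir> <web-root> <driver-version> <arch>
stage_drivers() {
    src="$1"
    dest="$2/$3/$4"
    mkdir -p "$dest"
    n=0
    for f in "$src"/*.o "$src"/*.ko; do
        [ -f "$f" ] || continue
        cp "$f" "$dest/"
        n=$((n + 1))
    done
    echo "$n"
}

# Example run on the assumed paths:
#   stage_drivers /tmp/output /srv/falco-drivers "$DRIVER_VERSION" "$ARCH"
#   driver_url http://localhost:8080 "$DRIVER_VERSION" "$ARCH" falco_ubuntu-aws_5.13.0-1022-aws_24.o
```

Serve the web root with any static file server (for example `python3 -m http.server 8080 --directory /srv/falco-drivers`), then export DRIVERS_REPO and run falco-driver-loader bpf as shown above.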

Get the Falco Helm chart package

Install the falcosidekick component independently so that it can receive events from the other Falco agents

# add the falcosecurity Helm repository
helm repo add falcosecurity https://falcosecurity.github.io/charts
# pull the falcosidekick chart package
helm pull falcosecurity/falcosidekick
#