We describe the steps taken to use Falco for auditing on Kubernetes:
1) Deploy Falco to your Kubernetes cluster
2) Define your audit policy and webhook configuration
3) Restart the API Server to enable Audit Logging
4) Observe Kubernetes audit events at Falco
1) Deploying Falco can be done with the Helm chart from the stable repository:
helm install --name my-release stable/falco
Note: RBAC is enabled with:
k8s-using-daemonset$ kubectl create -f k8s-with-rbac/falco-account.yaml
serviceaccount "falco-account" created
clusterrole "falco-cluster-role" created
clusterrolebinding "falco-cluster-role-binding" created
A service is created that allows other services to reach the embedded webserver in falco via port 8765:
k8s-using-daemonset$ kubectl create -f k8s-with-rbac/falco-service.yaml
service/falco-service created
2) The embedded webserver that receives the audit webhook is enabled in Falco's configuration file (falco.yaml) with:
webserver:
  enabled: true
  listen_port: 8765
  k8s_audit_endpoint: /k8s_audit
  ssl_enabled: false
  ssl_certificate: /etc/falco/falco.pem
The Kubernetes audit webhook backend is configured with a kubeconfig file that points kube-apiserver at Falco's endpoint:
cat <<EOF > /etc/kubernetes/audit-webhook-kubeconfig
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: http://<ip_of_falco>:8765/k8s_audit
  name: falco
contexts:
- context:
    cluster: falco
    user: ""
  name: default-context
current-context: default-context
preferences: {}
users: []
EOF
kube-apiserver is then launched with the following flags:
--audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-webhook-config-file=/etc/kubernetes/audit-webhook-kubeconfig
Rules can be customized in the k8s_audit_rules.yaml file.
3) A script, enable-k8s-audit.sh, performs the steps needed to enable dynamic audit support in the apiserver by modifying its command line to add arguments such as `--audit-dynamic-configuration` and `--feature-gates=DynamicAuditing=true`.
The same script can be modified to add a default log backend with the command-line arguments --audit-log-path, --audit-log-format, --audit-log-truncate-enabled and --audit-policy-file.
4) Kubernetes audit events will then be routed to the Falco daemonset within the cluster.
Verify that Falco was set up correctly with:
kubectl logs -l app=falco
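As an added illustration of what arrives at step 4, the following Python is not part of the original post or of Falco itself: it stands in for the /k8s_audit endpoint that the Falco webserver exposes, parses the audit.k8s.io/v1 EventList that kube-apiserver POSTs to the webhook backend, and evaluates two constructed rules (exec into a pod, a non-system identity reading a secret) that only illustrate the kind of check k8s_audit_rules.yaml carries. The sample events, user names, namespaces and auditIDs are invented, and the rules are not Falco's own.

```python
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of what kube-apiserver POSTs to the webhook backend: an
# audit.k8s.io/v1 EventList. Users, names, namespaces and auditIDs are invented.
SAMPLE_EVENT_LIST = {
    "kind": "EventList",
    "apiVersion": "audit.k8s.io/v1",
    "items": [
        {  # interactive shell opened in a production pod
            "level": "RequestResponse", "stage": "ResponseComplete",
            "auditID": "11111111-1111-4111-8111-111111111111", "verb": "create",
            "user": {"username": "alice", "groups": ["system:authenticated"]},
            "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "web-0"},
            "responseStatus": {"code": 101},
        },
        {  # a human user reads a secret
            "level": "Metadata", "stage": "ResponseComplete",
            "auditID": "22222222-2222-4222-8222-222222222222", "verb": "get",
            "user": {"username": "bob", "groups": ["system:authenticated"]},
            "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
            "responseStatus": {"code": 200},
        },
        {  # control-plane component reads a secret: routine, not alerted
            "level": "Metadata", "stage": "ResponseComplete",
            "auditID": "33333333-3333-4333-8333-333333333333", "verb": "get",
            "user": {"username": "system:kube-controller-manager", "groups": []},
            "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "sa-token"},
            "responseStatus": {"code": 200},
        },
        {  # earlier stage of the first request; only ResponseComplete is evaluated
            "level": "RequestResponse", "stage": "ResponseStarted",
            "auditID": "11111111-1111-4111-8111-111111111111", "verb": "create",
            "user": {"username": "alice", "groups": ["system:authenticated"]},
            "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "web-0"},
        },
    ],
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT_LIST).encode()

def parse_event_list(raw: bytes) -> list:
    """Decode the POST body and insist on an audit.k8s.io EventList."""
    body = json.loads(raw)  # JSONDecodeError is a ValueError, so callers catch both
    if not isinstance(body, dict) or body.get("kind") != "EventList" \
            or not str(body.get("apiVersion", "")).startswith("audit.k8s.io/"):
        raise ValueError("not an audit.k8s.io EventList")
    return body.get("items", [])

def rule_pod_exec(ev: dict):
    """Constructed rule: exec/attach into a pod is a create on the exec/attach subresource."""
    ref = ev.get("objectRef") or {}
    if ev.get("verb") == "create" and ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
        return "Exec/attach into pod"
    return None

def rule_user_reads_secret(ev: dict):
    """Constructed rule: get/list on secrets by any identity outside the system: prefix."""
    ref = ev.get("objectRef") or {}
    user = (ev.get("user") or {}).get("username", "")
    if ev.get("verb") in ("get", "list") and ref.get("resource") == "secrets" and not user.startswith("system:"):
        return "Non-system identity read a secret"
    return None

RULES = (rule_pod_exec, rule_user_reads_secret)

def evaluate(events: list) -> list:
    """Run every rule over each completed event and return one alert per match."""
    alerts = []
    for ev in events:
        if ev.get("stage") != "ResponseComplete":
            continue  # RequestReceived/ResponseStarted would double-count long-running requests
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append({"rule": msg, "auditID": ev.get("auditID"),
                               "user": (ev.get("user") or {}).get("username"), "verb": ev.get("verb")})
    return alerts

class AuditWebhook(BaseHTTPRequestHandler):
    """Accepts POSTs on /k8s_audit, the path Falco's webserver exposes in the configuration above."""
    def do_POST(self):
        if self.path != "/k8s_audit":
            self.send_response(404); self.end_headers(); return
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            alerts = evaluate(parse_event_list(raw))
        except ValueError:
            self.send_response(400); self.end_headers(); return
        for alert in alerts:
            print(json.dumps(alert))
        self.send_response(200)  # a non-2xx answer makes the apiserver treat the batch as failed and retry it
        self.end_headers()

if __name__ == "__main__":
    for alert in evaluate(parse_event_list(SAMPLE_BODY)):
        print(json.dumps(alert))
    if "--serve" in sys.argv:  # optional: listen on port 8765 like the Falco webserver does
        HTTPServer(("0.0.0.0", 8765), AuditWebhook).serve_forever()
```

Run without arguments it evaluates the embedded sample and prints two alerts; with --serve it listens on 8765 so the kubeconfig above can be pointed at it to inspect raw batches. Which fields reach the endpoint is decided by the apiserver's audit policy (a Metadata-level event carries no request or response body), so rules that need the request object depend on the policy granting RequestResponse for that resource. Because ssl_enabled is false in the webserver configuration above, batches travel in cleartext, which is acceptable only while the endpoint is reachable solely from inside the cluster; the ssl_enabled and ssl_certificate settings already listed are what turn TLS on.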