How to deploy Falco on Kubernetes (EKS)
Learn how to deploy Falco on Kubernetes (EKS) and leverage its real-time threat detection capabilities to enhance the security of your containerized applications.
Overview
In this article, we will explore the process of deploying Falco, the powerful open-source cloud-native runtime security tool, on Kubernetes using Amazon EKS (Elastic Kubernetes Service) and Helm. We will guide you through step-by-step instructions to set up Falco in your EKS cluster and demonstrate how to apply custom rules to tailor its threat detection capabilities, empowering you to enhance the security posture of your containerized applications effectively.
At a high-level overview, we will go through the following steps to deploy Falco on Kubernetes (Elastic Kubernetes Service - EKS) using Helm, ensuring a robust and efficient security solution for your containerized applications:
- Prepare the EKS cluster, ensuring it meets the necessary prerequisites for Falco installation.
- Deploy Falco onto the EKS cluster using Helm, simplifying the installation and configuration process.
- Demonstrate how to apply custom rules, tailoring its threat detection capabilities to suit your specific security requirements.
By the end of this comprehensive guide, you will have a well-equipped Falco implementation, actively safeguarding your Kubernetes environment and providing real-time threat detection for enhanced application security.
Prerequisite
Before you start deploying Falco on Kubernetes using Helm, make sure you have the following prerequisites ready:
- An AWS account
- Helm installed on your local machine.
- Kubectl client to interact EKS cluster.
- AWS CLI with your AWS account credentials, follow the document to configure the credential on your local machine.
- EKS cluster deployed on the AWS account, assume that we can access the EKS cluster from your local machine (public cluster endpoint access with whitelisted IP addresses or VPN). If you have not installed yet, follow the how to deploy EKS cluster.
Implement
Setup IAM role service account
A IAM role need to create to allow falco connect to AWS CloudWatch for monitoring AWS EKS audit log.
data "aws_iam_policy_document" "falco_assume_role" {
statement {
actions = ["sts:AssumeRoleWithWebIdentity"]
effect = "Allow"
condition {
test = "StringEquals"
variable = "oidc.eks.<AWS_REGION_ID>.amazonaws.com/id/<AWS_EKS_OIDC_ID>:sub"
values = ["system:serviceaccount:falco:falco"]
}
principals {
identifiers = ["arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/oidc.eks.<AWS_REGION_ID>.amazonaws.com/id/<AWS_EKS_OIDC_ID>"]
type = "Federated"
}
}
}
data "aws_iam_policy_document" "falco_secret" {
statement {
sid = "ReadAccessToCloudWatchLogs"
actions = [
"logs:Describe*",
"logs:FilterLogEvents",
"logs:Get*",
"logs:List*"
]
effect = "Allow"
resources = ["arn:aws:logs:<AWS_REGION_ID>:<AWS_ACCOUNT_ID>:log-group:/aws/eks/app/cluster:*"]
}
}
resource "aws_iam_role" "falco_secret" {
assume_role_policy = data.aws_iam_policy_document.falco_assume_role.json
name = "system-galireview-falco-role"
}
resource "aws_iam_role_policy" "falco_secret" {
name = "system-galireview-falco-manager-policy"
role = aws_iam_role.falco_secret.name
policy = data.aws_iam_policy_document.falco_secret.json
}from the above code block, replace the following information:
- AWS_ACCOUNT_ID: your aws account id
- AWS_REGION_ID: your aws regoion id
- AWS_EKS_OIDC_ID: EKS oidc id copied from ESK console
Prepare helm chart
From local create a folder name: falco, after that create the following files:
Chart.yaml
apiVersion: v2
appVersion: 0.35.1
description: Falco
name: falco
version: 3.4.1values.yaml
falco:
serviceAccount:
name: falco
create: true
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/system-galiops-falco-worker-role
falco:
rules_file:
- /etc/falco/k8s_audit_rules.yaml
- /etc/falco/rules.d
plugins:
- name: k8saudit-eks
library_path: libk8saudit-eks.so
init_config:
shift: 10
polling_interval: 10
use_async: false
buffer_size: 500
open_params: "<AWS_EKS_CLUSTER_NAME>"
- name: json
library_path: libjson.so
init_config: ""
load_plugins: [k8saudit-eks, json]
falcosidekick:
enabled: true
driver:
enabled: false
collectors:
enabled: false
controller:
kind: deployment
deployment:
replicas: 1
falcoctl:
indexes:
- name: falcosecurity
url: https://falcosecurity.github.io/falcoctl/index.yaml
artifact:
install:
enabled: true
follow:
enabled: true
config:
artifact:
allowedTypes:
- plugin
- rulesfile
install:
resolveDeps: false
refs: [k8saudit-rules:0, k8saudit-eks:0, json:0]
follow:
refs: [k8saudit-rules:0]Identify the EKS cluster name and AWS account id and replace to AWS_ACCOUNT_ID and AWS_EKS_CLUSTER_NAME respectively. After that, create a empty folder name charts and run the following command to download the template package version 3.4.1. You can also download the latest helm version from the ArtifactHub Falco security helm. Run the following command to deploy falco on EKS:
# cd into the helm folder
kubectl create ns falco # to create falco namespace where k8s falco objects locate
helm install falco . -n falco -f values.yamlVerification
To make sure the falco deploy successful, we might need to do some sanity checking:
- Kubernetes pods in running state.
- Checking the falco pod logs, shows the status: "Opening 'k8s_audit' source with plugin 'k8saudit-eks'".
- We can also generate some abnormal activity to make sure falco function correct.
An example about the output when deploying falco on Kubernetes (EKS)
Conclusion
In conclusion, deploying Falco on Kubernetes (EKS) is a significant step towards fortifying your Kubernetes environment's security posture. By combining the power of Kubernetes with Falco's real-time monitoring and threat detection capabilities, you can create a robust security foundation for your applications and infrastructure.
We hope this article has provided you with the knowledge and confidence to deploy Falco effectively.