
Managed app for the host-based intrusion detection agent Falco.


giantswarm/falco-app


falco chart

Giant Swarm offers a falco App which can be installed in workload clusters. Here we define the falco chart with its templates and default configuration.

Falco is a host-based intrusion detection system that captures Linux system calls (through a kernel module or an eBPF probe) and evaluates them against a set of rules. Activity that matches a rule raises a Falco event, which can be forwarded to alert responders or used to trigger automated remediation.

Installing

There are several ways to install this app onto a workload cluster.

Configuring

Note: There are currently known compatibility issues when using the Falco kernel module with Flatcar kernel version 5.10.77-flatcar and later. On those kernels the eBPF driver must be used instead (see the sample user-values-configmap.yaml below).
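
Before picking the driver it helps to know which nodes actually fall into the affected range. The following is an added example, not part of the falco-app chart: a small POSIX shell script that reads node name and kernel version pairs (as `kubectl get nodes` reports them in `.status.nodeInfo.kernelVersion`) and prints the nodes whose Flatcar kernel is 5.10.77 or newer. The node list embedded at the bottom is constructed sample data standing in for real cluster output.

```shell
#!/bin/sh
# Added example; not part of the giantswarm/falco-app chart.
# Lists the nodes whose kernel falls in the range the note above describes
# (Flatcar 5.10.77 and later), i.e. where the Falco kernel module cannot be
# used and the eBPF driver has to be enabled instead.
#
# Live use (not run here): feed it node name and kernel version from the API:
#   kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.nodeInfo.kernelVersion}{"\n"}{end}' | affected_nodes

# needs_ebpf VERSION -> exit status 0 when VERSION is a Flatcar kernel >= 5.10.77.
# Kernels without the "-flatcar" suffix are outside the documented issue and return 1.
needs_ebpf() {
    case "$1" in
        *-flatcar) ;;
        *) return 1 ;;
    esac
    v=${1%-flatcar}                  # "5.10.77-flatcar" -> "5.10.77"
    major=${v%%.*}
    rest=${v#*.}
    case "$rest" in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest;       patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}          # keep only the leading digits of the patch level
    [ -n "$patch" ] || patch=0
    if [ "$major" -ne 5 ]; then [ "$major" -gt 5 ]; return; fi
    if [ "$minor" -ne 10 ]; then [ "$minor" -gt 10 ]; return; fi
    [ "$patch" -ge 77 ]
}

# affected_nodes: reads "node kernel" lines on stdin and prints the ones that need eBPF.
affected_nodes() {
    while read -r node kernel; do
        if needs_ebpf "$kernel"; then
            printf '%s %s\n' "$node" "$kernel"
        fi
    done
}

# Constructed sample input standing in for real kubectl output.
SAMPLE_NODES='worker-a 5.10.76-flatcar
worker-b 5.10.77-flatcar
worker-c 5.15.43-flatcar
worker-d 5.15.0-1034-azure'

printf '%s\n' "$SAMPLE_NODES" | affected_nodes
```

If the script prints any node, set `falco.ebpf.enabled` as shown in the user-values ConfigMap further down; a mixed node pool still needs the eBPF driver cluster-wide, since the chart deploys one DaemonSet with one driver setting.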

values.yaml

This is an example of a values file you could upload using our web interface.

# values.yaml

global:
  registry: quay.io          # registry the Falco, falco-exporter and falcosidekick images are pulled from

falco:
  podSecurityPolicy:
    create: true             # PodSecurityPolicy was removed in Kubernetes 1.25; set to false on such clusters
  falco:
    grpc:
      enabled: true          # expose the Falco gRPC server
    grpcOutput:
      enabled: true          # emit events on the gRPC output, which falco-exporter reads
  customRules:
    {}
    # Example:
    #
    # rules-traefik.yaml: |-
    #   [ rule body ]


falco-exporter:
  podSecurityPolicy:
    create: true             # same Kubernetes 1.25 caveat as above

falcosidekick:

Falco Configurations

See the Falco Configuration page for the configurable values.

Falco Exporter Configurations

See the Falco Exporter Configuration page for the configurable values.

Falco sidekick Configurations

See the Falco sidekick Configuration page for the configurable values.

Sample App CR and ConfigMap for the management cluster

If you have access to the Kubernetes API on the management cluster, you can create the App CR and the ConfigMap directly.

Additional configuration is provided either via a ConfigMap or through the web interface.

# user-values-configmap.yaml
# To use the ebpf driver instead of the Falco kernel module:
falco:
  ebpf:
    enabled: "true"

See our full reference page on how to configure applications for more details.
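
The complete pair of objects this section refers to, as an added example that is not part of the chart's own documentation: a user-values ConfigMap carrying the eBPF setting, and the App CR that references it. The cluster namespace `abc12`, the chart version `1.0.0`, the kubeconfig secret name `abc12-kubeconfig` and the catalog name are placeholders assumed for the example; replace them with the values for your installation.

```yaml
# Added example; not part of the giantswarm/falco-app chart.
# Placeholders (assumed): cluster namespace "abc12", chart version "1.0.0",
# kubeconfig secret "abc12-kubeconfig", catalog "giantswarm".
apiVersion: v1
kind: ConfigMap
metadata:
  name: falco-user-values
  namespace: abc12            # must be the same namespace as the App CR below
data:
  values: |                   # user values are one YAML document under the "values" key
    falco:
      ebpf:
        enabled: "true"
---
apiVersion: application.giantswarm.io/v1alpha1
kind: App
metadata:
  name: falco
  namespace: abc12            # namespace of the workload cluster on the management cluster
spec:
  catalog: giantswarm         # assumed; use the catalog that publishes the app
  name: falco
  namespace: falco            # namespace in the workload cluster the chart is installed into
  version: 1.0.0              # assumed; pick the chart version you want to install
  kubeConfig:
    inCluster: false
    context:
      name: abc12
    secret:
      name: abc12-kubeconfig
      namespace: abc12
  userConfig:
    configMap:
      name: falco-user-values
      namespace: abc12
```

Apply both with `kubectl apply -f`, then watch the App CR's status (`kubectl get app -n abc12 falco`) to confirm the release was deployed. The value under `data.values` is a string, so indentation inside it must be valid YAML on its own; a stray indent there is the most common reason the eBPF setting silently does not take effect.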

Credit