
Kubernetes Response Engine, Part 9: Falcosidekick + Fission
This blog post is part of a series of articles about how to create a
Kubernetes
response engine withFalco
,Falcosidekick
and aFaaS
.See other posts:
- Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless
- Kubernetes Response Engine, Part 2 : Falcosidekick + OpenFaas
- Kubernetes Response Engine, Part 3 : Falcosidekick + Knative
- Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton
- Kubernetes Response Engine, Part 5 : Falcosidekick + Argo
- Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run
- Kubernetes Response Engine, Part 7 : Falcosidekick + Cloud Functions
- Kubernetes Response Engine, Part 8: Falcosidekick + Flux v2
The earlier posts in this series, show how to use Kubeless, Argo, Knative, and others to trigger a resource after getting input from Falcosidekick. Recently, Falcosidekick received a new output type support for Fission.
In this blog post, we will cover using Falcosidekick
and Fission
to detect and delete a compromised pod in a Kubernetes cluster.
We will briefly talk about Fission in this blog, however, you can check the complete documentation here.
Prerequisites
We need tools with the following minimum versions to achieve this demo:
- Minikube v1.19.0
- Helm v3.5.4
- kubectl v1.21.0
- fission-cli v1.13.1
Provision local Kubernetes Cluster
There are various ways to provision a local Kubernetes cluster such as, KinD, k3s, k0s, Minikube, etc. We are going to use Minikube in this walkthrough.
Let's get provisioned a local Kubernetes cluster:
Install Fission
Fission is a fast, open source serverless framework for Kubernetes with a focus on developer productivity and high performance. Fission operates on just the code: Docker and Kubernetes are abstracted away under normal operation, though you can use both to extend Fission if you want to.
Follow the official documentation for deploying Fission to Kubernetes.
Here we will be using Helm to install Fission:
Check if everything is working before moving onto the next step:
Install Falco + Falcosidekick
Firstly, we'll create the namespace that will host both Falco
and Falcosidekick
:
We add the helm
repo:
In a real project, you should get the whole chart with helm pull falcosecurity/falco --untar
and then configure
the values.yaml
. For this tutorial, will try to keep thing as easy as possible and set configs directly
by passing arguments to helm install
command line:
You should get this output:
And you can see your new Falco
and Falcosidekick
pods:
The argument falcosidekick.enabled=true
sets the following settings in Falco for you:
The
arguments --set falco.jsonOutput=true --set falco.httpOutput.enabled=true --set falco.httpOutput.url=http://falco-falcosidekick:2801
are there to configure the format of events and the URL where Falco
will send them.
As Falco
and Falcosidekick
will
be in the same namespace, it can directly use the name of the service (falco-falcosidekick
) above Falcosidekick
pods.
We check the logs:
Fission
is displayed as enabled output, everything is good 👍.
Install our Fission Function
Our really basic function will receive events from Falco
, thanks to Falcosidekick
, check if the triggered rule is
Terminal Shell in container,
extract the namespace and pod name from the fields of events and delete the according pod:
Basically, the process is:
Let's get the function and other artifacts:
$ git clone https://github.com/fission/examples.git && cd examples/sample/falco
The function we are going to deploy basically receives events for an infected pod from the Falcosidekick and deletes it immediately.
Before deploying the function we need some permissions to delete Pod.
We create a ServiceAccount
with rights to delete a Pod in any namespace, and we'll associate it to our function:
Let's create the service account with:
The falco-pod-delete/handler.go
contains our function:
A fission function requires an environment/runtime to run.
The yaml
definitions for the runtime, the function and the router are available under the specs
directory.
Now, we are ready to deploy our falco-pod-delete function using the specs:
Check if the package was built successfully for our fission function before moving to the next step:
Test our function
We start by creating a dumb pod:
Let's run a shell command inside and see what happens:
As expected we got the result of our command, but, if we get the status of the pod we retrieve:
💥 It has been terminated 💥
We can now check the logs of components.
For Falco
:
For Falcosidekick
:
For falco-delete-pod function:
Conclusion
With this really simple example, we got another way to create a Response Engine with amazing pieces of software from the Open Source world. We only scratched the surface of possibilities, so don't hesitate to share with us your comments, ideas and successes.
If you would like to find out more about Falco:
- Get started in Falco.org.
- Check out the Falco project in GitHub.
- Get involved in the Falco community.
- Meet the maintainers on the Falco Slack.
- Follow @falco_org on Twitter.