The easiest way to use Falco on Kubernetes in a local environment is on Minikube.
When running minikube
with the default --driver
arguments, Minikube creates a VM that runs the various Kubernetes services and a container framework to run Pods, etc. Generally, it's not possible to build the Falco kernel module directly on the minikube VM, as the VM doesn't include the kernel headers for the running kernel.
To address this, starting with Falco 0.13.1 a pre-build kernel modules for the last 10 minikube versions are available at https://s3.amazonaws.com/download.draios.com. This allows the download fallback step to succeed with a loadable kernel module. Falco now supports 10 most recent versions of minikube with each new Falco release. Falco currently retains previously-built kernel modules for download and continues to provide limited historical support as well.
You can follow the official Get Started! guide to install.
View minikube Get Started! Guide
Note: Ensure that you have installed kubectl.
To set up Falco with minikube:
Create the cluster with Minikube using a VM driver, in this case Virtualbox:
minikube start --driver=virtualbox
Check that all pods are running:
kubectl get pods --all-namespaces
Add the stable chart to Helm repository:
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
Install Falco using Helm:
helm install falco falcosecurity/falco
The output is similar to:
NAME: falco
LAST DEPLOYED: Wed Jan 20 18:24:08 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Falco agents are spinning up on each node in your cluster. After a few
seconds, they are going to start monitoring your containers looking for
security issues.
No further action should be required.
Tip:
You can easily forward Falco events to Slack, Kafka, AWS Lambda and more with falcosidekick.
Full list of outputs: https://github.com/falcosecurity/charts/falcosidekick.
You can enable its deployment with `--set falcosidekick.enabled=true` or in your values.yaml.
See: https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml for configuration values.
Check the logs to ensure that Falco is running:
kubectl logs -l app=falco -f
The output is similar to:
* Trying to dkms install falco module with GCC /usr/bin/gcc-5
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
* Running dkms build failed, couldn't find /var/lib/dkms/falco/5c0b863ddade7a45568c0ac97d037422c9efb750/build/make.log (with GCC /usr/bin/gcc-5)
* Trying to load a system falco driver, if present
* Success: falco module found and loaded with modprobe
Wed Jan 20 12:55:47 2021: Falco version 0.27.0 (driver version 5c0b863ddade7a45568c0ac97d037422c9efb750)
Wed Jan 20 12:55:47 2021: Falco initialized with configuration file /etc/falco/falco.yaml
Wed Jan 20 12:55:47 2021: Loading rules from file /etc/falco/falco_rules.yaml:
Wed Jan 20 12:55:48 2021: Loading rules from file /etc/falco/falco_rules.local.yaml:
Wed Jan 20 12:55:49 2021: Starting internal webserver, listening on port 8765
kind
lets you run Kubernetes on
your local computer. This tool requires that you have
Docker installed and configured.
Currently not working directly on Mac with Linuxkit, but these directions work on Linux guest OS running kind
.
The kind Quick Start page shows you what you need to do to get up and running with kind.
To run Falco on a kind
cluster is as follows:
Create a configuration file. For example: kind-config.yaml
Add the following to the file:
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
extraMounts:
# allow Falco to use devices provided by the kernel module
- hostPath: /dev
containerPath: /dev
# allow Falco to use the Docker unix socket
- hostPath: /var/run/docker.sock
containerPath: /var/run/docker.sock
Create the cluster by specifying the configuration file:
kind create cluster --config=./kind-config.yaml
Install Falco on a node in the kind cluster. To install Falco as a daemonset on a Kubernetes cluster use Helm. For more information about the configuration of Falco charts, see https://github.com/falcosecurity/charts/tree/master/falco.
MicroK8s is the smallest, fastest multi-node Kubernetes. Single-package fully conformant lightweight Kubernetes that works on Linux, Windows and Mac. Perfect for: Developer workstations, IoT, Edge, CI/CD.
You can follow the official Getting Started guide to install.
View MicroK8s Getting Started Guide
To run Falco on MicroK8s:
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.