
Try Falco on Kubernetes with WebUI

Published: at 05:40 PM


Instructions for deploying a single-node Kubernetes VM with Falco and the Falcosidekick WebUI on a Windows host. A Vagrantfile that automates the whole process is included at the end.


Installation

First, install Vagrant following the official page.

Then set up a basic Ubuntu VM with Vagrant and SSH into it (this logs you in as the unprivileged vagrant user):

vagrant init bento/ubuntu-20.04
vagrant up
vagrant ssh

Install helm, kubectl, and k3s:

Helm:

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

Kubectl (the download alone only leaves a binary in the current directory; it still has to be installed onto the PATH):

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

k3s. The kubeconfig it writes is root-only (mode 0600) by default, so kubectl and helm run as the vagrant user would fail with a permission error; K3S_KUBECONFIG_MODE makes it readable:

curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" sh -

Point kubectl and helm at the k3s kubeconfig:

export KUBECONFIG=/etc/rancher/k3s/k3s.yaml

Install Falco using Helm

Helm is the simplest way to deploy Falco and Falcosidekick.

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Create a namespace in which to run Falco:

kubectl create namespace falco

Now install Falco on the cluster. The two falcosidekick values deploy Falcosidekick and its WebUI alongside Falco; without them Falco only writes alerts to its own log and nothing reaches the UI:

helm install falco -n falco --set driver.kind=ebpf --set tty=true falcosecurity/falco \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true

Check if Falco is successfully installed (all pods should be in a Running state):

kubectl get pods -n falco

Run a Test

Now that everything is set up, we can test whether Falco is working. Create a basic pod and exec into it with a terminal attached (-it) to simulate suspicious activity; this is exactly what Falco's default "Terminal shell in container" rule looks for:

kubectl run alpine --image alpine -- sh -c "sleep infinity"
kubectl exec -it alpine -- sh -c "uptime"

To reach the WebUI from the host, find the VM's IP address and port-forward the UI service, binding it to all interfaces (by default port-forward listens on localhost only, which here means inside the VM):

ip a
kubectl port-forward svc/falco-falcosidekick-ui 2802:2802 --address 0.0.0.0 -n falco

Open the Falco UI in your browser at http://<ip>:2802/ (the same port the port-forward uses).
Log in with the default credentials admin:admin. These are the chart default (the falcosidekick.webui.user value) and, combined with a 0.0.0.0 port-forward, they expose the UI to anyone on the bridged network, so change them for anything beyond a throwaway lab. Under the EVENTS tab you should now see the event for the spawned shell.
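If you would rather confirm the alert from the command line than through the UI, the following script is an added example (not code from the original post or the Falco project). It assumes Falco was installed with one extra chart value, --set falco.json_output=true, so that kubectl logs -n falco -l app.kubernetes.io/name=falco prints one JSON object per alert; the log text embedded below is constructed to mirror that format (the rule names and field names are Falco's, the container id, timestamps and second alert are made up) so the script runs offline.

```python
"""Parse Falco JSON alert lines and confirm the 'Terminal shell in container'
rule fired for a given pod. Added example; assumes falco.json_output=true."""
import json
import sys
from collections import Counter

# Constructed sample of what `kubectl logs` would show: a startup banner line
# (not JSON) followed by two alerts. The first mirrors the alert produced by
# `kubectl exec -it alpine -- sh -c "uptime"`; the second is unrelated noise
# from a different pod so that the pod filter has something to exclude.
SAMPLE_LOG = r'''
Wed Jan 10 17:40:01 2024: Falco version: 0.36.2 (x86_64)
{"hostname":"vagrant","output":"17:40:12.123456789: Notice A shell was spawned in a container with an attached terminal (user=root k8s.ns=default k8s.pod=alpine container=1234abcd shell=sh parent=runc cmdline=sh -c uptime)","priority":"Notice","rule":"Terminal shell in container","source":"syscall","tags":["container","mitre_execution","shell"],"time":"2024-01-10T17:40:12.123456789Z","output_fields":{"container.id":"1234abcd","k8s.ns.name":"default","k8s.pod.name":"alpine","proc.cmdline":"sh -c uptime","proc.name":"sh","user.name":"root"}}
{"hostname":"vagrant","output":"17:40:13.000000000: Error File below /etc opened for writing (user=root k8s.ns=falco k8s.pod=falco-xyz file=/etc/hosts)","priority":"Error","rule":"Write below etc","source":"syscall","tags":["filesystem","mitre_persistence"],"time":"2024-01-10T17:40:13.000000000Z","output_fields":{"container.id":"host","fd.name":"/etc/hosts","k8s.ns.name":"falco","k8s.pod.name":"falco-xyz","proc.cmdline":"sh -c echo","proc.name":"sh","user.name":"root"}}
'''

SHELL_RULE = "Terminal shell in container"


def parse_alerts(text):
    """Return one dict per JSON alert line, skipping banners and other non-JSON.

    Falco's non-JSON startup lines and any partially written line are ignored
    rather than treated as errors, since `kubectl logs` mixes them together."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "rule" in obj and "priority" in obj:
            alerts.append(obj)
    return alerts


def alerts_for_pod(alerts, namespace, pod):
    """Keep only alerts whose output_fields name the given namespace/pod."""
    selected = []
    for alert in alerts:
        fields = alert.get("output_fields", {})
        if fields.get("k8s.ns.name") == namespace and fields.get("k8s.pod.name") == pod:
            selected.append(alert)
    return selected


def summarize(alerts):
    """Count alerts by (rule, priority), which is roughly what the UI's
    EVENTS tab shows at a glance."""
    return Counter((a["rule"], a["priority"]) for a in alerts)


def shell_spawned(alerts, namespace, pod):
    """True if Falco's default terminal-shell rule fired for namespace/pod."""
    return any(a["rule"] == SHELL_RULE for a in alerts_for_pod(alerts, namespace, pod))


def main(text=None):
    """Read Falco log text from stdin (pipe `kubectl logs ...` in) or use the sample."""
    text = text if text is not None else (sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG)
    alerts = parse_alerts(text)
    for (rule, priority), count in summarize(alerts).most_common():
        print(f"{count:3d}  {priority:<8} {rule}")
    ok = shell_spawned(alerts, "default", "alpine")
    print("shell alert for default/alpine:", "FOUND" if ok else "missing")
    return ok


if __name__ == "__main__":
    sys.exit(0 if main() else 1)
```

Run it as python3 check_falco.py < <(kubectl logs -n falco -l app.kubernetes.io/name=falco) once the exec step above has been performed; the exit status is 0 only when the terminal-shell alert for default/alpine is present, which makes the check usable from a script.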


Vagrantfile

The following Vagrantfile automates the same steps. Run vagrant up in the directory containing it; the provisioner executes as root, so it needs no sudo.

Vagrant.configure("2") do |config|

  config.vm.box = "bento/ubuntu-20.04"

  # Bridged network: the VM gets an address on the LAN, which is what `ip a`
  # reports and what the WebUI port-forward is reached on from the host.
  config.vm.network "public_network"

  config.vm.provision "shell", inline: <<-SHELL
    set -e
    apt-get update
    apt-get install -y curl

    # Helm
    curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
    chmod 700 get_helm.sh
    ./get_helm.sh

    # kubectl: download, then actually install it onto the PATH
    curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
    install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

    # k3s; mode 644 lets the unprivileged vagrant user read the kubeconfig
    # after `vagrant ssh` (the provisioner itself runs as root)
    curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" sh -
    export KUBECONFIG=/etc/rancher/k3s/k3s.yaml

    # The API server takes a few seconds to come up; don't race it
    until kubectl get nodes >/dev/null 2>&1; do sleep 2; done

    helm repo add falcosecurity https://falcosecurity.github.io/charts
    helm repo update
    kubectl create namespace falco
    helm install falco -n falco --set driver.kind=ebpf --set tty=true falcosecurity/falco \
      --set falcosidekick.enabled=true \
      --set falcosidekick.webui.enabled=true
  SHELL
end