From 5e8dc8bce4173d376a8c39cbc88b20c04ba4f019 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 6 Mar 2017 10:45:56 -0800
Subject: [PATCH] Add falco,event generator files for k8s. Add example k8s yaml files that allow for running falco as a k8s daemonset and the event generator as a deployment, running on 1 node. Falco is configured to send its output to a slack webhook corresponding to the #demo-falco-alerts channel on sysdig's public slack channel. The output is is k8s friendly by using -pk, -k (k8s api server), and -K (credentials to communicate with api server).
---
examples/k8s-using-daemonset/README.md | 5 ++
.../k8s-using-daemonset/falco-daemonset.yaml | 59 +++++++++++++++++++
.../falco-event-generator-deployment.yaml | 17 ++++++
3 files changed, 81 insertions(+)
create mode 100644 examples/k8s-using-daemonset/README.md
create mode 100644 examples/k8s-using-daemonset/falco-daemonset.yaml
create mode 100644 examples/k8s-using-daemonset/falco-event-generator-deployment.yaml
diff --git a/examples/k8s-using-daemonset/README.md b/examples/k8s-using-daemonset/README.md
new file mode 100644
index 00000000..b81b6f3b
--- /dev/null
+++ b/examples/k8s-using-daemonset/README.md
@@ -0,0 +1,5 @@
+=Example K8s Services for Falco=
+
+The yaml file in this directory installs the following:
+ - Open Source Falco, as a DaemonSet. Falco is configured to communicate with the K8s API server via its service account, and changes its output to be K8s-friendly. It also sends to a slack webhook for the `#demo-falco-alerts` channel on our [public slack](https://sysdig.slack.com/messages/demo-falco-alerts/).
+ - The [Falco Event Generator](https://github.com/draios/falco/wiki/Generating-Sample-Events), as a deployment that ensures it runs on exactly 1 node.
diff --git a/examples/k8s-using-daemonset/falco-daemonset.yaml b/examples/k8s-using-daemonset/falco-daemonset.yaml
new file mode 100644
index 00000000..19ae8ba4
--- /dev/null
+++ b/examples/k8s-using-daemonset/falco-daemonset.yaml
@@ -0,0 +1,59 @@
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: falco
+ labels:
+ name: falco-daemonset
+ app: demo
+spec:
+ template:
+ metadata:
+ labels:
+ name: falco
+ app: demo
+ role: security
+ spec:
+ containers:
+ - name: falco
+ image: sysdig/falco:latest
+ securityContext:
+ privileged: true
+ command: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o", "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/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"]
+ volumeMounts:
+ - mountPath: /host/var/run/docker.sock
+ name: docker-socket
+ readOnly: true
+ - mountPath: /host/dev
+ name: dev-fs
+ readOnly: true
+ - mountPath: /host/proc
+ name: proc-fs
+ readOnly: true
+ - mountPath: /host/boot
+ name: boot-fs
+ readOnly: true
+ - mountPath: /host/lib/modules
+ name: lib-modules
+ readOnly: true
+ - mountPath: /host/usr
+ name: usr-fs
+ readOnly: true
+ volumes:
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+ - name: dev-fs
+ hostPath:
+ path: /dev
+ - name: proc-fs
+ hostPath:
+ path: /proc
+ - name: boot-fs
+ hostPath:
+ path: /boot
+ - name: lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: usr-fs
+ hostPath:
+ path: /usr
diff --git a/examples/k8s-using-daemonset/falco-event-generator-deployment.yaml b/examples/k8s-using-daemonset/falco-event-generator-deployment.yaml
new file mode 100644
index 00000000..00789e8c
--- /dev/null
+++ b/examples/k8s-using-daemonset/falco-event-generator-deployment.yaml
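Review bot: The `program_output.program` value on the `command:` line of falco-daemonset.yaml embeds the full Slack incoming-webhook URL in the manifest, and that URL is itself the credential for posting to the channel, so anyone who can read the repository can post to it. Move the URL into a Kubernetes Secret, expose it to the container as an environment variable, and reference `$SLACK_WEBHOOK_URL` in the curl command; the pipe already present in that value implies it is run through a shell, so the variable should expand there, though that is worth confirming. Because the URL is now in commit history, the webhook should also be rotated rather than only removed from the file. Separately, `image: sysdig/falco:latest` runs with `privileged: true` on every node, so pinning a specific tag or digest would keep an upstream image change from silently altering what runs with host-level access.

```yaml
      # … unchanged: name, image, securityContext …
        env:
          - name: SLACK_WEBHOOK_URL
            valueFrom:
              secretKeyRef:
                name: falco-slack-webhook  # placeholder Secret name
                key: url                   # placeholder key
        # … unchanged: falco flags up to "program_output.enabled=true" …
        # last command element becomes:
        #   "program_output.program=jq '{text: .output}' | curl -d @- -X POST $SLACK_WEBHOOK_URL"
```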
@@ -0,0 +1,17 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: falco-event-generator-deployment
+ labels:
+ name: falco-event-generator-deployment
+ app: demo
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: falco-event-generator
+ spec:
+ containers:
+ - name: falco-event-generator
+ image: sysdig/falco-event-generator:latest
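Review bot: `image: sysdig/falco-event-generator:latest` on the last line of this hunk uses a mutable tag, so what this Deployment runs can change without any change to the manifest; pin a specific tag or digest, e.g. `image: sysdig/falco-event-generator:<pinned-tag>`. The README added in this commit describes the container as generating sample events for Falco, which presumably means it performs the kind of activity Falco alerts on, so a header comment such as `# Demo only: generates activity that Falco flags; keep out of production clusters.` would help anyone copying the file. The manifest also sets no `namespace`, so it lands wherever the current kubectl context points; naming a dedicated demo namespace would make that explicit.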