From 893554e0f02c5636c6c4fbb669de40bb946b62b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9stor=20Salceda?= Date: Tue, 10 Jul 2018 13:44:02 +0200 Subject: [PATCH] Add README for the kubernetes response engine --- kubernetes-response-engine/README.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 kubernetes-response-engine/README.md diff --git a/kubernetes-response-engine/README.md b/kubernetes-response-engine/README.md new file mode 100644 index 00000000..6343027b --- /dev/null +++ b/kubernetes-response-engine/README.md @@ -0,0 +1,27 @@ +# Kubernetes Response Engine for Sysdig Falco + +The goal of this project is to create a response engine for Kubernetes which is +able to execute playbooks to different types of security threats in our +cointainer fleet alerted by Falco. + +There are several principles which guides our decisions (in no particular order): + +* Real time responses to a security threat: We need to react as soon as possible. +* Deployment independence: Each playbook is independent of others. +* Open Source Software: We want to use and promote OSS. +* Write rock solid code: Each playbook is tested. + +## Alert lifecycle outline + +An alert travels by our system, these are the typical stages for an alert: + +1. *Falco* detects an alert in one container which belongs to our fleet +2. *Falco* sends the alert to *NATS* using a topic compound by "falco.." +3. *NATS* delivers message to its subscribers through *Kubeless* infrastructure +4. *Kubeless* receives the alert and pass it to inner *Playbook* +6. *Playbook* performs its inner action: Stopping the container, Sending an alert to Slack ... + +## Glossary + +* *Alert*: Falco sends alerts +* *Playbook*: Each piece of Python code which is run when an alert is received
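Review bot: The NATS topic in step 2 of the "Alert lifecycle outline" reads `"falco.."`, which is incomplete: the two segments between the dots are missing, so a reader cannot tell what the subject is composed of (or what a consumer has to subscribe to); spell out each component of the subject, e.g. `falco.<component-1>.<component-2>`, or reference where it is defined. In the same list the numbering jumps from 4 to 6, so either step 5 was dropped or the item should be renumbered. Smaller wording fixes in the added README: "cointainer" should be "container", "several principles which guides" should be "guide", "An alert travels by our system" should be "through our system", and "pass it to inner *Playbook*" should be "passes it to the inner *Playbook*".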