github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-10-21 11:29:26 +00:00
Code Issues Projects Releases Wiki Activity
Files
071e8de075ab8e9a0641aa09348ab50b279b15e5
falco/integrations/kubernetes-response-engine/falco-sns/README.md
Néstor Salceda 071e8de075 Port Kubernetes Response Engine to AWS Technology (#460) 
* Add a falco-sns utility which publishes to an AWS SNS topic

* Add an script for deploying function in AWS Lambda

* Bump dependencies

* Use an empty topic and pass AWS_DEFAULT_REGION environment variable

* Add gitignore

* Install ca-certificates.

Are used when we publish to a SNS topic.

* Add myself as a maintainer

* Decode events from SNS based messages

* Add Terraform manifests for getting an EKS up and running

Please, take attention to setup kubectl  and how to join workers:

https://www.terraform.io/docs/providers/aws/guides/eks-getting-started.html#obtaining-kubectl-configuration-from-terraform
https://www.terraform.io/docs/providers/aws/guides/eks-getting-started.html#required-kubernetes-configuration-to-join-worker-nodes

* Ignore terraform generated files

* Remove autogenerated files

* Also publish MessageAttributes which allows to use Filter Policies

This allows to subscribe only to errors, or warnings or several
priorities or by rule names.

It covers same funcionality than NATS publishe does.

* Add kubeconfig and aws-iam-authenticator from heptio to Lambda environment

* Add role trust from cluster creator to lambda role

* Enable CloudWatch for Lambda stuff

* Generate kubeconfig, kubeconfig for lambdas and the lambda arn

This is used by deployment script

* Just a cosmetic change

* Add a Makefile which creates the cluster and configures it

* Use terraform and artifacts which belongs to this repository for deploying

* Move CNCF related deployment to its own directory

* Create only SNS and Lambda stuff.

Assume that the EKS cluster will be created outside

* Bridge IAM with RBAC

This allows to use the role for lambdas for authenticating against
Kubernetes

* Do not rely on terraform for deploying a playbook in lambda

* Clean whitespace

* Move rebased playbooks to functions

* Fix rebase issues with deployment and rbac stuff

* Add a clean target to Makefile

* Inject sys.path modification to Kubeless function deployment

* Add documentation and instructions
2018-11-07 08:34:13 -08:00

913 B
Raw Blame History

SNS output for Sysdig Falco

As Falco does not support AWS SNS output natively, we have created this small golang utility wich reads Falco alerts from a named pipe and sends them to a SNS topic.

This utility is designed to being run in a sidecar container in the same Pod as Falco.

Configuration

You have a complete Kubernetes manifest available for future reading.

Take a look at sidecar container and to the initContainers directive which craetes the shared pipe between containers.

Container image

You have this adapter available as a container image. Its name is sysdig/falco-sns.

Parameters Reference

  • -t: Specifies the ARN SNS topic where message will be published.

  • -f: Specifies the named pipe path where Falco publishes its alerts. By default is: /var/run/falco/nats