Files
falco/docker
Mark Stemm c3f7d15e26 Add k8s audit support to falco event generator
Currently, the falco event generator only generates system call
activity. This adds support for k8s_audit events by adding a script +
supporting k8s object files that generate activity that matches the k8s
audit event ruleset.

The main script is k8s_event_generator.sh, which loops over the files in
the yaml subdirectory, running kubectl apply -f for each.

In the interests of keeping things self-contained, all objects are
created in a `falco-event-generator` namespace. This means that some
activity related to cluster roles/cluster role bindings is not
performed.

Each k8s object has annotations that note:

1. The specific falco rules that should trigger.
2. A user-friendly message to print when apply-ing the file.

You can provide a specific rule name to the script. If provided, only
those objects related to that rule will trigger. The default is "all",
meaning that all objects are created.

The script loops forever, deleting the falco-event-generator namespace
after each iteration.

Additionally, the docker image has been updated to also copy the script
+ supporting files, as well as fetching the latest available `kubectl`
binary. The entrypoint is now a script that allows choosing between:
 - syscall activity: run with .... "syscall"
 - k8s_audit activity: run with .... "k8s_audit"
 - spawn a shell: run with .... "bash"

The default is "syscall" to preserve existing behavior.

In most cases, you'll need to provide kube config
files/directories that allow access to your cluster. A
command like the following will work:

```
docker run -v $HOME/.kube:/root/.kube -it falcosecurity/falco-event-generator k8s_audit
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-01-15 09:35:28 +01:00
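The loop the commit message describes (iterate over the yaml directory, honour the per-object rule annotation, apply, then delete the namespace), written out as an added example; this is not the upstream k8s_event_generator.sh. The annotation keys `falco.org/rules` and `falco.org/message`, the `KUBECTL` override variable and the five-second pause are assumptions.

```sh
#!/bin/sh
# Added illustration of one pass of the generator loop described above; not the
# upstream k8s_event_generator.sh. The annotation keys and the KUBECTL override
# are assumptions.
set -eu

KUBECTL="${KUBECTL:-kubectl}"      # e.g. KUBECTL="kubectl --dry-run=client" to preview
NAMESPACE="falco-event-generator"
RULES_KEY="falco.org/rules"        # assumed key: comma-separated rule names, or "all"
MESSAGE_KEY="falco.org/message"    # assumed key: message printed before apply

# Print the value of annotation $2 in yaml file $1 (quoted or bare scalar).
annotation() {
    sed -n "s|^[[:space:]]*$2:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$|\1|p" "$1" | head -n 1
}

# Succeed when the filter is "all", or when the file lists the rule or "all".
matches_rule() {
    [ "$2" = "all" ] && return 0
    annotation "$1" "$RULES_KEY" | tr ',' '\n' | sed 's/^ *//;s/ *$//' \
        | grep -qxF -e "$2" -e all
}

# One iteration: apply every matching object, then tear the namespace down.
run_once() {
    for f in "$1"/*.yaml; do
        [ -f "$f" ] || continue
        matches_rule "$f" "$2" || continue
        echo "***** $(annotation "$f" "$MESSAGE_KEY")"
        $KUBECTL apply -f "$f"
    done
    $KUBECTL delete namespace "$NAMESPACE" --ignore-not-found
}

# Loop forever only when invoked as the script itself (not when sourced).
if [ "$(basename "$0")" = "k8s_event_generator.sh" ]; then
    while true; do
        run_once "$(dirname "$0")/yaml" "${1:-all}"
        sleep 5
    done
fi
```

Setting `KUBECTL=echo` before calling `run_once` shows which objects a given rule filter would apply without touching a cluster.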

Falco Dockerfiles

This directory contains the various ways to package Falco as a container.

Currently Supported Containers

falcosecurity/falco Dockerfiles

  • ./dev: Builds a container image from the dev apt repo.
  • ./stable: Builds a container image from the stable apt repo.
  • ./local: Builds a container image from a locally provided Falco dpkg package.

Build & Testing Dockerfiles

  • ./builder: falcosecurity/falco-builder - The complete build toolchain for compiling Falco from source. See the documentation for more details on building from source.
  • ./tester: falcosecurity/falco-tester - Container image for running the Falco test suite.

Alpha Release Containers

These Dockerfiles (and resulting container images) are currently in alpha. We'd love for you to test these images and report any feedback.

Slim and Minimal Dockerfiles

The goal of these container images is to reduce the size of the underlying Falco container.

  • ./slim-dev: Like ./dev above but removes build tools for older kernels.
  • ./slim-stable: Like ./stable above but removes build tools for older kernels.
  • ./minimal: A minimal container image (~20 MB), containing only the files required to run Falco.

Init Containers

These container images allow for the delivery of the kernel module or eBPF probe either via HTTP or via a container image.

  • kernel/linuxkit: Multistage Dockerfile to build a Falco kernel module for LinuxKit (Docker Desktop). Generates an Alpine-based container image with the kernel module, and insmod as the container CMD.
  • kernel/probeloader: Multistage Dockerfile to build a Go-based application to download (via HTTPS) and load a Falco kernel module. The resulting container image can be run as an initContainer to load the Falco module before Falco starts.