Setting up a local Kubernetes lab for security
If you already have kubectl installed, you can now use it to access your shiny new cluster:
kubectl get pods -A
Alternatively, minikube can download the appropriate version of kubectl for you, and you can use it like this:
minikube kubectl -- get pods -A
You can also make your life easier by adding the following to your shell config:
alias kubectl="minikube kubectl --"
I was experiencing multi-interface issues (kubernetes/minikube#13131), so I removed the extra VirtualBox host-only adapter:
VBoxManage hostonlyif remove "VirtualBox Host-Only Ethernet Adapter"
After removing the interface, I checked that it was actually gone before proceeding:
VBoxManage list hostonlyifs
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco --namespace falco --create-namespace
kubectl get pods -n falco -o wide -w
The Falco pod was slow to initialize, so I pulled the logs from the pod falco-rq4gs:
kubectl logs falco-rq4gs -n falco
Anyway, it worked fine on my EKS cluster, so we will start testing on a single-node EKS cluster.
There are already a variety of container images available that include Python and commonly used dependencies.
One such example is the official Python Docker image, which provides a base image with Python pre-installed.
You can use the different tags of the Python image to pin the Python version you need; I chose the 3.9 tag.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: falco-alert-handler
spec:
  replicas: 1
  selector:
    matchLabels:
      app: falco-alert-handler
  template:
    metadata:
      labels:
        app: falco-alert-handler
    spec:
      containers:
      - name: falco-alert-handler
        image: python:3.9
        command: ["python", "script.py"]
Note: this image includes the Python runtime but none of the additional dependencies my script needs, and it does not contain script.py either, so the Deployment above will not start as written.
If my script has additional dependencies, I will either need to build my own image that includes the script and those dependencies, or mount the script into the container (for example from a ConfigMap) and install the dependencies at start-up.
import subprocess
# Assumed client library: as noted below, no package called falco-python exists on PyPI,
# so this import is what the script would need, not something that currently installs.
from falco import Client

# Set up the Falco client
falco_client = Client()

# Define the action to be taken when a CRITICAL Falco alert is triggered
def handle_critical_alert(alert):
    # Only act on CRITICAL alerts; the original version never checked the priority.
    # The attribute name is an assumption about the client library.
    if getattr(alert, "priority", None) != "CRITICAL":
        return
    # In Falco's JSON alerts the formatted text is "output" and the structured
    # fields (including container.id) are under "output_fields".
    container_id = alert.output.get("container.id")
    if container_id:
        # Terminate the container by sending a SIGKILL signal.
        # This needs a reachable Docker daemon, which a pod on a containerd node does not have.
        subprocess.run(["docker", "kill", container_id])
        print(f"Container {container_id} terminated.")

# Subscribe to Falco alerts and handle them accordingly
falco_client.subscribe("output", lambda alert: handle_critical_alert(alert))

# Start the Falco client
falco_client.run()
I need to ensure I have the necessary dependencies installed, including the falco-python library.
Running the command below shows that there is no matching package called falco-python:
pip install falco-python
I will also need to have Falco installed and properly configured on my system first.
This updated script is meant to listen for Falco alerts and trigger the handle_critical_alert function when a CRITICAL-level alert is received.
It should extract the container.id field from the alert and use it to terminate the corresponding container with the docker kill command.
Two caveats before relying on it: Falco's JSON alerts carry the structured fields (container.id, k8s.pod.name, and so on) under output_fields, while output is just the formatted text line, so the handler has to read the right key; and docker kill only works where the Docker daemon socket is reachable. EKS nodes run containerd (Docker support was removed in Kubernetes 1.24), so a handler running as a pod should act through the Kubernetes API, for example by deleting the offending pod, rather than shelling out to docker.
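A working alternative that does not depend on the missing falco-python package is to let Falco push its alerts over HTTP and handle them with a small web server. This is an added example, not the page's original script: it assumes Falco is configured with json_output: true and http_output enabled with its url pointing at this handler (the Falco Helm chart exposes these as values under falco.), that the handler is reachable as a Service named falco-alert-handler in the falco namespace (an assumed name), and that its ServiceAccount is allowed to delete pods. The sample alert embedded at the bottom is constructed for offline testing, not captured from a cluster.

```python
"""Falco alert handler fed by Falco's http_output (added example, not the
page's original script).

Assumed Falco configuration (falco.yaml, or the Helm chart's `falco.` values):
    json_output: true
    http_output:
      enabled: true
      url: "http://falco-alert-handler.falco.svc:8080/"   # assumed Service name
Each alert then arrives as one JSON object with top-level "priority", "rule",
"output" (formatted text) and "output_fields" (the structured fields).
"""
import json
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer

# Falco priority names as emitted in JSON output, most severe first.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]
THRESHOLD = "Critical"  # act on this level and anything more severe


def severe_enough(priority, threshold=THRESHOLD):
    """True when `priority` is at least as severe as `threshold`.
    Unknown or mis-cased strings are never acted on."""
    if priority not in PRIORITIES:
        return False
    return PRIORITIES.index(priority) <= PRIORITIES.index(threshold)


def plan_response(alert):
    """Return the kubectl argv that evicts the offending pod, or None.

    Falco sets container.id to "host" for events outside any container, and
    the k8s.* fields are only populated when Falco has Kubernetes metadata,
    so both cases are treated as "nothing to kill" rather than guessed at.
    """
    fields = alert.get("output_fields") or {}
    cid = fields.get("container.id")
    if not severe_enough(alert.get("priority", "")) or not cid or cid == "host":
        return None
    pod, ns = fields.get("k8s.pod.name"), fields.get("k8s.ns.name")
    if not pod or not ns:
        return None
    # The pod is the unit Kubernetes lets us act on. Its ReplicaSet will
    # replace it, which is fine for a lab but destroys evidence.
    return ["kubectl", "delete", "pod", pod, "-n", ns]


def handle_alert(body, run=subprocess.run):
    """Parse one JSON alert and run the planned response.
    Returns the argv that was executed, or None. `run` is injectable so the
    decision logic can be exercised without a cluster."""
    try:
        alert = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(alert, dict):
        return None
    argv = plan_response(alert)
    if argv:
        run(argv, check=False)
    return argv


class AlertHandler(BaseHTTPRequestHandler):
    """Receives one POST per alert from Falco's http_output."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        handle_alert(self.rfile.read(length))
        self.send_response(204)  # any 2xx response satisfies Falco
        self.end_headers()


# Constructed sample alert for offline testing; not captured from a real cluster.
SAMPLE_ALERT = json.dumps({
    "priority": "Critical",
    "rule": "Shell spawned in container (constructed)",
    "output": "12:00:00.000 Critical Shell spawned in container ...",
    "output_fields": {
        "container.id": "abc123def456",
        "k8s.ns.name": "default",
        "k8s.pod.name": "web-5d8f9c",
        "proc.cmdline": "bash",
    },
})

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), AlertHandler).serve_forever()
```

Deleting the pod stops the compromised workload without needing a Docker socket, but it also throws away the container you would want to examine; in a lab that is acceptable, in an incident you would rather isolate the pod with a NetworkPolicy and snapshot it first. The handler should also run with a dedicated ServiceAccount whose Role grants only delete on pods in the namespaces it is meant to police.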