This project was developed as a "module" for the falco-argo-container-isolation project, and the content in this repository is meant to be deployed on top of that one. The main goal is to enable a Falco rule that identifies containers being spawned as root in a Kubernetes cluster and notifies these events through Slack. Falco can notify on basically anything, but to keep things simple and show its power, only new containers running as root will trigger the notification.
- Add the required configuration to enable Falco to identify containers running as root in a Kubernetes cluster
- Send a Slack webhook to a specific Slack channel
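As an added example (not a rule shipped with this repository), the following self-contained Falco rule detects the event the Slack notification is built around: a container whose entrypoint process runs as uid 0. The macro name, rule name and tags are my own choices; the fields are standard Falco fields.

```yaml
# Added example, not the project's own rule. Fires once per container whose
# first process (the entrypoint) runs as uid 0.
# Macro and rule names are assumptions; field names are standard Falco fields.

- macro: container_entrypoint_exec
  # The first process in a container has vpid 1 in its own PID namespace.
  # Matching on the exit side of execve/execveat gives the fully resolved
  # process, user and container metadata.
  condition: >
    (evt.type in (execve, execveat) and evt.dir = < and
     container.id != host and proc.vpid = 1)

- rule: Container Started As Root
  desc: >
    A container's entrypoint process is running as uid 0. Root inside a
    container widens the blast radius of any breakout or misconfigured
    volume mount, so the pod should run with runAsNonRoot where possible.
  condition: container_entrypoint_exec and user.uid = 0
  output: >
    Container started as root
    (user=%user.name uid=%user.uid command=%proc.cmdline
     container_id=%container.id container_name=%container.name
     image=%container.image.repository:%container.image.tag
     k8s_ns=%k8s.ns.name k8s_pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, kubernetes, privilege]
```

Falcosidekick only forwards events at or above its configured minimum priority, so make sure the Slack output's minimum priority is WARNING or lower for this rule to reach the channel.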
The following is required to run this project properly:
- Clone the repo
- Create a new app to send webhooks to a Slack channel. Refer to the Slack documentation for guidance
- Replace the `REPLACE_ME` value in `config/faldosickick-patch.yaml` with the Slack webhook URL
- Install its content using `make install`
This project is distributed under GNU GPLv3. See LICENSE.