Installing Falco

Let's try installing Falco on a DigitalOcean managed Kubernetes cluster.

Falco installation

Add the helm repo

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Install

helm install falco falcosecurity/falco -n monitoring

Check the status

kubectl -n monitoring get all --selector app=falco
NAME              READY   STATUS    RESTARTS   AGE
pod/falco-277hd   1/1     Running   0          23h
pod/falco-6rqrd   1/1     Running   0          23h
pod/falco-zm822   1/1     Running   0          23h

NAME                   DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/falco   3         3         3       3            3           <none>          23h

Verifying that Falco works

Check the falco pod logs with Loki/logcli

export LOKI_ADDR=http://localhost:3100
kubectl -n monitoring port-forward svc/loki 3100:3100

Logs like the following are being emitted, so it seems to be running.

2022-01-12T19:46:56+09:00 {filename="/var/log/pods/monitoring_falco-zm822_ab719373-b5eb-432e-aba9-88b8d0619fd5/falco/0.log", pod="falco-zm822"} 2022-01-12T10:46:55.954335586Z stdout F 10:46:55.936548438: Notice Packet socket was created in a container (user=root user_loginuid=-1 command=cilium-agent --kvstore=etcd --kvstore-opt=etcd.config=/var/lib/etcd-config/etcd.config --config-dir=/tmp/cilium/config-map --enable-node-port=true --enable-host-port=true --enable-health-check-nodeport=false --kube-proxy-replacement=partial --enable-host-reachable-services=false --enable-egress-gateway=false --arping-refresh-period=30s socket_info=domain=17(AF_PACKET) type=3 proto=1544  container_id=9ebe81a9f2d1 container_name=cilium-agent image=docker.io/digitalocean/cilium:1.10.1-con-4989) k8s.ns=kube-system k8s.pod=cilium-d45js container=9ebe81a9f2d1 k8s.ns=kube-system k8s.pod=cilium-d45js container=9ebe81a9f2d1
2022-01-12T19:46:54+09:00 {filename="/var/log/pods/monitoring_falco-6rqrd_7404ca1e-f027-4375-856f-f4373637cecb/falco/0.log", pod="falco-6rqrd"} 2022-01-12T10:46:54.404894157Z stdout F 10:46:54.392775696: Notice Packet socket was created in a container (user=root user_loginuid=-1 command=cilium-agent --kvstore=etcd --kvstore-opt=etcd.config=/var/lib/etcd-config/etcd.config --config-dir=/tmp/cilium/config-map --enable-node-port=true --enable-host-port=true --enable-health-check-nodeport=false --kube-proxy-replacement=partial --enable-host-reachable-services=false --enable-egress-gateway=false --arping-refresh-period=30s socket_info=domain=17(AF_PACKET) type=3 proto=1544  container_id=1cd95eda1102 container_name=cilium-agent image=docker.io/digitalocean/cilium:1.10.1-con-4989) k8s.ns=kube-system k8s.pod=cilium-k4xg8 container=1cd95eda1102 k8s.ns=kube-system k8s.pod=cilium-k4xg8 container=1cd95eda1102
2022-01-12T19:46:52+09:00 {filename="/var/log/pods/monitoring_falco-277hd_46e708ef-9986-4aad-aab5-8cb122c48ef5/falco/0.log", pod="falco-277hd"} 2022-01-12T10:46:52.584142451Z stdout F 10:46:52.581403259: Notice Packet socket was created in a container (user=root user_loginuid=-1 command=cilium-agent --kvstore=etcd --kvstore-opt=etcd.config=/var/lib/etcd-config/etcd.config --config-dir=/tmp/cilium/config-map --enable-node-port=true --enable-host-port=true --enable-health-check-nodeport=false --kube-proxy-replacement=partial --enable-host-reachable-services=false --enable-egress-gateway=false --arping-refresh-period=30s socket_info=domain=17(AF_PACKET) type=3 proto=1544  container_id=ea4a6e4181c7 container_name=cilium-agent image=docker.io/digitalocean/cilium:1.10.1-con-4989) k8s.ns=kube-system k8s.pod=cilium-cd24t container=ea4a6e4181c7 k8s.ns=kube-system k8s.pod=cilium-cd24t container=ea4a6e4181c7

As a test, log in to a wordpress pod

kubectl exec -n wp -it wordpress-75ddd98655-mnn4t -c wordpress -- bash
I have no name!@wordpress-75ddd98655-mnn4t:/$

Doing so produces a log entry like the following.

logcli query '{namespace="monitoring", container="falco"}|="wordpress"'
2022-01-12T19:52:18+09:00 {} 2022-01-12T10:52:17.562335509Z stdout F 10:52:17.550759111: Notice A shell was spawned in a container with an attached terminal (user=<NA> user_loginuid=-1 k8s.ns=wp k8s.pod=wordpress-75ddd98655-mnn4t container=6fc8a03d065d shell=bash parent=runc cmdline=bash terminal=34816 container_id=6fc8a03d065d image=docker.io/bitnami/wordpress) k8s.ns=wp k8s.pod=wordpress-75ddd98655-mnn4t container=6fc8a03d065d
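The logcli output above mixes three layers: the Loki timestamp and stream labels, the CRI "stdout F" prefix, and finally Falco's own "<time>: <Priority> <rule output>" line with its key=value field block. The following parser, an added example that is not part of the original post or of the Falco project, splits those layers apart and filters for the "shell spawned with an attached terminal" events seen when someone execs into a pod, so the same check can be run over a saved logcli dump. The sample lines are constructed (shortened copies of the entries shown on this page plus one non-Falco line); the function names and the rule-description match are assumptions of this example, not Falco APIs.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Falco writes "<time>: <Priority> <rule output text>" to stdout; when the pod log
# is read back through Loki/logcli it is prefixed with the Loki timestamp, the
# stream labels and the CRI "stdout F" marker. The regex skips any such prefix and
# anchors on Falco's own timestamp followed by a Falco priority name.
FALCO_LINE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+): "
    r"(?P<priority>Emergency|Alert|Critical|Error|Warning|Notice|Informational|Debug) "
    r"(?P<rest>.*)$"
)
# A token starts a new field only if it is a bare identifier (dots allowed, e.g.
# k8s.ns) followed by "=". Tokens like "--kvstore=etcd" therefore stay part of the
# preceding command= value instead of being mistaken for a new key.
KV_START = re.compile(r"^([A-Za-z0-9_.]+)=(.*)$")

SHELL_RULE_TEXT = "A shell was spawned in a container with an attached terminal"


@dataclass
class FalcoEvent:
    time: str
    priority: str
    description: str                       # rule output text before the "(...)" block
    fields: Dict[str, str] = field(default_factory=dict)


def parse_fields(text: str) -> Dict[str, str]:
    """Parse Falco's space-separated key=value block, keeping spaces inside values."""
    fields: Dict[str, str] = {}
    current: Optional[str] = None
    for token in text.split():
        m = KV_START.match(token)
        if m:
            current = m.group(1)
            fields[current] = m.group(2)
        elif current is not None:
            fields[current] += " " + token
    return fields


def parse_falco_line(line: str) -> Optional[FalcoEvent]:
    """Return a FalcoEvent for a log line that contains Falco output, else None."""
    m = FALCO_LINE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    open_idx = rest.find(" (")
    close_idx = rest.rfind(")")
    if open_idx == -1 or close_idx < open_idx:
        # No field block: keep the whole text as the description.
        return FalcoEvent(m.group("time"), m.group("priority"), rest.strip())
    description = rest[:open_idx].strip()
    fields = parse_fields(rest[open_idx + 2:close_idx])
    # Falco repeats k8s.ns / k8s.pod / container after the ")"; merge them so callers
    # can rely on those keys being present even for rules that omit them inside.
    fields.update(parse_fields(rest[close_idx + 1:]))
    return FalcoEvent(m.group("time"), m.group("priority"), description, fields)


def interactive_shells(lines: List[str], namespace: Optional[str] = None) -> List[FalcoEvent]:
    """Select interactive-shell events, optionally restricted to one namespace."""
    hits = []
    for line in lines:
        ev = parse_falco_line(line)
        if ev is None or not ev.description.startswith(SHELL_RULE_TEXT):
            continue
        if namespace is not None and ev.fields.get("k8s.ns") != namespace:
            continue
        hits.append(ev)
    return hits


# Constructed sample lines, shortened from the logcli output shown above.
SAMPLE_LOGCLI_OUTPUT = [
    '2022-01-12T19:46:56+09:00 {pod="falco-zm822"} 2022-01-12T10:46:55.954335586Z stdout F '
    '10:46:55.936548438: Notice Packet socket was created in a container (user=root '
    'user_loginuid=-1 command=cilium-agent --kvstore=etcd --enable-node-port=true '
    'socket_info=domain=17(AF_PACKET) type=3 proto=1544  container_id=9ebe81a9f2d1 '
    'container_name=cilium-agent image=docker.io/digitalocean/cilium:1.10.1-con-4989) '
    'k8s.ns=kube-system k8s.pod=cilium-d45js container=9ebe81a9f2d1',
    '2022-01-12T19:52:18+09:00 {} 2022-01-12T10:52:17.562335509Z stdout F '
    '10:52:17.550759111: Notice A shell was spawned in a container with an attached terminal '
    '(user=<NA> user_loginuid=-1 k8s.ns=wp k8s.pod=wordpress-75ddd98655-mnn4t '
    'container=6fc8a03d065d shell=bash parent=runc cmdline=bash terminal=34816 '
    'container_id=6fc8a03d065d image=docker.io/bitnami/wordpress) '
    'k8s.ns=wp k8s.pod=wordpress-75ddd98655-mnn4t container=6fc8a03d065d',
    # A constructed non-rule line: the parser must skip it rather than misparse it.
    '2022-01-12T19:40:00+09:00 {pod="falco-zm822"} 2022-01-12T10:40:00.000000000Z stdout F '
    'Falco initialized with configuration file /etc/falco/falco.yaml',
]


if __name__ == "__main__":
    for ev in interactive_shells(SAMPLE_LOGCLI_OUTPUT, namespace="wp"):
        print(f"{ev.time} {ev.priority} ns={ev.fields['k8s.ns']} "
              f"pod={ev.fields['k8s.pod']} user={ev.fields['user']} shell={ev.fields['shell']}")
```

Piping a real dump works the same way (`logcli query ... | python3 parse_falco.py` with `sys.stdin` in place of the sample list). Note that the packet-socket events from cilium-agent are expected on DOKS, so filtering by rule text and namespace, as above, is what separates the exec into the wordpress pod from that background noise.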

Notes

On DigitalOcean Kubernetes (DOKS) the procedure above was enough, but installing on GCP GKE requires the additional steps described here.

https://falco.org/ja/docs/getting-started/third-party/#gke
