Difficulty: medium
Estimated Time: 20 minutes

In the previous scenario, Practical example of Kubernetes runtime security with Falco, you learned how to investigate what happened with a defunct pod.

If you have not done it yet, it's a good idea to complete that scenario before going on with this one.

Being able to investigate an issue was nice, but what would be truly great is if, somehow, Falco automagically executed a certain action to respond to a security threat.

This is called a response engine. It works like this:

  • Falco monitors containers and processes to alert on unexpected behavior. This is defined through the runtime policy built from multiple rules that define what the system should and shouldn't do.
  • falco-nats forwards the alert to a message broker service, into a topic compound by falco.<severity>.<rule_name_slugified>.
  • NATS, our message broker, delivers the alert to any subscribers to the different topics.
  • Kubeless, a Function as a Service (FaaS) framework that runs in Kubernetes, receives the security events and executes the configured playbooks.

A playbook is the piece code executed when an alert is received to respond to that threat in an automated way. Some examples include:

  • sending an alert to Slack
  • stop the pod killing the container
  • taint the specific node where the pod is running


Based on Sysdig Blog articles: https://sysdig.com/blog/.

In this course you experimented with Sysdig Falco Response Engine. You learned how to deploy playbooks that respond automatically to a certain security threat taking appropriate actions.

Eager to learn more? These are some recommended further steps:

Blocking security threats with Falco Response Engine

Step 1 of 7

Setting up the environment

We have set up a Kubernetes cluster just for you.
On the right you can see the terminal of the master node, from which you can interact with the cluster using the kubectl tool, which is already configured.

For instance, you can get the details of the cluster executing kubectl cluster-info

You can view the nodes in the cluster with the command kubectl get nodes

You should see 2 nodes: one master and a worker.

Check that you are admin: kubectl auth can-i create node

You can view the current status of our cluster using the command kubectl get pod -n kube-system