In the previous scenario, Practical example of Kubernetes runtime security with Falco, you learned how to investigate what happened with a defunct pod.
If you have not done it yet, it's a good idea to complete that scenario before going on with this one.
Being able to investigate an issue was nice, but what would be truly great is if, somehow, Falco automagically executed a certain action to respond to a security threat.
This is called a response engine. It works like this:
- Falco monitors containers and processes to alert on unexpected behavior. This is defined through the runtime policy built from multiple rules that define what the system should and shouldn't do.
- falco-nats forwards the alert to a message broker service, into a topic compound by
- NATS, our message broker, delivers the alert to any subscribers to the different topics.
- Kubeless, a Function as a Service (FaaS) framework that runs in Kubernetes, receives the security events and executes the configured playbooks.
A playbook is the piece of code executed when an alert is received, responding to that threat in an automated way. Some examples include:
- sending an alert to Slack
- stopping the pod by killing its container
- tainting the specific node where the pod is running
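As an added example (not code from the scenario or from Sysdig's own playbooks), here is a minimal Kubeless playbook in Python that receives a Falco alert, decides whether it warrants stopping the pod, and only then calls the Kubernetes API. It assumes the Kubeless Python runtime's `handler(event, context)` entrypoint with the NATS message in `event["data"]`, Falco's JSON output format for the alert, and a constructed sample alert; the set of rules that justify killing a pod is an assumption you would tune to your own policy.

```python
import json

# Constructed sample alert in Falco's JSON output format (json_output=true);
# the pod name, container id and timestamp are made up for this example.
SAMPLE_ALERT = json.dumps({
    "output": "Notice A shell was spawned in a container (user=root shell=bash)",
    "priority": "Notice",
    "rule": "Terminal shell in container",
    "time": "2019-05-08T15:32:01.123456789Z",
    "output_fields": {
        "k8s.ns.name": "default",
        "k8s.pod.name": "nginx-7db9fccd9b-8dnv7",
        "container.id": "0c1d2e3f4a5b",
        "user.name": "root",
        "proc.cmdline": "bash",
    },
})

# Rules and priorities that justify stopping the pod (assumption; tune per policy).
KILL_RULES = {"Terminal shell in container"}
KILL_PRIORITIES = {"Emergency", "Alert", "Critical", "Error", "Warning", "Notice"}

def parse_alert(data):
    """Accept the raw NATS payload (JSON string or bytes) or an already-decoded dict."""
    if isinstance(data, (bytes, bytearray)):
        data = data.decode("utf-8")
    return json.loads(data) if isinstance(data, str) else dict(data)

def plan_response(alert):
    """Map an alert to a playbook action without touching the cluster."""
    fields = alert.get("output_fields", {})
    ns, pod = fields.get("k8s.ns.name"), fields.get("k8s.pod.name")
    if not pod:
        return {"action": "ignore", "reason": "alert carries no pod metadata"}
    if alert.get("rule") in KILL_RULES and alert.get("priority") in KILL_PRIORITIES:
        return {"action": "delete_pod", "namespace": ns, "pod": pod,
                "reason": alert.get("rule")}
    return {"action": "notify", "namespace": ns, "pod": pod,
            "message": alert.get("output", "")}

def delete_pod(namespace, pod):
    """Stop the pod via the official client, using the in-cluster service account."""
    from kubernetes import client, config  # imported lazily so parsing runs offline
    config.load_incluster_config()
    client.CoreV1Api().delete_namespaced_pod(pod, namespace)

def handler(event, context):
    """Kubeless entrypoint: the NATS trigger puts the message in event['data']."""
    plan = plan_response(parse_alert(event["data"]))
    if plan["action"] == "delete_pod":
        delete_pod(plan["namespace"], plan["pod"])
    return json.dumps(plan)
```

Keeping the decision (`plan_response`) separate from the side effect (`delete_pod`) lets you unit-test the playbook's logic against captured alerts before granting its service account permission to delete pods.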
Based on Sysdig Blog articles: https://sysdig.com/blog/.
In this course you experimented with the Sysdig Falco Response Engine. You learned how to deploy playbooks that respond automatically to a given security threat by taking appropriate actions.
Eager to learn more? These are some recommended further steps:
Blocking security threats with Falco Response Engine
Setting up the environment
We have set up a Kubernetes cluster just for you.
On the right you can see the terminal of the master node, from which you can interact with the cluster using the kubectl tool, which is already configured.
For instance, you can get the details of the cluster executing
You can view the nodes in the cluster with the command
kubectl get nodes
You should see 2 nodes: one master and a worker.
Check that you are admin:
kubectl auth can-i create node
You can view the current status of our cluster using the command
kubectl get pod -n kube-system