
Re: Run Falco as sidecar container in Amazon Elastic Kubernetes service(EKS)

Rajeev
 

It is showing pods properly.

Generated the activity like below:
touch /etc/2
cat /etc/shadow > /dev/null 2>&1


I don't see any new logs on the Falco pods. The Falco pods are running in the default namespace. The event I am trying to generate is in a different namespace. Will there be any effect due to this?

How can I validate if the daemon is running on any node?



From: cncf-falco-dev@... <cncf-falco-dev@...> on behalf of Spencer Krum via lists.cncf.io <nibz=spencerkrum.com@...>
Sent: 22 February 2021 22:02
To: cncf-falco-dev@... <cncf-falco-dev@...>
Subject: Re: [cncf-falco-dev] Run Falco as sidecar container in Amazon Elastic Kubernetes service(EKS)
 
Hi Rajeev,

Can you show the output of several commands for us?

helm list

kubectl get ds -o wide

kubectl get node

kubectl get pod -o wide | grep falco

If you can find a falco pod you can run `kubectl logs <pod>` directly to see if it's generating anything on stdout. And you can create synthetic events as mentioned in that blog post.

Hope this helps!
Spencer

On Mon, Feb 22, 2021, at 10:13 AM, Rajeev wrote:


It is not reporting logs. Not sure if I missed any important step.

Could you please point me to any reference document which I can replicate and validate a working setup, or throw some pointers like installing as a daemon and validating the installation?






From: Dan Miles (UK) <daniel.miles@...>
Sent: 22 February 2021 19:54
To: Rajeev <rajeev@...>
Cc: cncf-falco-dev@... <cncf-falco-dev@...>
Subject: Re: [cncf-falco-dev] Run Falco as sidecar container in Amazon Elastic Kubernetes service(EKS)
 
Hi Rajeev,

The correct pattern here is not a sidecar but a daemonset. 

We do something similar with GKE and ephemeral nodes, a daemonset will ensure that Falco is available across each node as they come up. 

A sidecar really isn’t the pattern here

-Dan


On Mon, 22 Feb 2021 at 13:25, Rajeev <rajeev@...> wrote:

Hi, 

We are using Amazon Elastic Kubernetes Service with no dedicated nodes to deploy our stateless services. Now I want to use Falco for runtime container security. But as EKS spins ephemeral pods on dynamic nodes, I was not able to install Falco.

Some developers are suggesting to run it as a sidecar container in each pod so that it listens from there and logs which can be transferred to Amazon CloudWatch.

Can someone point me to a Docker image of Falco to run as a sidecar container? Also share if there are any published resources available to deploy Falco into EKS.


Thanks,
Rajeev




-------------------- End of message text --------------------
We're working with our industry experts to provide businesses with the information they need to respond to COVID-19. Subscribe here to receive our latest insights and podcast episodes straight to your inbox.
----------------------------------------------------------------
This email is confidential and is intended for the addressee only. If you are not the addressee, please delete the email and do not use it in any way.
PricewaterhouseCoopers LLP accepts no liability for any use of or reliance on this email by anyone, other than the intended addressee to the extent agreed in the relevant contract for the matter to which this email relates (if any).
PricewaterhouseCoopers LLP is a limited liability partnership registered in England under registered number OC303525, with its registered address at 1 Embankment Place, London, WC2N 6RH. It is authorised and regulated by the Financial Conduct Authority for designated investment business and by the Solicitors Regulation Authority for regulated legal activities. For security purposes and other lawful business purposes, PwC monitors outgoing and incoming emails and may monitor other telecommunications on its email and telecommunications systems.
----------------------------------------------------------------
Visit our website http://www.pwc.com/uk and see our privacy statement for details of why and how we use personal data and your rights (including your right to object and to stop receiving direct marketing from us).
----------------------------------------------------------------

-- 
  Spencer Krum
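
The per-node check behind the commands listed in this thread, as an added example that is not from the thread or the Falco project: it lists nodes with no running Falco pod and shows which Falco pod covers a given workload, since a DaemonSet pod observes its node's kernel whatever namespace the workload is in. The DaemonSet name `falco`, the node names and the pod names are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): find nodes that have no running Falco pod.
# Assumption: the DaemonSet is named "falco", so its pods are "falco-<suffix>".

# Constructed sample of:
#   kubectl get node --no-headers -o custom-columns=NAME:.metadata.name
SAMPLE_NODES='ip-10-0-1-11.ec2.internal
ip-10-0-2-22.ec2.internal
ip-10-0-3-33.ec2.internal'

# Constructed sample of:
#   kubectl get pod -A --no-headers -o \
#     custom-columns=NODE:.spec.nodeName,NS:.metadata.namespace,NAME:.metadata.name,PHASE:.status.phase
SAMPLE_PODS='ip-10-0-1-11.ec2.internal   default    falco-x7k2p                       Running
ip-10-0-2-22.ec2.internal   default    falco-9qd4m                       Running
ip-10-0-1-11.ec2.internal   payments   api-5d9c7b6f4-abcde               Running
ip-10-0-3-33.ec2.internal   payments   api-5d9c7b6f4-fghij               Running
ip-10-0-3-33.ec2.internal   default    falco-falcosidekick-7c9d8f-zzzzz  Running'

# falco_nodes PODS [DS_NAME]
# Nodes that host a Running pod named "<DS_NAME>-<suffix>". The strict pattern
# keeps helper pods such as "falco-falcosidekick-..." from counting as coverage.
falco_nodes() {
  printf '%s\n' "$1" |
    awk -v re="^${2:-falco}-[a-z0-9]+\$" '$3 ~ re && $4 == "Running" { print $1 }' |
    sort -u
}

# uncovered_nodes NODES PODS [DS_NAME]
# Nodes from NODES that are absent from falco_nodes: nothing is watching them.
uncovered_nodes() {
  covered=$(falco_nodes "$2" "$3")
  printf '%s\n' "$1" | while IFS= read -r node; do
    [ -n "$node" ] || continue
    printf '%s\n' "$covered" | grep -qxF -- "$node" || printf '%s\n' "$node"
  done
}

# falco_pod_for NAMESPACE POD_NAME PODS [DS_NAME]
# Prints "<namespace>/<name>" of the Falco pod on the same node as the workload,
# or nothing when that node has no Falco pod. Coverage follows the node, not the
# namespace of the workload.
falco_pod_for() {
  printf '%s\n' "$3" |
    awk -v ns="$1" -v name="$2" -v re="^${4:-falco}-[a-z0-9]+\$" '
      $2 == ns && $3 == name       { node = $1 }
      $3 ~ re && $4 == "Running"   { falco[$1] = $2 "/" $3 }
      END { if (node in falco) print falco[node] }'
}

echo "Nodes without a running Falco pod:"
uncovered_nodes "$SAMPLE_NODES" "$SAMPLE_PODS"

echo "Falco pod covering payments/api-5d9c7b6f4-abcde:"
falco_pod_for payments api-5d9c7b6f4-abcde "$SAMPLE_PODS"
```

A pod in phase Running can still be restarting, so read `kubectl logs <pod>` as suggested in the thread before trusting a node as covered.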



Re: Run Falco as sidecar container in Amazon Elastic Kubernetes service(EKS)

 

Hi Rajeev,

Can you show the output of several commands for us?

helm list

kubectl get ds -o wide

kubectl get node

kubectl get pod -o wide | grep falco

If you can find a falco pod you can run `kubectl logs <pod>` directly to see if it's generating anything on stdout. And you can create synthetic events as mentioned in that blog post.

Hope this helps!
Spencer

On Mon, Feb 22, 2021, at 10:13 AM, Rajeev wrote:


It is not reporting logs. Not sure if I missed any important step.

Could you please point me to any reference document which I can replicate and validate a working setup, or throw some pointers like installing as a daemon and validating the installation?






From: Dan Miles (UK) <daniel.miles@...>
Sent: 22 February 2021 19:54
To: Rajeev <rajeev@...>
Cc: cncf-falco-dev@... <cncf-falco-dev@...>
Subject: Re: [cncf-falco-dev] Run Falco as sidecar container in Amazon Elastic Kubernetes service(EKS)
 
Hi Rajeev,

The correct pattern here is not a sidecar but a daemonset. 

We do something similar with GKE and ephemeral nodes, a daemonset will ensure that Falco is available across each node as they come up. 

A sidecar really isn’t the pattern here

-Dan


On Mon, 22 Feb 2021 at 13:25, Rajeev <rajeev@...> wrote:

Hi, 

We are using Amazon Elastic Kubernetes Service with no dedicated nodes to deploy our stateless services. Now I want to use Falco for runtime container security. But as EKS spins ephemeral pods on dynamic nodes, I was not able to install Falco.

Some developers are suggesting to run it as a sidecar container in each pod so that it listens from there and logs which can be transferred to Amazon CloudWatch.

Can someone point me to a Docker image of Falco to run as a sidecar container? Also share if there are any published resources available to deploy Falco into EKS.


Thanks,
Rajeev





-- 
  Spencer Krum



Re: Run Falco as sidecar container in Amazon Elastic Kubernetes service(EKS)

Rajeev
 


It is not reporting logs. Not sure if I missed any important step.

Could you please point me to any reference document which I can replicate and validate a working setup, or throw some pointers like installing as a daemon and validating the installation?




From: Dan Miles (UK) <daniel.miles@...>
Sent: 22 February 2021 19:54
To: Rajeev <rajeev@...>
Cc: cncf-falco-dev@... <cncf-falco-dev@...>
Subject: Re: [cncf-falco-dev] Run Falco as sidecar container in Amazon Elastic Kubernetes service(EKS)
 
Hi Rajeev,

The correct pattern here is not a sidecar but a daemonset. 

We do something similar with GKE and ephemeral nodes, a daemonset will ensure that Falco is available across each node as they come up. 

A sidecar really isn’t the pattern here

-Dan


On Mon, 22 Feb 2021 at 13:25, Rajeev <rajeev@...> wrote:

Hi, 

We are using Amazon Elastic Kubernetes Service with no dedicated nodes to deploy our stateless services. Now I want to use Falco for runtime container security. But as EKS spins ephemeral pods on dynamic nodes, I was not able to install Falco.

Some developers are suggesting to run it as a sidecar container in each pod so that it listens from there and logs which can be transferred to Amazon CloudWatch.

Can someone point me to a Docker image of Falco to run as a sidecar container? Also share if there are any published resources available to deploy Falco into EKS.


Thanks,
Rajeev




Re: Run Falco as sidecar container in Amazon Elastic Kubernetes service(EKS)

Dan Miles (UK)
 

Hi Rajeev,

The correct pattern here is not a sidecar but a daemonset. 

We do something similar with GKE and ephemeral nodes, a daemonset will ensure that Falco is available across each node as they come up. 

A sidecar really isn’t the pattern here

-Dan


On Mon, 22 Feb 2021 at 13:25, Rajeev <rajeev@...> wrote:

Hi, 

We are using Amazon Elastic Kubernetes Service with no dedicated nodes to deploy our stateless services. Now I want to use Falco for runtime container security. But as EKS spins ephemeral pods on dynamic nodes, I was not able to install Falco.

Some developers are suggesting to run it as a sidecar container in each pod so that it listens from there and logs which can be transferred to Amazon CloudWatch.

Can someone point me to a Docker image of Falco to run as a sidecar container? Also share if there are any published resources available to deploy Falco into EKS.


Thanks,
Rajeev




Run Falco as sidecar container in Amazon Elastic Kubernetes service(EKS)

Rajeev
 


Hi, 

We are using Amazon Elastic Kubernetes Service with no dedicated nodes to deploy our stateless services. Now I want to use Falco for runtime container security. But as EKS spins ephemeral pods on dynamic nodes, I was not able to install Falco.

Some developers are suggesting to run it as a sidecar container in each pod so that it listens from there and logs which can be transferred to Amazon CloudWatch.

Can someone point me to a Docker image of Falco to run as a sidecar container? Also share if there are any published resources available to deploy Falco into EKS.


Thanks,
Rajeev


Falco Community Call - Wed, 02/17/2021 4:00pm-5:00pm #cal-reminder

cncf-falco-dev@lists.cncf.io Calendar <cncf-falco-dev@...>
 

Reminder: Falco Community Call

When: Wednesday, 17 February 2021, 4:00pm to 5:00pm, (GMT+00:00) UTC

Where: https://zoom.us/my/cncffalcoproject

Organizer: CNCF Falco Community cncf-falco-dev@...

Description: Falco Community Calls.
More information: https://github.com/falcosecurity/community
HackMD: https://hackmd.io/6sEAlInlSaGnLz2FnFz21A
Zoom: Join the call: https://zoom.us/my/cncffalcoproject


Falco Community Call - Wed, 02/10/2021 4:00pm-5:00pm #cal-reminder

cncf-falco-dev@lists.cncf.io Calendar <cncf-falco-dev@...>
 

Reminder: Falco Community Call

When: Wednesday, 10 February 2021, 4:00pm to 5:00pm, (GMT+00:00) UTC

Where: https://zoom.us/my/cncffalcoproject

Organizer: CNCF Falco Community cncf-falco-dev@...

Description: Falco Community Calls.
More information: https://github.com/falcosecurity/community
HackMD: https://hackmd.io/6sEAlInlSaGnLz2FnFz21A
Zoom: Join the call: https://zoom.us/my/cncffalcoproject


Falco Community Call - Wed, 02/03/2021 4:00pm-5:00pm #cal-reminder

cncf-falco-dev@lists.cncf.io Calendar <cncf-falco-dev@...>
 

Reminder: Falco Community Call

When: Wednesday, 3 February 2021, 4:00pm to 5:00pm, (GMT+00:00) UTC

Where: https://zoom.us/my/cncffalcoproject

Organizer: CNCF Falco Community cncf-falco-dev@...

Description: Falco Community Calls.
More information: https://github.com/falcosecurity/community
HackMD: https://hackmd.io/6sEAlInlSaGnLz2FnFz21A
Zoom: Join the call: https://zoom.us/my/cncffalcoproject


Falco Community Call - Wed, 01/27/2021 4:00pm-5:00pm #cal-reminder

cncf-falco-dev@lists.cncf.io Calendar <cncf-falco-dev@...>
 

Reminder: Falco Community Call

When: Wednesday, 27 January 2021, 4:00pm to 5:00pm, (GMT+00:00) UTC

Where: https://zoom.us/my/cncffalcoproject

Organizer: CNCF Falco Community cncf-falco-dev@...

Description: Falco Community Calls.
More information: https://github.com/falcosecurity/community
HackMD: https://hackmd.io/6sEAlInlSaGnLz2FnFz21A
Zoom: Join the call: https://zoom.us/my/cncffalcoproject


Falco Community Call - Wed, 01/20/2021 4:00pm-5:00pm #cal-reminder

cncf-falco-dev@lists.cncf.io Calendar <cncf-falco-dev@...>
 

Reminder: Falco Community Call

When: Wednesday, 20 January 2021, 4:00pm to 5:00pm, (GMT+00:00) UTC

Where: https://zoom.us/my/cncffalcoproject

Organizer: CNCF Falco Community cncf-falco-dev@...

Description: Falco Community Calls.
More information: https://github.com/falcosecurity/community
HackMD: https://hackmd.io/6sEAlInlSaGnLz2FnFz21A
Zoom: Join the call: https://zoom.us/my/cncffalcoproject


Re: Donation of libscap, libsinsp, and the drivers source to the Falco community and organization

 

This is great news. A big thanks to you and to Sysdig for making this move.

Spencer 

On Tue, Jan 19, 2021, at 5:18 AM, Leonardo Di Donato wrote:
Hello folks!
 
Sysdig Inc. intends to donate libsinsp, libscap, the kernel module driver, and the eBPF driver sources by moving them to the Falco project.
 
We wrote down the donation plan in this proposal.
 
Those are key parts of the Falco project.
When this proposal gets accepted, they will be under the same governance and community as the rest of the Falco projects.

The source code for those dependencies went through the same security audit that the Falco project went through with Cure53.

All this will be also a topic of discussion in tomorrow's community call.
We, the Falco maintainers, are extremely grateful to Sysdig Inc. for making this decision and supporting our open community even more.
Bye!
Leo & Lore.
 
P.S.: other Falco maintainers please go check out the proposal, add your own ideas/comments, etc.

-- 
  Spencer Krum



Donation of libscap, libsinsp, and the drivers source to the Falco community and organization

Leonardo Di Donato
 

Hello folks!
 
Sysdig Inc. intends to donate libsinsp, libscap, the kernel module driver, and the eBPF driver sources by moving them to the Falco project.
 
We wrote down the donation plan in this proposal.
 
Those are key parts of the Falco project.
When this proposal gets accepted, they will be under the same governance and community as the rest of the Falco projects.

The source code for those dependencies went through the same security audit that the Falco project went through with Cure53.

All this will be also a topic of discussion in tomorrow's community call.

We, the Falco maintainers, are extremely grateful to Sysdig Inc. for making this decision and supporting our open community even more.
Bye!
Leo & Lore.
 
P.S.: other Falco maintainers please go check out the proposal, add your own ideas/comments, etc.


Falco Community Call - Wed, 01/13/2021 4:00pm-5:00pm #cal-reminder

cncf-falco-dev@lists.cncf.io Calendar <cncf-falco-dev@...>
 

Reminder: Falco Community Call

When: Wednesday, 13 January 2021, 4:00pm to 5:00pm, (GMT+00:00) UTC

Where: https://zoom.us/my/cncffalcoproject

Organizer: CNCF Falco Community cncf-falco-dev@...

Description: Falco Community Calls.
More information: https://github.com/falcosecurity/community
HackMD: https://hackmd.io/6sEAlInlSaGnLz2FnFz21A
Zoom: Join the call: https://zoom.us/my/cncffalcoproject


Falco Community Call - Wed, 01/06/2021 4:00pm-5:00pm #cal-reminder

cncf-falco-dev@lists.cncf.io Calendar <cncf-falco-dev@...>
 

Reminder: Falco Community Call

When: Wednesday, 6 January 2021, 4:00pm to 5:00pm, (GMT+00:00) UTC

Where: https://zoom.us/my/cncffalcoproject

Organizer: CNCF Falco Community cncf-falco-dev@...

Description: Falco Community Calls.
More information: https://github.com/falcosecurity/community
HackMD: https://hackmd.io/6sEAlInlSaGnLz2FnFz21A
Zoom: Join the call: https://zoom.us/my/cncffalcoproject


Falco Community Call - Wed, 12/30/2020 4:00pm-5:00pm #cal-reminder

cncf-falco-dev@lists.cncf.io Calendar <cncf-falco-dev@...>
 

Reminder: Falco Community Call

When: Wednesday, 30 December 2020, 4:00pm to 5:00pm, (GMT+00:00) UTC

Where: https://zoom.us/my/cncffalcoproject

Organizer: CNCF Falco Community cncf-falco-dev@...

Description: Falco Community Calls.
More information: https://github.com/falcosecurity/community
HackMD: https://hackmd.io/6sEAlInlSaGnLz2FnFz21A
Zoom: Join the call: https://zoom.us/my/cncffalcoproject


Falco Community Call - Wed, 12/23/2020 4:00pm-5:00pm #cal-reminder

cncf-falco-dev@lists.cncf.io Calendar <cncf-falco-dev@...>
 

Reminder: Falco Community Call

When: Wednesday, 23 December 2020, 4:00pm to 5:00pm, (GMT+00:00) UTC

Where: https://zoom.us/my/cncffalcoproject

Organizer: CNCF Falco Community cncf-falco-dev@...

Description: Falco Community Calls.
More information: https://github.com/falcosecurity/community
HackMD: https://hackmd.io/6sEAlInlSaGnLz2FnFz21A
Zoom: Join the call: https://zoom.us/my/cncffalcoproject


Falco Community Call - Wed, 12/16/2020 4:00pm-5:00pm #cal-reminder

cncf-falco-dev@lists.cncf.io Calendar <cncf-falco-dev@...>
 

Reminder: Falco Community Call

When: Wednesday, 16 December 2020, 4:00pm to 5:00pm, (GMT+00:00) UTC

Where: https://zoom.us/my/cncffalcoproject

Organizer: CNCF Falco Community cncf-falco-dev@...

Description: Falco Community Calls.
More information: https://github.com/falcosecurity/community
HackMD: https://hackmd.io/6sEAlInlSaGnLz2FnFz21A
Zoom: Join the call: https://zoom.us/my/cncffalcoproject


Re: Falco Website Working Group

Leonardo Di Donato
 

Hello everyone 👋 

Some notes about the first Falco Website/Docs WG.

Participants:
- me
- Lorenzo
- Grasso
- Rajie
- Chris Kranz

So, pull request 324 is in real good shape 🤩 , although it's not ready yet. 

What we'd like to have to merge the PR in:

1. The homepage needs more work
2. Documentation versioning is the TOP feature we still don't have
    - We'd like to publish a website version on Netlify but also on S3
    - On Netlify (to which falco.org points) there will be only the latest version of docs
3. It's still not clear whether we want "end users" and "vendors" logos to be on the homepage or in another sub-page.
    - CNCF guidelines recommend having those 2 sections on the homepage
    - Ideally, we'd like to automate them using the ADOPTERS file in the Falco repository
4. Videos section is missing
    - A proposal was to create a YouTube playlist and embed it
5. Section containing the contributing guidelines generated from the falcosecurity/.github documents
    - The CONTRIBUTING file could be improved
6. Some links that bring people directly to GitHub issues from the Falco website need to be fixed

Other topics that are future steps (after this PR gets merged in):

- Create a private slack channel containing the participants of the WG
- The GOVERNANCE file needs to be improved
- Development documentation
    - Sadly, the "falco.dev" domain is taken
    - I'm working on the tooling necessary (CMake, Doxygen, CI, etc.) to generate docs from C++ code
    - We'd need the same process for other repositories - e.g., libraries made in Golang

Tasks:

Me, Lorenzo, Leo Grasso, and Rajie have scheduled cycles to work on some of these points.

However, we'd love other people helping us. The next call is on Friday... Hope to see you there, join us to help and know more! 😊 

Cheers,
Leo.


Falco Website Working Group - Fri, 12/11/2020 5:00pm-6:00pm #cal-reminder

cncf-falco-dev@lists.cncf.io Calendar <cncf-falco-dev@...>
 

Reminder: Falco Website Working Group

When: Friday, 11 December 2020, 5:00pm to 6:00pm, (GMT+01:00) Europe/Amsterdam

Where: https://zoom.us/my/cncffalcoproject

Description: Hi everyone!

As we agreed on the doodle and on Slack we want to meet this Friday 11th to talk about next development for the Falco website.

Location:


Falco Community Call - Wed, 12/09/2020 4:00pm-5:00pm #cal-reminder

cncf-falco-dev@lists.cncf.io Calendar <cncf-falco-dev@...>
 

Reminder: Falco Community Call

When: Wednesday, 9 December 2020, 4:00pm to 5:00pm, (GMT+00:00) UTC

Where: https://zoom.us/my/cncffalcoproject

Organizer: CNCF Falco Community cncf-falco-dev@...

Description: Falco Community Calls.
More information: https://github.com/falcosecurity/community
HackMD: https://hackmd.io/6sEAlInlSaGnLz2FnFz21A
Zoom: Join the call: https://zoom.us/my/cncffalcoproject
