
Falco + Chamber in Fargate


david.lladro@...
 

Hi all,
following Kris Nova's advice, I'm sharing our use case and concerns with you.

Right now we are using Fargate to deploy our production workloads with an internal PaaS.
To pass secrets to the containers, we are using Chamber ( https://github.com/segmentio/chamber ).
We are overloading the entrypoint with Chamber, which spawns our app with the appropriate secrets in the environment.

After learning of Falco's support for userspace, we mimicked Kris Nova's PoC and we liked how Falco instruments inside Fargate.

Our concern is that Falco uses the same approach as Chamber, so if we want to deploy Falco in our environment we would have something like two levels of overload: Falco -> Chamber -> App.
We don't know if this is the best approach, or how difficult it would be to troubleshoot problems with it.
 
What do you think?
 
Regards
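What the "Falco -> Chamber -> App" chain looks like as a single POSIX sh entrypoint, written here as an added example (not code from this thread, from Falco, or from Chamber). It assumes the flags `falco -u` and `pdig -a -- <cmd>` from the Falco userspace PoC (override with FALCO_ARGS / PDIG_ARGS if your build differs); `chamber exec <service> -- <cmd>` is Chamber's real syntax. The stub binaries in `make_stubs` are constructed stand-ins so the chain can be run offline; they only imitate the exec-through behaviour of the real tools.

```shell
#!/bin/sh
# Added example (not from the thread, Falco or Chamber): a chained entrypoint
# giving a Fargate task the Falco -> Chamber -> App layering discussed above.
# ASSUMED, not confirmed by the thread: "falco -u" starts the userspace sensor
# and "pdig -a -- <cmd>" wraps the app, as in the PoC. FALCO_ARGS/PDIG_ARGS and
# the *_BIN paths can be overridden if your images differ.

log() { printf '[entrypoint] %s\n' "$*" >&2; }

# Usage: run_layered <chamber-service> <app-cmd> [args...]
# Falco runs as a background sibling; the shell then execs into the
# pdig -> chamber -> app chain, so the app ends up as PID 1, receives SIGTERM
# from ECS directly, and its exit code is the container's exit code. That is
# what keeps the two wrapper layers debuggable: a non-zero exit is the app's
# own, and the log lines below record every wrapper that ran.
run_layered() {
  service=$1; shift
  [ "$#" -gt 0 ] || { log "no app command given"; return 64; }

  falco_bin=${FALCO_BIN:-falco}
  pdig_bin=${PDIG_BIN:-pdig}
  chamber_bin=${CHAMBER_BIN:-chamber}

  # Layer 1: Falco userspace sensor (assumed "-u"). Its output is sent to
  # stderr so alerts never interleave with the app's stdout. When the app
  # (PID 1) exits the container stops, which also ends Falco.
  # FALCO_ARGS is intentionally unquoted so it word-splits into flags.
  "$falco_bin" ${FALCO_ARGS:--u} >&2 &
  log "falco started (pid $!)"

  # Layers 2 and 3: pdig instruments the process tree beneath it; chamber
  # fetches the service's secrets into the environment and execs the app.
  log "exec: $pdig_bin ${PDIG_ARGS:--a} -- $chamber_bin exec $service -- $*"
  exec "$pdig_bin" ${PDIG_ARGS:--a} -- "$chamber_bin" exec "$service" -- "$@"
}

# Constructed stand-ins for the real binaries so the chain can be exercised
# offline. They reproduce only the exec-through behaviour of the real tools.
make_stubs() {
  dir=$(mktemp -d)
  cat > "$dir/falco" <<'EOF'
#!/bin/sh
exec sleep 1
EOF
  cat > "$dir/pdig" <<'EOF'
#!/bin/sh
while [ "$1" != "--" ]; do shift; done   # drop pdig's own flags
shift
exec "$@"
EOF
  cat > "$dir/chamber" <<'EOF'
#!/bin/sh
svc=$2; shift 3                          # consume "exec <service> --"
export DB_PASSWORD="secret-for-$svc"     # fake secret instead of SSM lookup
exec "$@"
EOF
  cat > "$dir/app" <<'EOF'
#!/bin/sh
echo "secret=$DB_PASSWORD"
exit 3                                   # deliberate non-zero exit
EOF
  chmod +x "$dir/falco" "$dir/pdig" "$dir/chamber" "$dir/app"
  printf '%s\n' "$dir"
}

# Runs the chain against the stubs and prints what the app saw, then the exit
# code that came back through all three layers.
demo() {
  dir=$(make_stubs)
  out=$(
    FALCO_BIN="$dir/falco" PDIG_BIN="$dir/pdig" CHAMBER_BIN="$dir/chamber"
    run_layered payments "$dir/app"
  ) && rc=0 || rc=$?
  rm -rf "$dir"
  printf '%s\nrc=%s\n' "$out" "$rc"
}
```

For real use, end the script with `run_layered "$@"` and set `ENTRYPOINT ["/entrypoint.sh", "payments", "/app/server"]` in the Dockerfile; `demo` exists only to exercise the chain offline. Because every layer execs the next, a hang or crash is attributable from the single `[entrypoint]` log line plus the exit code, which is the practical answer to the troubleshooting worry.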


Kris Nova
 

Hey David,

When you say overload, do you mean building off a pre-existing container image? If it was me, I would just bake everything into a base image (Falco and Chamber) and build on that.

We don't have formal support for the userspace components (yet), but if you or anyone else is deeply interested in helping bake this into the pipeline, there is an infra working group that would be where I would start. Hope this helps.

On Tue, Oct 6, 2020 at 1:30 AM david.lladro via lists.cncf.io <david.lladro=flywire.com@...> wrote:



--
Kris Nova
Chief Open Source Advocate


85 2nd Street
San Francisco, CA 94105