Static analysis and image scanning are not enough. Runtime security detects anomalies in running containers and processes.
Falco¶
Installation¶
helm repo add falcosecurity https://falcosecurity.github.io/charts helm install falco falcosecurity/falco
Custom rules¶
- rule: Crypto mining detected condition: spawned_process and proc.name in (xmrig, minerd) output: “Crypto miner detected (container=%container.name cmd=%proc.cmdline)” priority: CRITICAL
- rule: Sensitive file read condition: open_read and fd.name in (/etc/shadow, /etc/passwd) output: “Sensitive file read (file=%fd.name container=%container.name)” priority: WARNING
Tetragon — eBPF based¶
Installation¶
helm install tetragon cilium/tetragon -n kube-system
Policy — block unwanted syscalls¶
apiVersion: cilium.io/v1alpha1 kind: TracingPolicy metadata: name: block-privileged-syscalls spec: kprobes: - call: __x64_sys_ptrace selectors: - matchActions: - action: Sigkill
Key Takeaway¶
Falco for detection, Tetragon for enforcement. Runtime security is the last line of defense.
securityruntimefalcokubernetes