Statická analýza a skenování images nestačí. Runtime security detekuje anomálie v běžících kontejnerech a procesech.
Falco¶
Instalace¶
helm repo add falcosecurity https://falcosecurity.github.io/charts helm install falco falcosecurity/falco
Custom rules¶
- rule: Crypto mining detected condition: spawned_process and proc.name in (xmrig, minerd) output: “Crypto miner detected (container=%container.name cmd=%proc.cmdline)” priority: CRITICAL
- rule: Sensitive file read condition: open_read and fd.name in (/etc/shadow, /etc/passwd) output: “Sensitive file read (file=%fd.name container=%container.name)” priority: WARNING
Tetragon — eBPF based¶
Instalace¶
helm install tetragon cilium/tetragon -n kube-system
Policy — blokovat nežádoucí syscally¶
apiVersion: cilium.io/v1alpha1 kind: TracingPolicy metadata: name: block-privileged-syscalls spec: kprobes: - call: __x64_sys_ptrace selectors: - matchActions: - action: Sigkill
Klíčový takeaway¶
Falco pro detekci, Tetragon pro enforcement. Runtime security je poslední obranná linie.
securityruntimefalcokubernetes