☸️Kubernetes Runtime Security with Falco Labs

🎯 Objective

Deploy and use Falco to detect suspicious activity and runtime security events inside a Kubernetes cluster.

---

🧰 Prerequisites

• Kubernetes cluster

• kubectl configured

• Helm installed

---

🔹 Lab 1: Install Falco using Helm

Add the Falco Helm repository:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Install Falco:

helm install --replace falco --namespace falco --create-namespace --set tty=true falcosecurity/falco

✅ Falco daemonset is deployed to monitor syscalls on all cluster nodes.

---

🔹 Lab 2: Check Falco is Running

kubectl get pods -n falco
kubectl logs -n falco -l app=falco

✅ Falco should be logging system call events.

---

🔹 Lab 3: Trigger Suspicious Activities

Step 1: Create a Pod to Simulate an Attacker

kubectl create deployment nginx --image=nginx

---

Step 2: Touch a Sensitive File

kubectl exec -it $(kubectl get pods --selector=app=nginx -o name) -- cat /etc/shadow

✅ Expected: Falco alerts on sensitive file access.

---

Step 3: Start a Shell Inside a Container (Unexpected Shell)

kubectl exec -it $(kubectl get pods --selector=app=nginx -o name) -- bash

✅ Expected: Falco may alert on a shell being spawned in a container.

---

Step 4: Make a Network Connection from Pod

Inside the pod:

apt install wget
wget http://example.com

✅ Expected: Falco alerts on wget.

---

🔹 Lab 4: View Falco Alerts

Check Falco logs:

kubectl logs -l app.kubernetes.io/name=falco -n falco -c falco

✅ You should see alerts for file access, shell execution or network activity.

---

🔹 Lab 5: Clean Up

kubectl delete deployment nginx
helm uninstall falco

---

✅ Wrap-Up

• ✅ Installed Falco with Helm

• ✅ Triggered multiple runtime security events

• ✅ Detected suspicious activity like file tampering, shell spawning, network access, and privilege escalation

• ✅ Practiced real-world runtime threat detection

---