Adding Falco exceptions in Kubernetes

tjtharrison
4 min read · Nov 5, 2023

In a previous article, I covered the process for installing Falco in Kubernetes using Helm (Falco in Kubernetes with Alertmanager notifications).

Now that I have been running Falco for a few weeks, I have found a few recurring cases where I want to make some customisations or exceptions to the out-of-the-box rules provided by Falco.


For example, on a daily basis my Pihole deployment runs a few commands to print the current version, branch and commit of the running version.

It runs 3 commands in turn:

pihole-FTL version
pihole-FTL branch
pihole-FTL --hash

If this were from an internal application rather than a third party tool, it would be time to have a chat with the development team to understand why this tool can't run as an ephemeral job rather than within the main deployment.

As this is a third party tool, we'll create an exception so Falco will not notify for these particular commands being run from this deployment.
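One way to express that exception, as an added example rather than the author's own config: a custom rules file loaded through the Falco Helm chart's customRules values key, appending an exception to whichever default rule fired for the three pihole-FTL commands. The rule name, the image repository (pihole/pihole) and the namespace are assumptions; replace them with the rule: and container.image.repository values shown in your own alert.

```yaml
# values.yaml fragment for the falcosecurity/falco Helm chart (example, not from the article).
# Each key under customRules becomes a rules file mounted into the Falco container.
customRules:
  pihole-exceptions.yaml: |-
    # Assumed placeholder: use the exact "rule" name from the alert you want to silence.
    - rule: RULE_NAME_FROM_YOUR_ALERT
      exceptions:
        # Every row below must match ALL fields for the event to be exempted,
        # so a different image or namespace running the same command still alerts.
        - name: pihole_version_commands
          fields: [container.image.repository, k8s.ns.name, proc.cmdline]
          comps: [=, =, =]
          values:
            - [pihole/pihole, pihole, pihole-FTL version]
            - [pihole/pihole, pihole, pihole-FTL branch]
            - [pihole/pihole, pihole, pihole-FTL --hash]
      # Append to the rule's existing exceptions instead of redefining the whole rule.
      # On Falco releases before 0.36 the equivalent is "append: true".
      override:
        exceptions: append
```

Keep the match as narrow as the three exact command lines: widening it to proc.name alone would also hide any other pihole-FTL invocation, which is exactly the kind of unexpected execution the rule exists to surface.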

This does not indicate a security concern, so, to reduce alert fatigue (see an article I wrote here on writing good security alerts), we should…