Falco in Kubernetes with Alertmanager notifications

tjtharrison
5 min read · Oct 21, 2023

If you’ve been following my articles, I have recently set up a homelab of 3 Kubernetes nodes while training for my CKA/CKS certifications (Setting up homelab 3.0, Installing a bare-metal Kubernetes cluster with Ansible).

Now that my cluster is running I’ve been focussing on the security aspect of managing a Kubernetes cluster and have been using a tool called Falco.

Falco is a great tool for runtime security observability on Linux systems; it has excellent Kubernetes integrations and an extremely simple setup process.

We are going to be extending the default Falco installation to send alerts for malicious activity within the cluster to Alertmanager so these can be routed as appropriate.

Prerequisites

  • Kubernetes Cluster
  • Helm client installed
  • An Alertmanager instance to handle the notifications

Preparing the Falco chart

When I am using third party libraries, I like to install them as a dependency of a repository that I maintain. This allows me to include other resources that I manage (or other third party Helm charts) inside the same Helm installation on the cluster.

To do this, we’ll create a Chart.yaml file in a new repository with the below contents.

apiVersion: v2
name: falco
description: A helm chart to deploy Falco into Kubernetes
type: application
version: 1.0.0
appVersion: 1.0.0
dependencies:
  - name: falco
    version: 3.7.1
    repository: https://falcosecurity.github.io/charts

Now, we’ll want to set some overrides to the default Falco chart settings we’re using as a dependency. To do that, we’ll create a new values.yaml file in the same directory with the following contents:

falco:
  namespaceOverride: falco
  falcosidekick:
    enabled: true
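
As an added example (not from the original post), here is a values.yaml that extends the override above so Falcosidekick forwards events to an in-cluster Alertmanager. The `config.alertmanager.*` keys are assumed from the falcosidekick sub-chart's values file and the service address is a constructed placeholder, so check both against the chart version you pin:

```yaml
falco:
  namespaceOverride: falco
  falcosidekick:
    enabled: true
    config:
      alertmanager:
        # constructed placeholder: the Alertmanager Service in your monitoring namespace
        hostport: http://alertmanager.monitoring.svc.cluster.local:9093
        # only forward Warning and above; Notice-level events stay in the pod logs
        minimumpriority: warning
```

Run `helm dependency update` in the chart directory before `helm install`, then raise a test event (for example, by opening a shell in a pod) and confirm it appears as a firing alert in the Alertmanager UI.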

Optional Web UI:

If you would like to immediately see events detected by Falco without having to read the stdout logs from the pods, Falco includes an optional Web UI which can be enabled in the helm chart values as follows:

falco:
  namespaceOverride: falco
  falcosidekick…
