Falco in Kubernetes with Alertmanager notifications
If you’ve been following my articles, I have recently set up a homelab of 3 Kubernetes nodes while training for my CKA/CKS certifications (Setting up homelab 3.0, Installing a bare-metal Kubernetes cluster with Ansible).
Now that my cluster is running I’ve been focussing on the security aspect of managing a Kubernetes cluster and have been using a tool called Falco.
Falco is a great tool for security observability on Linux systems; it has excellent integrations with Kubernetes and an extremely simple setup process.
We are going to be extending the default Falco installation to send alerts for malicious activity within the cluster to Alertmanager so these can be routed as appropriate.
Prerequisites
- Kubernetes Cluster
- Helm client installed
- An Alertmanager instance to handle the notifications
Preparing the Falco chart
When I am using third-party libraries, I like to install them as a dependency of a repository that I maintain. This allows me to include other resources that I manage (or other third-party Helm charts) in the same Helm installation on the cluster.
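As an added illustration of that pattern (not the post's own chart), here is a minimal umbrella chart that pulls Falco in as a dependency and overrides its values from the parent. The chart repository URL is the upstream falcosecurity one; the chart version is a placeholder you should pin to the release you actually tested, and the value keys shown are assumed from the upstream Falco chart.

```yaml
# Chart.yaml of the umbrella chart you maintain (example, not the post's code).
apiVersion: v2
name: cluster-security
description: Umbrella chart that wraps the upstream Falco chart plus our own resources
version: 0.1.0
dependencies:
  - name: falco
    # Placeholder: pin to the exact upstream chart version you have tested.
    version: "x.y.z"
    repository: https://falcosecurity.github.io/charts
    # Toggle the subchart from the parent values (falco.enabled: false skips it).
    condition: falco.enabled

---
# values.yaml of the umbrella chart. Every key under "falco:" is passed to the
# subchart, so Falco's own settings are overridden from here rather than by
# editing the upstream chart. Keys below are assumed from the upstream chart.
falco:
  enabled: true
  driver:
    kind: ebpf          # use the eBPF probe instead of the kernel module
  falcosidekick:
    enabled: true       # Falcosidekick forwards Falco events to outputs such as Alertmanager
```

After adding the dependency, `helm dependency update` fetches the Falco chart into `charts/` so the whole bundle installs with one `helm install`.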