Falco in Kubernetes with Alertmanager notifications

tjtharrison
5 min read · Oct 21, 2023

If you’ve been following my articles, I have recently set up a homelab of 3 Kubernetes nodes while training for my CKA/CKS certifications (Setting up homelab 3.0, Installing a bare-metal Kubernetes cluster with Ansible).

Now that my cluster is running, I have been focusing on the security side of operating a Kubernetes cluster and have been using a tool called Falco.

Falco is a runtime security tool for Linux systems: it watches kernel activity against a rule set and raises an alert whenever a process does something the rules consider suspicious. It integrates well with Kubernetes and has a very simple setup process.

We are going to extend the default Falco installation so that alerts for suspicious activity within the cluster are sent to Alertmanager, where they can be routed to the appropriate receiver.

Prerequisites

  • Kubernetes Cluster
  • Helm client installed
  • An Alertmanager instance to handle the notifications

Preparing the Falco chart

When I use third-party charts, I like to install them as a dependency of a chart in a repository that I maintain. This lets me bundle the resources I manage myself (and any other third-party Helm charts) into the same Helm release on the cluster.
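As an added example (not from the original article), here is what the Chart.yaml of such an umbrella chart looks like with Falco declared as a dependency. The chart name `homelab-security`, its version numbers and the Falco chart version constraint are assumptions; the repository URL is the falcosecurity Helm chart repository.

```yaml
# Chart.yaml for a hypothetical umbrella chart that pulls Falco in as a dependency.
# Added example; the chart name and all version numbers are assumptions.
apiVersion: v2
name: homelab-security          # assumed name of the chart I maintain
description: Security stack for the homelab cluster (Falco plus my own resources)
type: application
version: 0.1.0                  # assumed version of this umbrella chart
appVersion: "0.1.0"             # assumed
dependencies:
  - name: falco
    version: "~3.8.0"           # assumed; pin to the falco chart version you have tested
    repository: https://falcosecurity.github.io/charts
    condition: falco.enabled    # allows --set falco.enabled=false to skip the subchart
```

Run `helm dependency update` in the chart directory to pull the Falco chart into `charts/` and write a `Chart.lock`; commit the lock file, since it records the exact resolved version and digest so that every install of the umbrella chart deploys the same Falco chart. Values for the dependency are set in the umbrella chart's own `values.yaml` under the `falco:` key, and the whole stack is then installed with a single `helm upgrade --install`.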
