Runtime threat detection can be an important component of a secure Kubernetes environment. Falco is a powerful tool for detecting anomalous activity as it occurs. In this lab, you will practice your skills with behavioral analysis in Kubernetes by checking for threats in a real cluster using Falco.
Successfully complete this lab by achieving the following learning objectives:
- Create a Falco Rules File Configured To Scan the Container
The container in question is running inside a Pod in the default namespace. The container is also called nginx. For this exercise, you can assume that the container name is unique in the cluster.
Create a Falco rules file at /home/cloud-user/nginx-rules.yml with a rule to report any newly spawned processes in this container.
The rule’s output should include the following:
- process name
- container id
- container name
- container image name
- Run Falco to Obtain a Report of the Activity and Save It to a File
Falco is already installed on the worker node. Using your rules file, run Falco for 45 seconds or so to obtain a report of the container’s activity.
Save the report to
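The following rules file is an added example of what the two objectives above ask for; it is not part of the original lab materials and is not a solution the lab provides. It writes the macro for process spawning inline (rather than relying on the spawned_process macro from Falco's default rule set) so the file works when Falco is started with only this file loaded. The rule name, description and priority are assumptions; the fields proc.name, container.id, container.name and container.image.repository are standard Falco output fields that cover the four items the lab requires.

```yaml
# Constructed example: /home/cloud-user/nginx-rules.yml
# Report every process that is exec'd inside the container named "nginx".

- macro: exec_in_container
  # execve/execveat exit events (evt.dir = <) that occur inside any container
  condition: evt.type in (execve, execveat) and evt.dir = < and container.id != host

- rule: Process Spawned In nginx Container
  desc: Report any newly spawned process in the container named nginx
  condition: exec_in_container and container.name = "nginx"
  output: >
    New process spawned in nginx container
    (proc=%proc.name cmdline=%proc.cmdline
     container_id=%container.id container_name=%container.name
     image=%container.image.repository)
  priority: NOTICE
  tags: [process, container]
```

To produce the report for the second objective, run Falco on the worker node with this file and a time limit, for example: sudo falco -r /home/cloud-user/nginx-rules.yml -M 45 > /home/cloud-user/REPORT_FILE (replace REPORT_FILE with the path the lab specifies). The -M flag stops collection after the given number of seconds, so the redirected output is a complete 45-second report; the proc.cmdline field is an extra beyond the four required items and can be dropped if you want the output to match the lab's list exactly.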