Abstracting the attack surface with Falco

Powered by R6 Security

By Zsolt NEMETH and Kornel DAVID | Thursday, September 15, 2022

Cloud computing has changed the way we work, and we have all seen the benefits it brings. We have access to more resources than ever before, whether those are virtualized instances or containers running on Kubernetes clusters.

But with these new tools comes the need for stronger security measures.

Here we look at how the Phoenix Operator can help Falco users add fully automated mitigation and build a dynamic infrastructure that is both fast and secure. By combining Falco with the Phoenix Kubernetes Operator, users can deploy faster while also reducing, or rather abstracting away, their attack surface.

As a first step you need a dynamic infrastructure. Dynamic infrastructure lets you rapidly spin up new instances and tear down old ones, so attackers have a harder time mapping your infrastructure in the first place. And even if they do find it, you can move the target and lock them out.

Phoenix - a sidecar for Falco

So we are introducing Phoenix for Falco, a sidecar to your existing Falco deployment. It is configured with a list of triggers (Falco findings, true positives and false positives alike) and, based on these, works with the Phoenix operator to reshape your attack surface by killing the affected pods and creating new ones from an immutable state, without disrupting the workload.

The main purpose of this sidecar is to create a loosely coupled, one-way link between Falco and the Phoenix operator: whenever a new Falco event occurs, the sidecar records it in the affected Pod's annotations, and the operator acts on that annotation.

Getting Started

You need Helm and Kustomize installed.

Installing the chart

The following commands install the latest version of the Falco Helm chart with a small twist: the installer uses Kustomize as a Helm post-renderer to add our sidecar to the installation. (Helm pipes the rendered manifests to the post-renderer's stdin and uses whatever it writes to stdout, which is how the sidecar container ends up in the Falco DaemonSet.)

# first add the falcosecurity chart repository to your local helm repo list and update it
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

# from the root directory of the falco-phoenix-sidecar repository
cd kustomize
helm install falco-phoenix falcosecurity/falco \
  -f values.yaml --post-renderer ./

Edit configuration

To edit the default configuration of the sidecar, head into the kustomize directory before installing.

Event list

By default, annotation is triggered only for the limited set of Falco rules listed in the config/falco-phoenix-sidecar.conf file. If you want to listen for other events, add or remove rule names there before you install the chart.

Annotation key

The key of the annotation added to the affected Pod has a default value (not shown on this page). It can be changed by modifying the ANNOTATION_KEY environment variable's value in patches/daemonset.json.

Maximum number of events stored in the Pod's annotations list

By default, at most 5 events are stored in the affected Pod's annotation list. When the limit is reached, the event with the earliest timestamp is dropped. The limit can be changed by modifying the MAXIMUM_NUMBER_OF_EVENTS environment variable's value in patches/daemonset.json.
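The three settings above (the rule list, the annotation key and the event cap) together define what the sidecar writes. The following script is an added example, not the falco-phoenix-sidecar's own code: it models that step offline by reading Falco JSON-output lines, filtering them against a rule list, and building the JSON merge patch that a real sidecar would send to the Kubernetes API for the affected Pod. The annotation key string, the second rule name, the sample events and the helper names (parse_falco_event, merge_events, build_patch, process_stream) are all assumptions made for the example.

```python
"""Toy model of the sidecar's annotation step (added example, not the
falco-phoenix-sidecar's own code). It reads Falco's JSON-line output
(json_output: true), keeps only the rules from the event list, and builds the
JSON merge patch for the affected Pod's annotations. No API call is made, so
it runs offline; a real sidecar would PATCH the Pod with this body and needs
RBAC `patch` permission on pods to do so."""
import json
import os

# Env vars as set in patches/daemonset.json. The key string is an assumption;
# the page does not show the real default.
ANNOTATION_KEY = os.environ.get("ANNOTATION_KEY", "phoenix.example.com/falco-events")
MAX_EVENTS = int(os.environ.get("MAXIMUM_NUMBER_OF_EVENTS", "5"))

# Stand-in for config/falco-phoenix-sidecar.conf; only the first rule is named
# on the page, the second is an assumed addition.
WATCHED_RULES = {"Read sensitive file untrusted", "Terminal shell in container"}


def parse_falco_event(line):
    """Return (namespace, pod, record) for a watched event, else None.

    None covers malformed lines, unwatched rules, and events without
    Kubernetes pod metadata (a host-level finding has no Pod to annotate).
    """
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if ev.get("rule") not in WATCHED_RULES:
        return None
    fields = ev.get("output_fields") or {}
    ns, pod = fields.get("k8s.ns.name"), fields.get("k8s.pod.name")
    if not ns or not pod:
        return None
    return ns, pod, {"rule": ev["rule"], "priority": ev.get("priority"), "time": ev["time"]}


def merge_events(existing, new, limit=MAX_EVENTS):
    """Append `new` and keep the `limit` most recent; earliest timestamps go.

    Falco emits `time` as ISO 8601 in UTC, so string order is chronological.
    """
    return sorted(existing + [new], key=lambda e: e["time"])[-limit:]


def build_patch(current_annotations, record):
    """JSON merge patch body for the Pod. Annotation values must be strings,
    so the event list is stored JSON-encoded."""
    existing = json.loads(current_annotations.get(ANNOTATION_KEY, "[]"))
    updated = merge_events(existing, record)
    return {"metadata": {"annotations": {ANNOTATION_KEY: json.dumps(updated)}}}


def process_stream(lines, cluster):
    """Feed Falco lines through the pipeline against an in-memory `cluster`
    ({(ns, pod): annotations}) standing in for the API server. Returns the
    (ns, pod, patch) tuples that would have been sent."""
    sent = []
    for line in lines:
        parsed = parse_falco_event(line)
        if parsed is None:
            continue
        ns, pod, record = parsed
        annotations = cluster.setdefault((ns, pod), {})
        patch = build_patch(annotations, record)
        annotations.update(patch["metadata"]["annotations"])
        sent.append((ns, pod, patch))
    return sent


def falco_line(rule, pod, second, ns="default"):
    """Constructed Falco JSON-output line for the demo (not a real capture)."""
    return json.dumps({
        "output": f"{rule} (pod={pod} file=/etc/shadow)",
        "priority": "Warning",
        "rule": rule,
        "time": f"2022-09-15T10:00:{second:02d}.000000000+0000",
        "output_fields": {"k8s.ns.name": ns, "k8s.pod.name": pod, "fd.name": "/etc/shadow"},
    })


# Constructed stream: six hits on one pod (one over the default limit), an
# unwatched rule, a host-level event with no pod fields, and a garbage line.
SAMPLE_LINES = [falco_line("Read sensitive file untrusted", "example-pod", s) for s in range(6)]
SAMPLE_LINES += [
    falco_line("Write below etc", "example-pod", 7),
    json.dumps({"rule": "Read sensitive file untrusted", "priority": "Warning",
                "time": "2022-09-15T10:00:08.000000000+0000", "output_fields": {}}),
    "not json at all",
]


def demo():
    """Run the sample stream; return (patches sent, events left on the Pod)."""
    cluster = {}
    sent = process_stream(SAMPLE_LINES, cluster)
    return len(sent), json.loads(cluster[("default", "example-pod")][ANNOTATION_KEY])


if __name__ == "__main__":
    count, stored = demo()
    print(f"{count} patches sent; {len(stored)} events kept on example-pod:")
    for e in stored:
        print(" ", e["time"], e["rule"])
```

Running it sends six patches but leaves only five events on the Pod, with the 10:00:00 event evicted, while the unwatched rule, the host-level finding and the malformed line are ignored. Two practical points follow from the model: the sidecar's ServiceAccount needs patch rights on pods (and nothing more), and because annotations are strings with a 256 KiB total size limit, keeping the list bounded is what keeps repeated events from growing the Pod object without limit.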

Uninstalling the chart

helm uninstall falco-phoenix

Test functionality

To test the functionality you can trigger the Read sensitive file untrusted Falco event with kubectl exec -it <example-pod-name> -- cat /etc/shadow. The sidecar's log shows the event occurring and being added to the annotations of <example-pod-name>; you can confirm it by describing the Pod with kubectl and checking its annotations.

And we have a lot more to offer. Learn more about how we can help your work and make your life easier.


© 2021-2022 R6 Security Inc.
