By Zsolt NEMETH and Kornel DAVID | Thursday, September 15, 2022
The modern era of computing has ushered in an era of cloud computing, and we've all seen the benefits this has brought to our jobs. We've got access to more resources than ever before, whether those are virtualized instances or containers running on Kubernetes clusters.
But with these new tools comes the need for increased security measures.
Here we look at how the Phoenix Operator lets Falco users add fully automated mitigation and build a dynamic infrastructure that is both fast and secure. By using Falco together with the Phoenix Kubernetes Operator, users get faster deployments while also reducing, or more precisely abstracting away, their attack surface.
As a first step you need a dynamic infrastructure. A dynamic infrastructure lets you rapidly spin up new instances and tear down old ones, so attackers have a harder time locating your workloads in the first place; and even if they do find them, you can move the target and lock them out.
So we are introducing Phoenix for Falco, a sidecar to your existing Falco deployment. It is configured to react to chosen Falco triggers (findings, whether true positives or false positives) and, based on these, it reshapes your attack surface by killing the affected pods and creating new ones from an immutable state, without disrupting the workload.
The main purpose of this sidecar is to create an invisible connection between Falco and the Phoenix operator. The one-way flow of information is achieved by modifying the affected Pod's annotations whenever a new Falco event occurs.
Prerequisites: have Helm and Kustomize installed.
The following commands install the latest version of the Falco Helm chart, with one twist: the install uses Kustomize as a Helm post-renderer, which patches our sidecar into the rendered Falco manifests (the DaemonSet patch lives in patches/daemonset.json).
# first add falco to your local helm repo list and update it
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
# from the root directory of the falco-phoenix-sidecar repository
cd kustomize
helm install falco-phoenix falcosecurity/falco \
-f values.yaml --post-renderer ./kustomize-wrapper.sh
To edit the default configuration of the sidecar, head into the kustomize directory.
By default, the annotating process is triggered only for a limited set of Falco events, listed in the config/falco-phoenix-sidecar.conf file. If you want to listen for other events, add or delete events in that file before you install the chart.
By default, the key of the annotation added to the affected Pod is phoenix.r6security.com/falcoevent. It can be changed by editing the value of the ANNOTATION_KEY environment variable in patches/daemonset.json.
By default, the maximum number of events stored in the affected Pod's annotation list is 5. When the limit is reached, the event with the earliest timestamp is removed to make room for the new one. The limit can be changed by editing the value of the MAXIMUM_NUMBER_OF_EVENTS environment variable in patches/daemonset.json.
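To make the three behaviours above concrete (rule allow-list, annotation key, and the cap that evicts the earliest event), here is an added Python illustration written for this post. It is not the falco-phoenix-sidecar source: the allow-list is a constructed stand-in for config/falco-phoenix-sidecar.conf, the JSON-list format of the annotation value and the helper names (target_pod, build_patch, simulate) are assumptions, and the Falco events are constructed samples that carry only the fields the logic reads (Falco's JSON output really does expose rule, priority, time and output_fields such as k8s.pod.name).

```python
"""Added illustration of the documented sidecar behaviour: keep only
allow-listed Falco rules, annotate the affected Pod, and cap the stored
list at MAXIMUM_NUMBER_OF_EVENTS by dropping the earliest timestamp.
Not the sidecar's own code; the annotation value format is an assumption."""
import json
from typing import Optional

ANNOTATION_KEY = "phoenix.r6security.com/falcoevent"   # default from the post
MAXIMUM_NUMBER_OF_EVENTS = 5                           # default from the post

# Constructed allow-list standing in for config/falco-phoenix-sidecar.conf;
# the real file's syntax is not shown on the page.
WATCHED_RULES = {
    "Read sensitive file untrusted",
    "Terminal shell in container",
}


def target_pod(event: dict) -> Optional[tuple[str, str]]:
    """Return (namespace, pod) from Falco's output_fields, or None when the
    event did not originate from a Kubernetes workload (e.g. a host process)."""
    fields = event.get("output_fields") or {}
    ns, pod = fields.get("k8s.ns.name"), fields.get("k8s.pod.name")
    if not ns or not pod:
        return None
    return ns, pod


def is_watched(event: dict, watched=WATCHED_RULES) -> bool:
    """Only rules named in the allow-list trigger an annotation."""
    return event.get("rule") in watched


def update_annotation(existing: Optional[str], event: dict,
                      max_events: int = MAXIMUM_NUMBER_OF_EVENTS) -> str:
    """Merge one event into the JSON list stored in the annotation value.

    Falco's "time" is RFC 3339 UTC with fixed width, so the strings sort
    chronologically; when the cap is exceeded the earliest entries go."""
    records = json.loads(existing) if existing else []
    records.append({
        "time": event["time"],
        "rule": event["rule"],
        "priority": event["priority"],
    })
    records.sort(key=lambda r: r["time"])
    records = records[-max_events:]
    # compact separators keep the annotation value small
    return json.dumps(records, separators=(",", ":"))


def build_patch(pod_annotations: dict, event: dict) -> Optional[dict]:
    """Return the merge-patch body the sidecar would send for the Pod,
    or None if the rule is not on the allow-list (assumed patch shape)."""
    if not is_watched(event):
        return None
    value = update_annotation(pod_annotations.get(ANNOTATION_KEY), event)
    return {"metadata": {"annotations": {ANNOTATION_KEY: value}}}


def falco_event(time: str, rule: str, ns: str = "default",
                pod: str = "example-pod") -> dict:
    """Constructed Falco JSON-output event carrying only the fields used here."""
    return {
        "time": time, "rule": rule, "priority": "Warning",
        "output_fields": {"k8s.ns.name": ns, "k8s.pod.name": pod},
    }


def simulate(events: list[dict]) -> dict[str, list[dict]]:
    """Feed events through the filter and return each Pod's final event list,
    standing in for the annotations that would be patched onto the Pods."""
    annotations: dict[str, dict] = {}  # "ns/pod" -> that Pod's annotations
    for ev in events:
        target = target_pod(ev)
        if target is None:            # host-level event: nothing to annotate
            continue
        key = "/".join(target)
        pod_ann = annotations.setdefault(key, {})
        patch = build_patch(pod_ann, ev)
        if patch:
            pod_ann.update(patch["metadata"]["annotations"])
    return {k: json.loads(v.get(ANNOTATION_KEY, "[]"))
            for k, v in annotations.items()}


if __name__ == "__main__":
    # Constructed run: six watched events (one more than the cap), one event
    # for a rule that is not watched, and one host event without Pod fields.
    sample = [falco_event(f"2022-09-15T10:00:0{i}.000000000Z",
                          "Read sensitive file untrusted") for i in range(6)]
    sample.append(falco_event("2022-09-15T10:00:07.000000000Z", "Some other rule"))
    sample.append({"time": "2022-09-15T10:00:08.000000000Z",
                   "rule": "Read sensitive file untrusted",
                   "priority": "Warning", "output_fields": {}})
    print(json.dumps(simulate(sample), indent=2))
```

Running the block shows the Pod ending up with exactly five entries, the 10:00:00 event having been evicted; the unwatched rule never produces a patch, and the host event is skipped because it names no Pod.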
To remove the deployment again:
helm uninstall falco-phoenix
To test the functionality, you can easily trigger the "Read sensitive file untrusted" Falco event with kubectl exec -it <example-pod-name> -- cat /etc/shadow. In the sidecar's log you can watch the event occur and be added to <example-pod-name>'s annotations, and you can confirm the result by describing the Pod and checking its annotations.
We have a lot more to offer; learn more about how we can help your work and make your life easier at https://r6security.com/