Kubernetes response engine #389

Merged
merged 13 commits into from
Jul 12, 2018
18 changes: 18 additions & 0 deletions integrations/kubernetes-response-engine/README.md
@@ -0,0 +1,18 @@
# Kubernetes Response Engine for Sysdig Falco

A response engine for Falco that allows to process security events executing playbooks to respond to security threats.

## Architecture

* *[Falco](https://sysdig.com/opensource/falco/)* monitors containers and processes to alert on unexpected behavior. This is defined through the runtime policy built from multiple rules that define what the system should and shouldn't do.
* *falco-nats* forwards the alert to a message broker service into a topic compound by `falco.<severity>.<rule_name_slugified>`.
* *[NATS](https://nats.io/)*, our message broker, delivers the alert to any subscribers to the different topics.
* *[Kubeless](https://kubeless.io/)*, a FaaS framework that runs in Kubernetes, receives the security events and executes the configured playbooks.

## Glossary

* *Security event*: Alert sent by Falco when a configured rule matches the behaviour on that host.
* *Playbook*: Each piece code executed when an alert is received to respond to that threat in an automated way, some examples include:
- sending an alert to Slack
- stop the pod killing the container
- taint the specific node where the pod is running
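Review bot: The Glossary lists playbooks that stop a pod and taint a node, which means the Kubeless functions need write access to pods and nodes, yet the README says nothing about the ServiceAccount/RBAC those functions run with or about who may publish to the `falco.<severity>.<rule_name_slugified>` NATS subjects; any client that can publish to such a subject can trigger a playbook, so document the intended trust boundary (the `network-policy.yaml` applied in deployment/Makefile is presumably part of it) and scope each playbook's permissions to the minimum it needs. Minor wording: "allows to process" should read "allows processing", "Each piece code" should read "Each piece of code", and the three list items should use one form ("send an alert to Slack", "stop the pod by killing the container", "taint the node where the pod is running").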
9 changes: 9 additions & 0 deletions integrations/kubernetes-response-engine/deployment/Makefile
@@ -0,0 +1,9 @@
deploy:
kubectl apply -f nats/
kubectl apply -f kubeless/
kubectl apply -f network-policy.yaml

clean:
kubectl delete -f kubeless/
kubectl delete -f nats/
kubectl delete -f network-policy.yaml
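Review bot: `deploy` applies `network-policy.yaml` last, so NATS and Kubeless come up with no policy in place during the window between the first two `kubectl apply` calls and the third; apply the policy first (`kubectl apply -f network-policy.yaml` before `nats/` and `kubeless/`) so the restriction exists before the workloads are reachable (`clean` already deletes it last, which is the right mirror). Also declare `.PHONY: deploy clean`, otherwise a file named `deploy` or `clean` in this directory would make `make` report the target as up to date and skip the recipe, and confirm the recipe lines are tab-indented, since the rendered diff does not show the indentation.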
20 changes: 20 additions & 0 deletions integrations/kubernetes-response-engine/deployment/README.md
@@ -0,0 +1,20 @@
# Kubernetes Manifests for Kubernetes Response Engine

In this directory are the manifests for creating required infrastructure in the
Kubernetes cluster

## Deploy

For deploying NATS, Falco + Falco-NATS output and Kubeless just run default Makefile target:

```
make
```

## Clean

You can clean your cluster with:

```
make clean
```
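Review bot: The Deploy section says `make` deploys "NATS, Falco + Falco-NATS output and Kubeless", but the default target in deployment/Makefile only applies `nats/`, `kubeless/` and `network-policy.yaml`; either add the Falco and falco-nats manifests to the `deploy` target or reword this README to say Falco and its NATS output must be deployed separately, so the documented and actual deployment match. Also the first sentence is missing its full stop after "Kubernetes cluster", and the two code fences could be tagged `sh` for consistency with the rest of the repository.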
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: kubeless