Installing Falco on Kubernetes

Falco can be installed in various ways: directly on Linux hosts, as a DaemonSet on Kubernetes, or by using Helm. This recipe will show you how to install Falco as a DaemonSet.

Let's perform the following steps to get Falco deployed on our cluster:

  1. Clone the Falco repository into your current working directory:
     $ git clone https://github.com/falcosecurity/falco.git
     $ cd falco/integrations/k8s-using-daemonset/k8s-with-rbac
  2. Create a Service Account for Falco. The following command will also create the ClusterRole and ClusterRoleBinding for it:
     $ kubectl create -f falco-account.yaml
  3. Create a service using the following command from the cloned repository location:
     $ kubectl create -f falco-service.yaml
  4. Create a config directory and copy the deployment configuration file and rule files into it. We will need to edit these later:
     $ mkdir config
     $ cp ../../../falco.yaml config/
     $ cp ../../../rules/falco_rules.* config/
     $ cp ../../../rules/k8s_audit_rules.yaml config/
  5. Create a ConfigMap using the config files in the config/ directory. Later, the DaemonSet will make the configuration available to Falco pods using the ConfigMap:
     $ kubectl create configmap falco-config --from-file=config
  6. Finally, deploy Falco using the following command:
     $ kubectl create -f falco-daemonset-configmap.yaml
  7. Verify that the DaemonSet pods have been successfully created. You should see one pod per schedulable worker node on the cluster. In our example, we used a Kubernetes cluster with four worker nodes:
     $ kubectl get pods | grep falco-daemonset
     falco-daemonset-94p8w 1/1 Running 0 2m34s
     falco-daemonset-c49v5 1/1 Running 0 2m34s
     falco-daemonset-htrxw 1/1 Running 0 2m34s
     falco-daemonset-kwms5 1/1 Running 0 2m34s

With that, Falco has been deployed and has started monitoring runtime behavior to detect anomalous activity in the applications running on our nodes.
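The pod listing in the final step shows that the pods exist, but not which node each one covers. The script below is an added example (not part of the Falco repository or this recipe) that lists every expected node without a ready Falco pod, since such a node is unmonitored. The function names, input file layout, and sample node names are assumptions; the `falco-daemonset-` prefix is taken from the output above.

```shell
#!/bin/sh
# Added example: find nodes that have no healthy Falco pod.
#
# Inputs are plain text files, so the check also works on saved output:
#   nodes file: one expected node name per line, e.g. from
#     kubectl get nodes --no-headers -o custom-columns=NAME:.metadata.name
#   pods file: "NAME NODE PHASE READY" per line, e.g. from
#     kubectl get pods --no-headers -o custom-columns=NAME:.metadata.name,\
#       NODE:.spec.nodeName,PHASE:.status.phase,READY:.status.containerStatuses[*].ready

falco_uncovered_nodes() {
    nodes_file=$1
    pods_file=$2
    awk '
        # Pods file: remember nodes that host a Running Falco pod whose
        # containers all report ready (READY holds only "true" values).
        FILENAME == ARGV[1] {
            if ($1 ~ /^falco-daemonset-/ && $3 == "Running" &&
                $4 ~ /true/ && $4 !~ /false/)
                covered[$2] = 1
            next
        }
        # Nodes file: print every node that is not covered.
        NF > 0 && !($1 in covered) { print $1 }
    ' "$pods_file" "$nodes_file"
}

# Constructed sample: four nodes; the Falco pod on node-3 is not ready and
# node-4 only runs an unrelated pod.
falco_demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' node-1 node-2 node-3 node-4 > "$tmp/nodes"
    cat > "$tmp/pods" <<'EOF'
falco-daemonset-94p8w node-1 Running true
falco-daemonset-c49v5 node-2 Running true
falco-daemonset-htrxw node-3 Running false
web-7d4b9 node-4 Running true
EOF
    falco_uncovered_nodes "$tmp/nodes" "$tmp/pods"
    rm -rf "$tmp"
}

falco_demo
```

An empty result means every node in the nodes file has a ready Falco pod; any name printed is a node to investigate before relying on Falco alerts from it.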