Giant Swarm offers a Falco app that can be installed in workload clusters. This page describes the falco chart with its templates and default configuration.
Falco is a host-based intrusion detection system: it captures Linux syscalls (through a kernel module or an eBPF probe) and checks them against a set of rules. Activity that matches a rule triggers a Falco event, which can be used to alert responders or to drive automated remediation.
There are two ways to install this app on a workload cluster:
- Using our web interface
- By creating an App resource in the management cluster as explained in Getting started with App Platform.
Note: there are known compatibility issues between the Falco kernel module and Flatcar kernel version 5.10.77-flatcar and later. On such nodes the eBPF driver must be used instead (see the sample user-values-configmap.yaml below).
This is an example of a values file you could upload using our web interface.
```yaml
# values.yaml
global:
  registry: quay.io
falco:
  podSecurityPolicy:
    create: true
  # Values under falco.falco are passed to the upstream Falco chart.
  falco:
    grpc:
      enabled: true
    grpcOutput:
      enabled: true
  # Additional rule files, keyed by file name.
  customRules:
    {}
    # Example:
    #
    # rules-traefik.yaml: |-
    #   [ rule body ]
falco-exporter:
  podSecurityPolicy:
    create: true
falcosidekick:
  # no overrides in this example
```
For the full list of configurable values, see the following pages:
- Falco Configuration
- Falco Exporter Configuration
- Falco sidekick Configuration
If you have access to the Kubernetes API on the management cluster, you can create the App CR and the user values ConfigMap directly. Additional configuration can be provided either through that ConfigMap or through the web interface.
```yaml
# user-values-configmap.yaml
# To use the eBPF driver instead of the Falco kernel module:
falco:
  ebpf:
    # Use a YAML boolean. A quoted "true" also works, but a quoted "false" would
    # still enable the driver, because any non-empty string is truthy in Helm templates.
    enabled: true
```
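The following is an added example, not from the original page or the Giant Swarm falco-app repository, showing the complete pair of objects described above: a user values ConfigMap that enables the eBPF driver and ships one custom rule under `customRules` (the `rules-traefik.yaml` placeholder in the values file above), plus the App CR that references it. The namespace `abc12`, the ConfigMap name `falco-user-values`, the catalog `giantswarm` and the version `0.3.0` are assumptions; replace them with the values for your own cluster and the app version you intend to install.

```yaml
# falco-app.yaml (added example; not part of the original page)
# Assumed: the workload cluster's namespace on the management cluster is "abc12",
# the app comes from the "giantswarm" catalog, and "0.3.0" stands in for the
# Falco app version you are installing.
apiVersion: v1
kind: ConfigMap
metadata:
  name: falco-user-values
  namespace: abc12
data:
  # The user values are a plain values.yaml document under the "values" key.
  values: |
    falco:
      # eBPF driver instead of the kernel module (required on Flatcar kernel 5.10.77+).
      ebpf:
        enabled: true
      falco:
        grpc:
          enabled: true
        grpcOutput:
          enabled: true
      # Each key under customRules becomes an extra rule file loaded next to the defaults.
      customRules:
        rules-custom.yaml: |-
          # Constructed sample rule: flag an interactive shell started inside a container.
          - rule: Shell spawned in container
            desc: A shell was started inside a container; expected only during debugging
            condition: >
              evt.type = execve and evt.dir = < and
              container.id != host and
              proc.name in (bash, sh, dash, zsh)
            output: >
              Shell in container (user=%user.name container=%container.name
              image=%container.image.repository cmd=%proc.cmdline)
            priority: WARNING
            tags: [container, shell]
---
apiVersion: application.giantswarm.io/v1alpha1
kind: App
metadata:
  name: falco
  namespace: abc12
spec:
  catalog: giantswarm
  name: falco
  # Namespace in the workload cluster where the chart is installed.
  namespace: falco
  version: 0.3.0
  kubeConfig:
    # false: install into the workload cluster, not the management cluster.
    inCluster: false
  userConfig:
    configMap:
      name: falco-user-values
      namespace: abc12
```

Apply both objects with `kubectl apply -f falco-app.yaml` against the management cluster; the ConfigMap must exist in the same namespace as the App CR, and the remaining `kubeConfig` settings follow the App Platform getting-started page linked above.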
See our full reference page on how to configure applications for more details.