-
Notifications
You must be signed in to change notification settings - Fork 912
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #389 from nestorsalceda/kubernetes-response-engine
Add Kubernetes response engine
- Loading branch information
Showing
33 changed files
with
1,947 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| # Kubernetes Response Engine for Sysdig Falco | ||
|
|
||
| A response engine for Falco that allows to process security events executing playbooks to respond to security threats. | ||
|
|
||
| ## Architecture | ||
|
|
||
| * *[Falco](https://sysdig.com/opensource/falco/)* monitors containers and processes to alert on unexpected behavior. This is defined through the runtime policy built from multiple rules that define what the system should and shouldn't do. | ||
| * *falco-nats* forwards the alert to a message broker service into a topic compound by `falco.<severity>.<rule_name_slugified>`. | ||
| * *[NATS](https://nats.io/)*, our message broker, delivers the alert to any subscribers to the different topics. | ||
| * *[Kubeless](https://kubeless.io/)*, a FaaS framework that runs in Kubernetes, receives the security events and executes the configured playbooks. | ||
|
|
||
| ## Glossary | ||
|
|
||
| * *Security event*: Alert sent by Falco when a configured rule matches the behaviour on that host. | ||
| * *Playbook*: Each piece code executed when an alert is received to respond to that threat in an automated way, some examples include: | ||
| - sending an alert to Slack | ||
| - stop the pod killing the container | ||
| - taint the specific node where the pod is running |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| deploy: | ||
| kubectl apply -f nats/ | ||
| kubectl apply -f kubeless/ | ||
| kubectl apply -f network-policy.yaml | ||
|
|
||
| clean: | ||
| kubectl delete -f kubeless/ | ||
| kubectl delete -f nats/ | ||
| kubectl delete -f network-policy.yaml |
20 changes: 20 additions & 0 deletions
20
integrations/kubernetes-response-engine/deployment/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # Kubernetes Manifests for Kubernetes Response Engine | ||
|
|
||
| In this directory are the manifests for creating required infrastructure in the | ||
| Kubernetes cluster | ||
|
|
||
| ## Deploy | ||
|
|
||
| For deploying NATS, Falco + Falco-NATS output and Kubeless just run default Makefile target: | ||
|
|
||
| ``` | ||
| make | ||
| ``` | ||
|
|
||
| ## Clean | ||
|
|
||
| You can clean your cluster with: | ||
|
|
||
| ``` | ||
| make clean | ||
| ``` |
5 changes: 5 additions & 0 deletions
5
integrations/kubernetes-response-engine/deployment/kubeless/kubeless-namespace.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| apiVersion: v1 | ||
| kind: Namespace | ||
| metadata: | ||
| name: kubeless |
Oops, something went wrong.