Kubernetes Response Engine, Part 2: Falcosidekick + OpenFaaS
This blog post is part of a series of articles about how to create a Kubernetes response engine with Falco, Falcosidekick and a FaaS. See other posts:
- Kubernetes Response Engine, Part 1 : Falcosidekick + Kubeless
- Kubernetes Response Engine, Part 3 : Falcosidekick + Knative
- Kubernetes Response Engine, Part 4 : Falcosidekick + Tekton
- Kubernetes Response Engine, Part 5 : Falcosidekick + Argo
- Kubernetes Response Engine, Part 6 : Falcosidekick + Cloud Run
- Kubernetes Response Engine, Part 7: Falcosidekick + Cloud Functions
We recently talked about a concept called "Kubernetes Response Engine", and we achieved this by using Falco + Falcosidekick + Kubeless. But as you might guess, the Falcosidekick project is evolving day after day, which means new outputs are added. With the release 2.22.0, we are proud to support OpenFaaS as a new output for Falcosidekick. This allows us to achieve the same concept, "Kubernetes Response Engine", but this time by using "OpenFaaS" instead of "Kubeless".
In this blog post, we will explain the basic concepts for integrating your own Response Engine into K8S with the stack Falco + Falcosidekick + OpenFaaS.
Prerequisites
We need tools with the following minimum versions to achieve this demo:
- Minikube v1.19.0
- Helm v3.5.3
- kubectl v1.21.0
- arkade v0.7.13
- faas-cli v0.13.9
Provision local Kubernetes Cluster
There are various ways to provision a local Kubernetes cluster, such as KinD, k3s, k0s, Minikube, etc. We are going to use Minikube in this walkthrough.
Let's provision a local Kubernetes cluster:
Install OpenFaaS
OpenFaaS can be deployed into a variety of container orchestrators like Kubernetes, OpenShift, Docker Swarm or into a single host with faasd.
Follow the official documentation for deploying OpenFaaS to Kubernetes.
The fastest option is to deploy OpenFaaS with the tool called arkade:
Check if everything is working before moving onto the next step:
Now, it is time to deploy our function. The function we are going to deploy receives events about an infected pod from Falcosidekick and deletes that pod immediately. Before deploying the function, we need permission to delete Pods. We create a ServiceAccount with the right to delete a Pod in any namespace, and we'll associate it with our function:
Now, we are ready to deploy our falco-pod-delete function. Log in to the OpenFaaS Gateway first:
Install Falco + Falcosidekick
Firstly, we'll create the namespace that will host both Falco and Falcosidekick:
We add the helm repo:
In a real project, you should get the whole chart with helm pull falcosecurity/falco --untar and then configure the values.yaml. For this tutorial, we will try to keep things as easy as possible and set configs directly by passing arguments to the helm install command line:
You should get this output:
And you can see your new Falco and Falcosidekick pods:
The argument falcosidekick.enabled=true sets the following settings in Falco for you:
The arguments --set falco.jsonOutput=true --set falco.httpOutput.enabled=true --set falco.httpOutput.url=http://falco-falcosidekick:2801 are there to configure the format of events and the URL where Falco will send them. As Falco and Falcosidekick will be in the same namespace, Falco can directly use the name of the service (falco-falcosidekick) in front of the Falcosidekick pods.
We check the logs:
OpenFaaS is displayed as an enabled output, everything is good 👍.
Install our OpenFaaS function
Our really basic function will receive events from Falco thanks to Falcosidekick, check if the triggered rule is *Terminal Shell in container*, extract the namespace and pod name from the fields of the event, and delete the corresponding pod:
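The decision logic described above, as an added example that is not the post's original handler.go. It uses only the Go standard library; the del callback is a hypothetical stand-in for the Kubernetes client call that deletes the pod, and the event in main is a constructed sample using Falco's JSON keys rule and output_fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Decide returns the pod to delete, or ok=false when the event is ignored.
func Decide(body []byte) (ns, pod string, ok bool) {
	var ev struct { // only the parts of the Falco JSON alert used here
		Rule   string                 `json:"rule"`
		Fields map[string]interface{} `json:"output_fields"`
	}
	// EqualFold: tolerate casing differences in how the rule name is written.
	if json.Unmarshal(body, &ev) != nil || !strings.EqualFold(ev.Rule, "Terminal shell in container") {
		return "", "", false
	}
	// Host-level events carry null or no Kubernetes fields: never delete on a guess.
	ns, _ = ev.Fields["k8s.ns.name"].(string)
	pod, _ = ev.Fields["k8s.pod.name"].(string)
	return ns, pod, ns != "" && pod != ""
}

// Handler is the HTTP entry point; del is a hypothetical seam for the Kubernetes delete call.
func Handler(del func(ns, pod string) error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap untrusted input
		ns, pod, ok := Decide(body)
		switch {
		case err != nil || !ok:
			w.WriteHeader(http.StatusNoContent) // ignored, nothing deleted
		case del(ns, pod) != nil:
			http.Error(w, "delete failed", http.StatusInternalServerError)
		default:
			fmt.Fprintf(w, "deleted %s/%s\n", ns, pod)
		}
	}
}

func main() { // constructed sample event, not captured from a cluster
	ev := `{"rule":"Terminal shell in container","output_fields":{"k8s.ns.name":"default","k8s.pod.name":"alpine"}}`
	rec := httptest.NewRecorder()
	Handler(func(ns, pod string) error { return nil })(rec, httptest.NewRequest("POST", "/", strings.NewReader(ev)))
	fmt.Print(rec.Code, " ", rec.Body.String())
}
```

Keeping the decision in a pure function lets the rule match and the null-field case be tested without a cluster, which matters for a function that holds delete rights in every namespace.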
Basically, the process is:
Let's create the function and deploy it:
$ faas-cli template store pull golang-middleware
Fetch templates from repository: https://github.com/openfaas/golang-http-template at
2021/04/10 21:56:34 Attempting to expand templates from https://github.com/openfaas/golang-http-template
2021/04/10 21:56:35 Fetched 2 template(s) : [golang-http golang-middleware] from https://github.com/openfaas/golang-http-template
$ tree -L 2 .
.
└── template
    ├── golang-http
    └── golang-middleware
# Don't forget to set your docker id in the prefix section, mine is devopps.
$ faas-cli new falco-pod-delete --lang golang-middleware --prefix devopps
faas-cli new falco-pod-delete --lang golang-middleware --prefix devopps
Folder: falco-pod-delete created.
  ___                   _____           ____
 / _ \ _ __   ___ _ __ |  ___|_ _  __ _/ ___|
| | | | '_ \ / _ \ '_ \| |_ / _` |/ _` \___ \
| |_| | |_) |  __/ | | |  _| (_| | (_| |___) |
 \___/| .__/ \___|_| |_|_|  \__,_|\__,_|____/
      |_|
Function created in folder: falco-pod-delete
Stack file written: falco-pod-delete.yml
Notes:
You have created a new function which uses Golang 1.13.
To include third-party dependencies, use Go modules and use
"--build-arg GO111MODULE=on" with faas-cli build or configure this
via your stack.yml file.
See more: https://docs.openfaas.com/cli/templates/
For detailed examples:
https://github.com/openfaas-incubator/golang-http-template
$ tree -L 2 .
.
├── falco-pod-delete
│   └── handler.go
├── falco-pod-delete.yml
└── template
    ├── golang-http
    └── golang-middleware
First, replace the falco-pod-delete.yml with the following content:
Once you have edited it, let's continue with the code. Create a go.mod:
$ cd falco-pod-delete
$ go mod init falco-pod-delete
go: creating new go.mod: module falco-pod-delete
go: to add module requirements and sums:
go mod tidy
Then, replace the handler.go with the following content:
After that, update your Go Modules by doing go mod tidy:
Now, you should be able to build, push and deploy your function with faas-cli:
Check if everything is working before moving to the next step:
Test our function
We start by creating a dumb pod:
Let's run a shell command inside and see what happens:
As expected we got the result of our command, but, if we get the status of the pod we retrieve:
💥 It has been terminated 💥
We can now check the logs of components.
For Falco:
For Falcosidekick:
For the falco-pod-delete function:
Conclusion
With this really simple example, we only scratched the surface of possibilities, so don't hesitate to share with us on Slack (https://kubernetes.slack.com #falco) your comments, ideas and successes. You're also always welcome to contribute.