[Diagram: attack examples by layer] OS; K8s: Create Privileged Pod (kubectl apply -f dep.yml with privileged: true in the spec); Cloud: Login without MFA (login status); Application: Log4Shell (Java process sends an LDAP download request and receives a class file).
… runtime environment
• Reduces execution of trusted, privileged code
• Don't want to expose the system to the risk of any single bug
CNCF – Container Runtime

… for containers, written in Go.
• Reduces the host attack surface:
  – Calls to the host OS (syscalls) are controlled by the Sentry
  – No syscalls are "passed through".
… API resource that defines the configuration of the container runtime.
  – It allows users to select one of a supported list of container runtimes in the cluster.
[Diagram: Control Plane; a kubelet node using runc to run pods (Native Runtime); a kubelet node using a Sandboxed Runtime to run pods]
A shell has been spawned in a container.

  condition: >
    spawned_process and container and shell_procs
  output: >
    A shell was spawned in a container (user=%user.name user_loginuid=%user.loginuid
    %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
    container_id=%container.id)

- list: shell_binaries
  items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]

- macro: shell_procs
  condition: proc.name in (shell_binaries)

- macro: container
  condition: (container.id != host)

- macro: spawned_process
  condition: >
    evt.type in (execve, execveat) and evt.dir=<
K8s Audit Rule Example (K8s audit rules)

… to start a pod with a privileged container

  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true)
  exceptions:
    - name: image_repos
      fields: ka.req.pod.containers.image.repository
      comps: in
      values: [falco_privileged_images]
  output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
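The audit-rule logic above, re-implemented as an added example (not Falco's code or the slide author's) so it can be run over constructed Kubernetes audit log lines: the `kevt`, `kcreate` and `pod` macros are expanded to their stage/verb/resource checks, and the `image_repos` exception is applied with an assumed allowlist standing in for `falco_privileged_images`; the reading that Falco's `in` on a list-valued field requires every value to match is also an assumption.

```python
import json

# Constructed allowlist standing in for Falco's falco_privileged_images list
# (assumption: the real list ships with Falco's rule files and is longer).
PRIVILEGED_IMAGE_REPOS = {"docker.io/falcosecurity/falco"}

def image_repository(image):
    """registry/repository of an image reference, without tag or digest."""
    path, _, last = image.split("@", 1)[0].rpartition("/")
    return f"{path}/{last.split(':', 1)[0]}" if path else last.split(":", 1)[0]

def privileged_pod_alert(event):
    """Apply the rule to one audit event (dict): kevt (stage ResponseComplete),
    kcreate (verb create), pod (resource pods), privileged intersects (true),
    minus the image_repos exception. Returns the output string or None."""
    target = event.get("objectRef", {})
    if (event.get("stage") != "ResponseComplete" or event.get("verb") != "create"
            or target.get("resource") != "pods"):
        return None
    containers = event.get("requestObject", {}).get("spec", {}).get("containers", [])
    if not any(c.get("securityContext", {}).get("privileged") is True for c in containers):
        return None
    images = [c.get("image", "") for c in containers]
    # Exception: suppress when every image repository is on the allowlist
    # (assumption: Falco's `in` on a list-valued field means all values match).
    if images and all(image_repository(i) in PRIVILEGED_IMAGE_REPOS for i in images):
        return None
    return (f"Pod started with privileged container (user={event.get('user', {}).get('username')} "
            f"pod={event.get('responseObject', {}).get('metadata', {}).get('name')} "
            f"ns={target.get('namespace')} images={images})")

def scan_audit_log(text):
    """Run the rule over JSON-lines audit log text, returning the alerts."""
    return [a for a in map(privileged_pod_alert, map(json.loads, text.splitlines())) if a]

def _event(user, ns, pod, containers):
    return {"stage": "ResponseComplete", "verb": "create", "user": {"username": user},
            "objectRef": {"resource": "pods", "namespace": ns},
            "requestObject": {"spec": {"containers": containers}},
            "responseObject": {"metadata": {"name": pod}}}

# Constructed audit log: a privileged nginx pod (alert), an allowlisted Falco
# pod (suppressed by the exception) and an unprivileged pod (no match).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("alice", "default", "web-1",
           [{"image": "nginx:1.25", "securityContext": {"privileged": True}}]),
    _event("falco-sa", "falco", "falco-x", [{"image": "docker.io/falcosecurity/falco:0.36.0",
                                             "securityContext": {"privileged": True}}]),
    _event("bob", "default", "web-2", [{"image": "nginx:1.25"}]),
])
```

Calling `scan_audit_log(SAMPLE_AUDIT_LOG)` yields exactly one alert, for alice's `web-1` pod.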