falco - errors (falco-报错)
Original, about 3 minutes
Deployment
# helm -n falco install falco ./falco-3.8.7-change.tgz --set falco.jsonOutput=true --set falco.json_output=true --set falco.http_output.enabled=true --set falco.http_output.url=http://falco-falcosidekick:2801/ --set falcosidekick.enabled=true --set falcoctl.artifact.install.enabled=false --set falcoctl.artifact.follow.enabled=false
NAME: falco
LAST DEPLOYED: Tue Jul 2 10:34:36 2024
NAMESPACE: falco
STATUS: deployed
REVISION: 1
NOTES:
Falco agents are spinning up on each node in your cluster. After a few
seconds, they are going to start monitoring your containers looking for
security issues.
No further action should be required.

Same install against the newer 4.5.2 chart, with the kernel-module driver selected explicitly:

# helm -n falco install falco ./falco-4.5.2-change.tgz --set falco.jsonOutput=true --set falco.json_output=true --set falco.http_output.enabled=true --set falco.http_output.url=http://falco-falcosidekick:2801/ --set driver.kind=kmod --set falcosidekick.enabled=true --set falcoctl.artifact.install.enabled=false --set falcoctl.artifact.follow.enabled=false

# kubectl -n falco get pod
NAME                                   READY   STATUS                 RESTARTS   AGE
falco-58mk9                            0/1     CreateContainerError   0          43s
falco-falcosidekick-85c7f8577c-2p5xh   1/1     Running                0          43s
falco-hk462                            0/1     CreateContainerError   0          43s
falco-phm9z                            0/1     CreateContainerError   0          43s
falco-rg4kg                            0/1     CreateContainerError   0          43s

https://developer.aliyun.com/article/1113086
# kubectl -n falco describe pod falco-fwcjm
Events:
  Type     Reason   Age   From     Message
  ----     ------   ---   ----     -------
  Normal   Pulling  82m   kubelet  Pulling image "easzlab.io.local:5000/falcosecurity/falco-no-driver:0.36.2"
  Normal   Pulled   82m   kubelet  Successfully pulled image "easzlab.io.local:5000/falcosecurity/falco-no-driver:0.36.2" in 12.987600628s (12.987614033s including waiting)
  Warning  Failed   82m   kubelet  Error: failed to generate container "442b9131943e1145aa83e103ce5eeead0c1f206839e9524eb3f7215a95c0c873" spec: failed to generate spec: failed to mkdir "/sys/module/falco": mkdir /sys/module/falco: operation not permitted
  Warning  Failed   82m   kubelet  Error: failed to generate container "166bbad093873361a609348c1778d23fd68340b43d146010cca5a5060c43c910" spec: failed to generate spec: failed to mkdir "/sys/module/falco": mkdir /sys/module/falco: operation not permitted

Why this happens: with the kernel-module driver the chart declares a hostPath volume for /sys/module/falco, and the container runtime tries to create that directory on the node while generating the container spec. /sys is sysfs, so the mkdir is refused; the directory only exists once the falco kernel module has actually been loaded on that node. Nothing in this deployment loads it: falcoctl.artifact.install is disabled and the image is falco-no-driver, which ships without the driver-loader tooling, so the module has to be built and loaded on every node before the pods start (or a driver that does not need the module, such as the modern eBPF driver, selected where the kernel supports it). Adding privileged: true to the container, as in the DaemonSet edit below, does not change this, because the failure happens in the runtime before any process in the container runs.

# kubectl -n falco edit daemonsets.apps falco
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: falco
  namespace: falco
spec:
  revisionHistoryLimit: 10
  template:
    name: falco
    spec:
      containers:
      - image: easzlab.io.local:5000/falcosecurity/falco-no-driver:0.36.2
        imagePullPolicy: IfNotPresent
        securityContext:
          capabilities:
            add:
            - BPF
            - SYS_RESOURCE
            - PERFMON
            - SYS_PTRACE
          privileged: true
          procMount: Default
          runAsUser: 0

https://github.com/falcosecurity/falco/pull/2238
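The mkdir failure above and the "error opening device /host/dev/falco0" in the Falco log further down both come down to the node not having the falco module loaded. The following check is an added example, not code from the original post or from the Falco project: run on a node, it reports whether the module is loaded, whether the capture device exists, and whether kernel headers for the running kernel are present so the module can be built at all. The directory roots and the kernel version are optional parameters; that is an assumption made so the check can be exercised against a constructed tree, and with no arguments it inspects the real host.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Falco project:
# a node-side preflight for the kmod driver. It covers the three things the
# failures on this page hinge on: the falco kernel module being loaded
# (/sys/module/falco must exist before the runtime can bind-mount it), the
# capture device /dev/falco0, and kernel headers matching the running kernel.
# The roots and the kernel version are parameters (an assumption made for
# testability); with no arguments the real host is inspected.

falco_kmod_check() {
    sys_root=${1:-/sys}
    dev_root=${2:-/dev}
    mod_root=${3:-/lib/modules}
    kver=${4:-$(uname -r)}
    rc=0

    # 1. Is the module loaded? The chart mounts /sys/module/falco as a hostPath
    #    and sysfs refuses mkdir, so a missing directory means CreateContainerError.
    if [ -d "$sys_root/module/falco" ]; then
        echo "ok   : $sys_root/module/falco exists (falco module loaded)"
    else
        echo "fail : $sys_root/module/falco missing (module not loaded)"
        rc=1
    fi

    # 2. Is the capture device there? Falco opens /host/dev/falco0 at start-up.
    if [ -e "$dev_root/falco0" ]; then
        echo "ok   : $dev_root/falco0 present"
    else
        echo "fail : $dev_root/falco0 missing"
        rc=1
    fi

    # 3. Can the module be built for this kernel? The build link comes from
    #    kernel-devel / linux-headers for exactly this kernel version.
    if [ -d "$mod_root/$kver/build" ]; then
        echo "ok   : kernel headers for $kver present"
    else
        echo "fail : no $mod_root/$kver/build (install headers for $kver)"
        rc=1
    fi

    return $rc
}

# Stand-alone use on a node, as root:  sh falco-kmod-check.sh --run
case "${1:-}" in
    --run) falco_kmod_check ;;
esac
```

A non-zero exit from the check on a node is exactly the state in which the pods on this page fail; fixing the first two items means loading the module on the node (outside the pod), and the third is the same kernel-headers requirement the quoted deployment notes below address with kernel-devel.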
https://github.com/Adminisme/Blog/blob/master/2020/%E5%A6%82%E4%BD%95%E4%BD%BF%E7%94%A8helm%E9%83%A8%E7%BD%B2falco.md
1. How to deploy falco with helm
1.1. Deployment
When deploying falco with helm, it is recommended to format the logs as JSON, so that the log information is more detailed.
# helm install stable/falco --name falco -f custom_rules.yaml --set ebpf.enabled=true,falco.jsonOutput=true,image.tag=0.23.0
Remove from the cluster:
# helm delete --purge falco
A CrashLoopBackOff may be a kernel mismatch.
Check the logs to further confirm whether it is a kernel problem.
After upgrading the kernel on the target node and rebooting, the problem was solved.
yum install kernel
yum -y install kernel-devel-$(uname -r)
1.2. Using custom rules

# kubectl -n falco logs falco-wt7zm -c falco
Tue Jul 2 03:27:06 2024: Falco version: 0.36.2 (x86_64)
Tue Jul 2 03:27:06 2024: Falco initialized with configuration file: /etc/falco/falco.yaml
Tue Jul 2 03:27:06 2024: Loading rules from file /etc/falco/falco_rules.yaml
Tue Jul 2 03:27:06 2024: Loading rules from file /etc/falco/falco_rules.local.yaml
Tue Jul 2 03:27:07 2024: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Tue Jul 2 03:27:07 2024: Starting health webserver with threadiness 2, listening on port 8765
Tue Jul 2 03:27:07 2024: Loaded event sources: syscall
Tue Jul 2 03:27:07 2024: Enabled event sources: syscall
Tue Jul 2 03:27:07 2024: Opening 'syscall' source with Kernel module
Tue Jul 2 03:27:07 2024: Trying to inject the Kernel module and opening the capture again...
Tue Jul 2 03:27:07 2024: Unable to load the driver
Tue Jul 2 03:27:07 2024: An error occurred in an event source, forcing termination...
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
Error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco module is loaded: No such file or directory

Deploying a newer version