Inject Falco and pdig into a running kubernetes pod.
This repo exists to show the concept that Falco + pdig can be injected into running pods without requiring to modify the original image.
Warning: I'm doing expriments here, don't take this seriously.
In order to inject, you need a rootfs containing Falco, its dependencies and pdig.
Since this is a proof of concept now, I created one from scratch and uploaded
it to one of my buckets. It basically contains the Falco pieces bundled in
the docker image krisnova/falco-trace:latest
.
In case you want to create your own rootfs tar, in order for this to work
you need the falco
binary and the pdig
binary.
So you need to download the file rootfs.tar
and then run falco-inject
that will inject the content of rootfs.tar
file from the current working directory
into the specified pod with a label selector.
curl -O https://fs.fntlnz.wtf/falco/rootfs.tar
./falco-inject --selector "run=unsecure-falco-example" --namespace default
kubectl run unsecure-falco-example --image nginx
curl -O https://fs.fntlnz.wtf/falco/rootfs.tar
go build .
./falco-inject --selector "run=unsecure-falco-example" --namespace default
Q. How does this connect to kubernetes?
A. It uses your main kubeconfig file, if you expose the KUBECONFIG
environment variable, it uses that one
Q. Can I use this in production?
A. Remember that discussion we had about trusting my 1-day-old repositories? USE IT