Kubernetes Security — Intrusion Detection System(Falco-Logstash)
Introduction:-In current technology trend Kubernetes is widely acceptable solution which harnessing the micro- service orchestration. As it’s demands increasing day by day it is also expected to secure the micro-service environment. Focusing on Kubernetes security, have to go through container security and their runtime.
There are various product which facilitates the feature of IDS (Intrusion detection System) in kubernetes environment.
Scope:-The scope of the document is focused on the below products & environment to achieve goal of implementing IDS in Azure kubernetes .This document will also provide the details steps that is used to implement the solution.
· Falco · Logstash · Azure Kubernetes Service (AKS) · Log-analytics · Sentinel
Product Description:-The below details provides the description of the products in a nutshell
Falco:- Falco the open-source cloud-native runtime security project, is the de facto Kubernetes threat detection engine. Falco was created by Sysdig in 2016 and is the first runtime security project to join CNCF as an incubation-level project. Falco detects unexpected application behavior and alerts on threats at runtime.
Logstash:-Logstash is a light-weight, open-source, server-side data processing pipeline that allows you to collect data from a variety of sources, transform it on the fly, and send it to your desired destination..In this case Azure Log-analytics is used to store the log.
Log analytics:-Log Analytics is a service that helps to collect and analyze data generated by resources in cloud and on-premises environments.
Sentinel:-Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.
Solution Architecture:-The below picture provides the architecture of the implemented solution
Falco is implemented as daemon-set and deployed by helm chart with customized values yml ,which ensure that falco pod run on every node (worker) so that it monitors/detects the intrusion based on the rules.Falco is transferring the log through http to logstash
Falco HELM Chart /customized Value.yml:-
Installation of Falco:-
Logstash:- Logstash is installed as statefullset and performing the as a middle man role and collecting the log and transferring the log to log-analytics.The logstash installed via HELM chart the values.yaml can be customized based on the environmental requirement.
To send the log to loganalytics Logstash required
Logstash: values.yaml
The upload plugin injected imaged need to be placed in helm chart values.yml
Customized other values of logstash configuration iside helm chart values.yml:-
Installation of Logstash:-
Verification of implemented Solution:-
Now let us enter in to a pod and check whether the rules are working fine or not.
# kubectl get pod -n appnamespace ( to get the pod in the appnamespace)
#winpty kubectl exec -it myapppod bash -n appnamespace
Entering into the pod as per rule an alert will get generated:-
#kubectl logs -f logstash-0 -n logging ( checking the logs of the logstash container)
Log Analysis:Based on the log it can be seen that a privileged container started and some one entered onto the application POD
“output” => “10:01:57.131417000: Notice Privileged container started (user=<NA> user_loginuid=0 command=container:2f9ee7d74eae k8s.ns=kube-system
The Log is transferred to the Log analytics in a table named AKSTAB
[2020–11–18T10:41:39,148][INFO ][logstash.outputs.azureloganalytics] Successfully posted 1 logs into custom log analytics table[AKSTAB].
Conclusion:-Falco is a great tool to keep a track of all the containers for any suspicious behavior based activities. It triggers the alerts in real time.This solution is feasible for all managed (AKS,GKE,EKS)& unmanaged Kubernetes environment ( OpenShift), the only loganalytics part need to change with cloud specific solution , as Log-analytics is a Azure native product.