Deploy Falco for runtime container security monitoring #92

Open
opened 2026-06-04 12:04:03 +00:00 by ldraney · 0 comments
Type

Feature

Lineage

Child of ldraney/landscaping-assistant #43 (Observability & DORA metrics stack).
Phase 6b of the observability roadmap (docs/observability-roadmap.md).
Aligns with pal-e-platform Phase 20b (Runtime Security).
Split from #90 (was bundled with SLOs, separated per single-responsibility principle).

Repo

ldraney/pal-e-platform (Helm release + Terraform)

User Story

As a platform operator
I want runtime container security monitoring
So that I can detect anomalous container behavior like unexpected shells, sensitive file access, and outbound connections

Context

Harbor Trivy scans images at rest. Nothing watches runtime behavior. Falco is a CNCF project that monitors syscalls for anomalous container activity. It detects unexpected shells (kubectl exec), sensitive file reads, outbound network connections, and privilege escalation. Alerts route through the existing Alertmanager pipeline to Telegram.

Note: pal-e-platform Phase 20b depends on Phase 19 (Kyverno, NOT STARTED). Falco can be deployed standalone but the full security tier depends on Kyverno being in place. This ticket covers Falco deployment only.

File Targets

Files the agent should modify or create:

  • terraform/modules/monitoring/falco.tf or add to terraform/modules/monitoring/main.tf (pal-e-platform) — Helm release for Falco DaemonSet (chart: falcosecurity/falco)
  • Alertmanager config (pal-e-platform) — add Falco alert routing if needed (check if default falcosidekick -> Alertmanager integration handles this)

Acceptance Criteria

  • Falco DaemonSet running on all nodes
  • Falco detects kubectl exec shell into a pod (test with a non-production pod)
  • Falco alerts route through Alertmanager to Telegram
  • Default Falco rules active (no custom rules needed initially)

Test Expectations

  • tofu plan shows Falco Helm release
  • kubectl get pods -n monitoring shows falco running (DaemonSet, one per node)
  • Trigger test: kubectl exec -it deploy/landscaping-assistant -- /bin/sh generates an alert in Alertmanager

Constraints

  • eBPF mode if kernel supports it (Arch Linux 7.0.7 — should support eBPF), fall back to kernel module
  • Follow existing Terraform pattern in terraform/modules/monitoring/
  • Falco standalone deployment — full security tier (Phase 20b) depends on Kyverno (Phase 19, NOT STARTED)
  • No custom rules initially — use Falco's default ruleset
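The File Targets and Constraints above ask for a Helm release of the Falco DaemonSet in eBPF mode with alerts flowing to Alertmanager. The following is an added example of such a release, not code from pal-e-platform; it assumes a configured `helm` provider, an existing `monitoring` namespace, chart value names as in the 4.x `falcosecurity/falco` chart (verify against its values.yaml), and a placeholder Alertmanager service address.

```hcl
# Added example (not the pal-e-platform repo's own code): a Helm release for the
# Falco DaemonSet following the helm_release pattern the ticket describes.
# Assumed: a "helm" provider is already configured in the monitoring module,
# the "monitoring" namespace exists, and Alertmanager is reachable in-cluster
# at alertmanager-operated.monitoring.svc:9093 (placeholder; check the real
# Service name with `kubectl get svc -n monitoring`).
resource "helm_release" "falco" {
  name       = "falco"
  repository = "https://falcosecurity.github.io/charts"
  chart      = "falco"
  version    = "CHART_VERSION_PLACEHOLDER" # pin after `helm search repo falcosecurity/falco`
  namespace  = "monitoring"

  values = [yamlencode({
    # Driver: eBPF first, per the constraints. "modern_ebpf" needs no kernel
    # headers or module build; if the node kernel rejects it, change this to
    # "kmod" (kernel module) as the fallback. Value names are per chart 4.x.
    driver = {
      kind = "modern_ebpf"
    }

    # Keep the stock ruleset (no custom rules yet); JSON output gives
    # falcosidekick structured fields such as k8s.ns.name and k8s.pod.name.
    falco = {
      json_output = true
    }

    # falcosidekick receives Falco events and forwards them to Alertmanager,
    # which then reuses the existing Telegram route.
    falcosidekick = {
      enabled = true
      config = {
        alertmanager = {
          hostport        = "http://alertmanager-operated.monitoring.svc:9093"
          # The default rule that fires on a kubectl exec shell,
          # "Terminal shell in container", has priority Notice, so do not
          # filter above that or the acceptance test will never alert.
          minimumpriority = "notice"
        }
      }
    }
  })]
}
```

After `tofu apply`, the acceptance test is the `kubectl exec` from Test Expectations followed by checking Alertmanager for an alert with `rule="Terminal shell in container"` and the target pod's `k8s.pod.name` label.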

Checklist

  • PR opened (pal-e-platform)
  • Tests pass
  • No unrelated changes

Related

  • project-landscaping-observability — observability project
  • ldraney/landscaping-assistant #43 — parent observability issue
  • ldraney/landscaping-assistant #90 — Sloth SLOs (split sibling)
Reference
ldraney/landscaping-assistant#92