Securing a K3s Cluster

This guide provides instructions to secure a K3s cluster using Falco, an open-source cloud-native runtime security project.

Published on Dec 12, 2020


Container security is the process of implementing security tools and policies to protect the container, its application, and performance, including infrastructure, software supply chain, system tools, system libraries, and runtime against security threats.

Runtime security is a critical piece in a cloud-native security story. Access control and policy enforcement are important prevention techniques, but runtime security is needed to detect threats that evade preventions. ~Kris Nova, chief open source advocate at Sysdig.

Falco is an open-source cloud-native runtime security project. Falco was created by Sysdig in 2016 and is the first runtime security project to join the CNCF as an incubation-level project. Falco detects unexpected application behavior and alerts on threats at runtime. With Falco, you can write detection rules that define what unexpected application behavior looks like, and those rules can be enriched with context from the cloud provider and the Kubernetes environment (namespace, pod, container image).

Before you begin:

  • Create a K3s cluster and ensure that you are able to access it. For more information about how to create a K3s cluster, see deploying a K3s cluster. You can also create a Managed K3s cluster using Civo Cloud, the world’s first k3s-powered, managed Kubernetes service. With a managed service, you’ll have a K3s cluster ready in just a few clicks.
  • Ensure that you are able to access the cluster from outside the cluster.
    • To manage K3s from outside the cluster, copy the contents of /etc/rancher/k3s/k3s.yaml from your K3s server to ~/.kube/config on an external machine where you have installed kubectl, replacing the server address in that file with the IP address of your K3s server.
    • To manage a Civo K3s cluster, download the civo kubeconfig file and set the path for KUBECONFIG. For example, export KUBECONFIG=~/Downloads/civo-falco-kubeconfig
  • Ensure that you have installed Helm on an external machine from where you want to manage Kubernetes applications.

Installing Falco:

  1. Create a falco namespace: kubectl create ns falco

  2. Add the Falco chart repository to Helm and refresh the repository index:

    helm repo add falcosecurity https://falcosecurity.github.io/charts
    helm repo update

  3. Install Falco into the falco namespace: helm install falco falcosecurity/falco -n falco

    Output similar to the following appears:

    LAST DEPLOYED: Tue Dec 1 16:56:49 2020
    NAMESPACE: falco
    STATUS: deployed
    Falco agents are spinning up on each node in your cluster. After a few
    seconds, they are going to start monitoring your containers looking for
    security issues.
    No further action should be required.

  4. Check the pods that are running on the cluster using kubectl get pods -n falco (Falco runs as a DaemonSet, so expect one pod per node).

    Output similar to the following appears:

    falco-s6pn9  1/1    Running     0       75s
    falco-52zqb  1/1    Running     0       75s
    falco-rd46z  1/1    Running     0       75s

  5. Simulate a scenario by trying to ssh as the root user on a node in the cluster, and check the logs using kubectl logs <pod name> -n falco

    Output similar to the following appears:

    Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=falco-s6pn9
    container=8873adbbf043 shell=bash parent=runc cmdline=bash terminal=34816 container_id=8873adbbf043 image=<NA>) k8s.ns=default k8s.pod=falco-s6pn9 container=8873adbbf043

Using Falco, you can detect policy violations using community-sourced detections of malicious activity and CVE exploits. You can then alert by plugging Falco into your current security response workflows and processes.
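The alert shown in step 5 is Falco's default text output, and plugging it into a response workflow means first turning that line into structured fields. The following is an added example, not code from Falco or from this guide: it parses such lines (assuming Falco's default text format, with an optional time prefix) into alert objects and filters them by priority; the sample log is constructed from the alert above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `kubectl logs` output from a Falco pod, modelled on the
# alert shown in step 5: one alert with Falco's time prefix, one without, and
# one non-alert startup line that must be ignored.
SAMPLE_LOG = """\
16:58:02.114395016: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=falco-s6pn9 container=8873adbbf043 shell=bash parent=runc cmdline=bash terminal=34816 container_id=8873adbbf043 image=<NA>) k8s.ns=default k8s.pod=falco-s6pn9 container=8873adbbf043
Loading rules from file /etc/falco/falco_rules.yaml:
Warning Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow parent=bash file=/etc/shadow program=cat container_id=8873adbbf043 image=<NA>)
"""

# Falco priorities, most to least severe (syslog order).
PRIORITIES = ("Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug")

# <optional time>: <Priority> <rule output> (<key=value ...>) <trailing key=value ...>
LINE_RE = re.compile(
    r"^(?:(?P<ts>[\d:.T+-]+): )?(?P<prio>" + "|".join(PRIORITIES) + r") "
    r"(?P<msg>.*?) \((?P<fields>.*)\)(?P<tail>.*)$")
# A value runs until the next " key=", so values containing spaces
# (e.g. command=cat /etc/shadow) survive intact.
FIELD_RE = re.compile(r"([A-Za-z0-9_.]+)=(.*?)(?=\s[A-Za-z0-9_.]+=|$)")

@dataclass
class FalcoAlert:
    priority: str
    rule_output: str
    fields: Dict[str, str]
    timestamp: Optional[str] = None

def parse_alert(line: str) -> Optional[FalcoAlert]:
    """Parse one Falco text-output line; return None for non-alert lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m["fields"]))
    # Fields after the parentheses (k8s.ns, k8s.pod, container) are the
    # Kubernetes enrichment Falco appends when running in a cluster.
    fields.update(FIELD_RE.findall(m["tail"].strip()))
    return FalcoAlert(m["prio"], m["msg"], fields, m["ts"])

def parse_log(text: str) -> List[FalcoAlert]:
    return [a for a in map(parse_alert, text.splitlines()) if a is not None]

def at_least(alerts: List[FalcoAlert], min_priority: str) -> List[FalcoAlert]:
    """Keep alerts of min_priority or more severe, e.g. for paging a responder."""
    rank = {p: i for i, p in enumerate(PRIORITIES)}
    return [a for a in alerts if rank[a.priority] <= rank[min_priority]]
```

Feed the output of kubectl logs into parse_log and route the result of at_least to whatever your response tooling expects; values such as k8s.pod and container_id are the keys you will want to pivot on.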