Thomas Labarussias Issif

@Issif
Issif / main.go
Last active December 19, 2023 13:45
Send fake Falco events to Falcosidekick
package main
import (
"bytes"
"encoding/json"
"fmt"
"io"
"log"
"math/rand"
"net/http"
#!/bin/bash
# Create custom-rules.yaml
cat <<EOF > custom-rules.yaml
falco:
rulesFile:
- /etc/falco/k8s_audit_rules.yaml
- /etc/falco/rules.d/custom-rules.yaml
customRules:
custom-rules.yaml: |-
@Issif
Issif / ignite_autok3s.sh
Last active March 17, 2022 14:28
ignite_autok3s.sh
#!/bin/bash
mkdir -p $HOME/.autok3s
sudo ignite run weaveworks/ignite-ubuntu --kernel-image=weaveworks/ignite-kernel:5.14.16 --name k3s-master --cpus 1 --memory=1GB --size=5GB --ssh=$HOME/.ssh/id_rsa.pub
sudo ignite run weaveworks/ignite-ubuntu --kernel-image=weaveworks/ignite-kernel:5.14.16 --name k3s-worker1 --cpus 1 --memory=2GB --size=5GB --ssh=$HOME/.ssh/id_rsa.pub
sudo ignite run weaveworks/ignite-ubuntu --kernel-image=weaveworks/ignite-kernel:5.14.16 --name k3s-worker2 --cpus 1 --memory=2GB --size=5GB --ssh=$HOME/.ssh/id_rsa.pub
export K3S_MASTER_IP=$(sudo ignite inspect vm k3s-master -t {{.Status.Network.IPAddresses}})
export K3S_WORKER1_IP=$(sudo ignite inspect vm k3s-worker1 -t {{.Status.Network.IPAddresses}})
reserved_sources: ["syscall", "internal", "plugins"]
plugins:
- name: k8saudit
description: Read Kubernetes Audit Events and monitor Kubernetes Clusters
authors: The Falco Authors
contact: https://falco.org/community
maintainers:
- name: The Falco Authors
email: [email protected]
keywords:
customRules:
override-k8saudit.yaml: |-
- list: allowed_k8s_users
append: true
items: [eks:cloud-controller-manager, eks:vpc-resource-controller, eks:az-poller]
- macro: live_endpoint
append: true
condition: or ka.uri="/readyz?exclude=kms-provider-0" or ka.uri="/livez?exclude=kms-provider-0"
falco:

author: "Issif"
date: 2021-06-17T12:00:00+02:00
title: "FinOps"
description: "What I learned from my FinOps experience"
categories: ["cloud", "finops"]
featured: "falcosidekick-feature.png"
featuredalt: "falcosidekick feature"

@Issif
Issif / procedure.md
Last active October 16, 2023 14:38
Monitor audit-logs with Falco in a Kind cluster
  • Create the audit-policy.yaml.
cat << EOF > audit-policy.yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
@Issif
Issif / main.go
Last active February 26, 2024 14:01
package main
import (
"fmt"
"log"
"sync"
"time"
"github.com/nats-io/nats.go"

Cluster A - Falco + Falcosidekick

helm install falco falcosecurity/falco -n falco \
--set falcosidekick.enabled=true \
--set falcosidekick.customfields="cluster.name:A" \
--set falcosidekick.config.webhook.address="http://<falcosidekick.cluster-c>" \
--create-namespace

Cluster B - Falco + Falcosidekick

@Issif
Issif / install_falco_and_co.md
Last active April 8, 2024 14:47
Install Falco + Falcosidekick + UI + Talon
  • Install Falco Talon
git clone https://github.com/falco-talon/falco-talon.git
cd falco-talon/deployment/helm
cat <<EOF > rules.yaml
- action: Terminate Pod
  actionner: kubernetes:terminate