Merge pull request #102 from SumoLogic/arun-falco

Added Falco specific changes.
SumoLogic · Aug 9, 2019 · bf3e41b · bf3e41b
2 parents f318df3 + fa372ad
commit bf3e41b
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 2 deletions.
diff --git a/deploy/README.md b/deploy/README.md
@@ -319,7 +319,7 @@ spec:
   endpoints:
   - port: web
   ```
-  
+
 Replace the `name` with a name that relates to your service, and a `matchLabels` that would match the pods you want this service monitor to scrape against. By default, prometheus attempts to scrape metrics off of the `/metrics` endpoint, but if you do need to use a different url, you can override it by providing a `path` attribute in the settings like so:
 
 ```
@@ -358,7 +358,7 @@ The `prometheus-overrides.yaml` file controls what metrics get forwarded on to S
 After adding this to the `yaml`, go ahead and run a `helm upgrade prometheus-operator stable/prometheus-operator -f prometheus-overrides.yaml` to upgrade your `prometheus-operator`.
 
 Note: When executing the helm upgrade to avoid the error below is need add the argument `--force`.
-      
+
       invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app.kubernetes.io/name":"kube-state-metrics"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable
 
 If all goes well, you should now have your custom metrics piping into Sumo Logic.
@@ -405,8 +405,50 @@ helm repo update \
    && helm install stable/fluent-bit --name fluent-bit --namespace sumologic -f fluent-bit-overrides.yaml
 ```
 
+## Step 4: Deploy Falco
+
+In this step, you will deploy [Falco](https://falco.org/) to detect anomalous activity and capture Kubernetes Audit Events. This step is required only if you intend to use the Sumo Logic Kubernetes App.
+
+__NOTE__ [Falco](https://sysdig.com/blog/sysdig-falco/) needs privileged container access to insert its kernel module to process events for system calls.
+
+Download the file `falco-overrides.yaml` from GitHub:
+
+```sh
+curl -LJO https://raw.githubusercontent.com/SumoLogic/sumologic-kubernetes-collection/master/deploy/helm/falco-overrides.yaml
+```
+
+Install `falco` using Helm:
+
+```sh
+helm repo update \
+   && helm install stable/falco --name falco --namespace sumologic -f falco-overrides.yaml
+```
+
+__NOTE__ `Google Kubernetes Engine (GKE)` uses Container-Optimized OS (COS) as the default operating system for its worker node pools. COS is a security-enhanced operating system that limits access to certain parts of the underlying OS. Because of this security constraint, Falco cannot insert its kernel module to process events for system calls. However, COS provides the ability to leverage eBPF (extended Berkeley Packet Filter) to supply the stream of system calls to the Falco engine. eBPF is currently supported only on GKE and COS. More details [here](https://falco.org/docs/installation/).
+
+To install `Falco` on `GKE`, uncomment following lines in the file `falco-overrides.yaml`:
+
+```
+ebpf:
+  enabled: true
+```
+
+Install `falco` on `GKE` using Helm:
+
+```sh
+helm repo update \
+   && helm install stable/falco --name falco --namespace sumologic -f falco-overrides.yaml
+```
+
+
 ## Tear down
 
+To delete `falco` from the Kubernetes cluster:
+
+```sh
+helm del --purge falco
+```
+
 To delete `fluent-bit` from the Kubernetes cluster:
 
 ```sh

diff --git a/deploy/helm/falco-overrides.yaml b/deploy/helm/falco-overrides.yaml
@@ -0,0 +1,4 @@
+#ebpf:
+#  enabled: true
+falco:
+  jsonOutput: true