
🛡️ Falco on EKS: Real-Time Kubernetes Threat Detection in Action

Published
3 min read


👀 What is Falco?

Falco is the cloud-native runtime security tool for Kubernetes environments. Developed by Sysdig and now a CNCF project, Falco continuously monitors your running workloads and alerts you in real time when it detects unusual or suspicious activity — such as unexpected file access, shell execution, or privilege escalation.

Falco inspects Linux system calls (syscalls) to observe what is happening inside your containers and on your nodes, giving you runtime security visibility that most other tools lack.


🚀 Why Use Falco? Real-World Use Cases

Use Case                        What Falco Detects
🦠 Malware Infection            Shells spawning, downloading binaries
🔓 Credential Theft             Access to files like /etc/shadow
🛠️ Unauthorized File Access     Writing to /etc, executing from /tmp
🔐 Compliance                   Continuous runtime monitoring for PCI, HIPAA, SOC2
🔧 DevSecOps                    Detects unsafe behavior post-deployment
☁️ Shared Clusters              Namespace-aware alerts for multi-tenancy

🔧 Step-by-Step: Deploy Falco on an EKS Cluster

✅ Prerequisites:

  • A working EKS cluster with Linux nodes (x86_64 or ARM64)

  • kubectl configured to access the cluster

  • helm installed (v3+)

  • Linux-based CLI (or WSL2 if you're on Windows)


1️⃣ Add the Falco Helm Repo

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

2️⃣ Install Falco with Helm

helm install --replace falco --namespace falco --create-namespace --set tty=true falcosecurity/falco

This installs Falco as a DaemonSet, ensuring it runs on every node.


3️⃣ Verify That Falco is Running

kubectl get pods -n falco
kubectl wait pods --for=condition=Ready --all -n falco

Wait for all Falco pods to show READY=1/1.


4️⃣ Trigger a Built-In Falco Rule

Let’s simulate suspicious activity by reading a sensitive file inside a pod.

Create a test deployment:

kubectl create deployment nginx --image=nginx

Trigger the alert:

kubectl exec -it $(kubectl get pods --selector=app=nginx -o name) -- sh -c "cat /etc/shadow"

This command attempts to read /etc/shadow, a sensitive file that Falco's default ruleset watches for reads by untrusted programs.


View the Falco Alert:

kubectl logs -l app.kubernetes.io/name=falco -n falco -c falco | grep Warning

Expected output (example):

Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow process=cat container_name=nginx ...)

🎉 You just triggered and caught your first Falco alert!
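The grep above only shows raw lines. When you start forwarding Falco output into a ticket or a dashboard, it helps to turn each line into structured fields. The parser below is an added example written for this post (not code from Falco or the Falco Helm chart): it assumes Falco's default text output, `<time>: <Priority> <message> (<key>=<value> ...)`, as it appears in `kubectl logs` for the falco container. The sample log is constructed; the two Warning messages mirror the alerts from steps 4 and 6, while the timestamps, container_id and the Notice line are made up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in Falco's default text format. The two Warning lines
# mirror the alerts shown in steps 4 and 6 of this post; timestamps,
# container_id, pcmdline and the Notice line are made up for the example.
SAMPLE_LOG = """\
12:01:05.123456789: Warning Sensitive file opened for reading by non-trusted program (user=root file=/etc/shadow process=cat container_name=nginx container_id=3f2a1b9c0d1e k8s_ns=default)
12:02:10.987654321: Warning File below /etc opened for writing (user=root file=/etc/test_file_for_falco_rule process=touch pcmdline=sh -c touch /etc/test_file_for_falco_rule container_name=nginx container_id=3f2a1b9c0d1e k8s_ns=default)
12:02:11.000000000: Notice Constructed lower-priority alert (user=root process=sh container_name=nginx container_id=3f2a1b9c0d1e k8s_ns=default)
"""

# Falco priorities, most severe first (same order as Falco's own list).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# "<time>: <Priority> <message> (<fields>)"; the timestamp prefix is optional
# so the trimmed lines printed in this post parse too.
LINE_RE = re.compile(
    r"^(?:(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?): )?"
    r"(?P<priority>" + "|".join(PRIORITIES) + r") "
    r"(?P<message>.*?) \((?P<fields>.*)\)\s*$"
)
# key=value pairs; a value runs until the next "key=" token, so values with
# spaces (e.g. pcmdline=sh -c touch ...) survive intact.
FIELD_RE = re.compile(r"(\S+?)=(.*?)(?=\s+\S+?=|$)")


@dataclass
class FalcoAlert:
    time: Optional[str]
    priority: str
    message: str
    fields: dict


def parse_alert(line: str) -> Optional[FalcoAlert]:
    """Parse one Falco text-output line; return None for non-alert lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v for k, v in FIELD_RE.findall(m.group("fields"))}
    return FalcoAlert(m.group("time"), m.group("priority"), m.group("message"), fields)


def parse_log(text: str) -> list:
    """Parse every alert line in a block of log text, skipping anything else."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a is not None]


def at_or_above(alert: FalcoAlert, threshold: str = "Warning") -> bool:
    """True if the alert's priority is at least as severe as the threshold."""
    return PRIORITIES.index(alert.priority) <= PRIORITIES.index(threshold)


def summarize(text: str, threshold: str = "Warning") -> dict:
    """Group alerts at or above the threshold by (namespace, container).

    Each entry records how many alerts fired, their messages, and the
    files involved, which is what a first-pass triage usually wants.
    """
    summary = {}
    for a in parse_log(text):
        if not at_or_above(a, threshold):
            continue
        key = (a.fields.get("k8s_ns", "?"), a.fields.get("container_name", "?"))
        entry = summary.setdefault(key, {"count": 0, "messages": [], "files": []})
        entry["count"] += 1
        entry["messages"].append(a.message)
        if "file" in a.fields:
            entry["files"].append(a.fields["file"])
    return summary


if __name__ == "__main__":
    for (ns, container), entry in summarize(SAMPLE_LOG).items():
        print(f"{ns}/{container}: {entry['count']} alert(s), files={entry['files']}")
```

Pipe real output into it with `kubectl logs -l app.kubernetes.io/name=falco -n falco -c falco | python3 falco_triage.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the default threshold keeps Warning and above, which matches the grep used in this post.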


5️⃣ Add a Custom Falco Rule

Create a file named falco_custom_rules_cm.yaml:

customRules:
  custom-rules.yaml: |-
    - rule: Write below etc
      desc: An attempt to write to /etc directory
      condition: >
        (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)
        and fd.name startswith /etc
      output: "File below /etc opened for writing | file=%fd.name pcmdline=%proc.pcmdline ..."
      priority: WARNING
      tags: [filesystem, mitre_persistence]

Apply the custom rule with Helm:

helm upgrade --namespace falco falco falcosecurity/falco \
  --set tty=true -f falco_custom_rules_cm.yaml

Wait for pods to restart:

kubectl wait pods --for=condition=Ready --all -n falco

6️⃣ Trigger Your Custom Rule

Let’s write a file into /etc, which is normally suspicious:

kubectl exec -it $(kubectl get pods --selector=app=nginx -o name) -- sh -c "touch /etc/test_file_for_falco_rule"

View the Falco logs again:

kubectl logs -l app.kubernetes.io/name=falco -n falco -c falco | grep Warning

You’ll see output like:

Warning File below /etc opened for writing (file=/etc/test_file_for_falco_rule process=touch ...)

✔️ Your custom rule worked perfectly!
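To see why the `touch` in step 6 fires the custom rule while the `cat /etc/shadow` in step 4 does not, it helps to walk the rule's condition clause by clause over a handful of events. The script below is an added example written for this post, not Falco's rule engine or any Falco project code: it models each syscall event as a plain dict of the Falco field names the rule references (`evt.type`, `evt.is_open_write`, `fd.typechar`, `fd.num`, `fd.name`, `proc.pcmdline`), re-implements the condition in Python, and renders the rule's `output` template the way Falco substitutes `%field` references (unavailable fields become `<NA>`). The template omits the fields the post elides with `...`, and all sample events, fd numbers and command lines are constructed.

```python
import re
from dataclasses import dataclass

# Toy model of the syscall-derived fields the custom rule references.
# Added for illustration; this is not how Falco evaluates rules internally.


@dataclass
class Event:
    fields: dict  # Falco field name -> value, e.g. "evt.type" -> "openat"


def write_below_etc(ev: Event) -> bool:
    """Python mirror of the 'Write below etc' condition from the values file."""
    f = ev.fields
    return (
        f["evt.type"] in ("open", "openat", "openat2")  # only open-family syscalls
        and f["evt.is_open_write"] is True               # opened with a write flag
        and f["fd.typechar"] == "f"                      # a regular file, not a dir/socket
        and f["fd.num"] >= 0                             # the open succeeded
        and f["fd.name"].startswith("/etc")              # path prefix check
    )


# The rule's output template, minus the fields the post elides with "...".
OUTPUT = "File below /etc opened for writing | file=%fd.name pcmdline=%proc.pcmdline"
FIELD_REF = re.compile(r"%([a-z_]+(?:\.[a-z_]+)+)")


def render(template: str, fields: dict) -> str:
    """Substitute %field references; fields that are not available become <NA>."""
    return FIELD_REF.sub(lambda m: str(fields.get(m.group(1), "<NA>")), template)


def evaluate(events) -> list:
    """Return the rendered output line for every event the rule matches."""
    return [render(OUTPUT, ev.fields) for ev in events if write_below_etc(ev)]


# Constructed sample events (fd numbers and command lines are made up).
SAMPLE_EVENTS = [
    # step 6: touch /etc/test_file_for_falco_rule -> the one event that matches
    Event({"evt.type": "openat", "evt.is_open_write": True, "fd.typechar": "f", "fd.num": 3,
           "fd.name": "/etc/test_file_for_falco_rule", "proc.name": "touch",
           "proc.pcmdline": "sh -c touch /etc/test_file_for_falco_rule"}),
    # step 4: cat /etc/shadow is a read, so this rule stays quiet
    # (the built-in sensitive-file rule is what fires there)
    Event({"evt.type": "openat", "evt.is_open_write": False, "fd.typechar": "f", "fd.num": 3,
           "fd.name": "/etc/shadow", "proc.name": "cat", "proc.pcmdline": "sh -c cat /etc/shadow"}),
    # a write outside /etc: fails the path prefix check
    Event({"evt.type": "openat", "evt.is_open_write": True, "fd.typechar": "f", "fd.num": 3,
           "fd.name": "/tmp/scratch", "proc.name": "sh", "proc.pcmdline": "sh"}),
    # a write attempt that failed (negative return value): excluded by fd.num>=0
    Event({"evt.type": "openat", "evt.is_open_write": True, "fd.typechar": "f", "fd.num": -1,
           "fd.name": "/etc/passwd", "proc.name": "sh", "proc.pcmdline": "sh"}),
    # the /etc directory itself being opened: fd.typechar is 'd', not 'f'
    Event({"evt.type": "openat", "evt.is_open_write": False, "fd.typechar": "d", "fd.num": 4,
           "fd.name": "/etc", "proc.name": "ls", "proc.pcmdline": "sh -c ls /etc"}),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print("Warning", line)
```

Running it prints a single Warning line for the `touch` event; every other sample event is rejected by exactly one clause, which is a useful way to reason about a new rule before you ship it to the cluster. The `fd.num>=0` clause matters in practice: without it, a process that merely tries and fails to open a file under /etc would still raise the alert.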


✅ Recap

By this point, you have:

  • ✅ Deployed Falco in EKS

  • ✅ Triggered built-in and custom rules

  • ✅ Verified Falco detects suspicious activity in real time

🎯 Falco is a must-have tool for runtime security, helping you meet compliance, detect attacks, and stay in control of your workloads — even after they’re deployed.

NavyaDevops
