Motivation
By default, the Falco Helm chart deploys no NetworkPolicy.
Falco runs by default as a DaemonSet with `securityContext: privileged: true` (the equivalent of `docker --privileged`), so a compromised Falco pod is effectively a foothold on every node it runs on; that makes it an attractive target for an attacker.
According to the official Kubernetes documentation (reference: https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-two-sorts-of-pod-isolation), a pod that no NetworkPolicy selects is non-isolated: the Falco pods can accept connections from, and open connections to, any other pod that is not itself restricted by a policy of its own, as well as any external address.
By default, a pod is non-isolated for egress; all outbound connections are allowed. A pod is isolated for egress if there is any NetworkPolicy that both selects the pod and has "Egress" in its policyTypes; we say that such a policy applies to the pod for egress. When a pod is isolated for egress, the only allowed connections from the pod are those allowed by the egress list of some NetworkPolicy that applies to the pod for egress. Reply traffic for those allowed connections will also be implicitly allowed. The effects of those egress lists combine additively.
By default, a pod is non-isolated for ingress; all inbound connections are allowed. A pod is isolated for ingress if there is any NetworkPolicy that both selects the pod and has "Ingress" in its policyTypes; we say that such a policy applies to the pod for ingress. When a pod is isolated for ingress, the only allowed connections into the pod are those from the pod's node and those allowed by the ingress list of some NetworkPolicy that applies to the pod for ingress. Reply traffic for those allowed connections will also be implicitly allowed. The effects of those ingress lists combine additively.
Provide an extra values section to specify a default NetworkPolicy that the chart deploys together with the Helm release; it could live under the existing `extra` section, for example. Note that a NetworkPolicy is only enforced when the cluster's network plugin (CNI) implements it; on a cluster without such a plugin the object is accepted but has no effect.
For instance, it could be something like this:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: falco-network-policy
  namespace: falco
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: falco
      app.kubernetes.io/name: falco
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # At the moment it's not possible to do better on ingress source filtering to target the kube-apiserver:
    # the kube-apiserver can't be targeted by a podSelector, because it runs with hostNetwork and the
    # source IP seen by the policy is the control-plane node's hostIP. If the control-plane node IPs are
    # known, an ipBlock "from" entry with those addresses is the closest workaround.
    # - from:
    #     - namespaceSelector:
    #         matchLabels:
    #           kubernetes.io/metadata.name: kube-system
    #       podSelector:
    #         matchLabels:
    #           tier: control-plane
    #           component: kube-apiserver
    - ports:
        # Liveness, readiness and health probes (Falco web server)
        - port: 8765
          protocol: TCP
        # Falco webhook for the k8saudit plugin
        - port: 9765
          protocol: TCP
  egress:
    # Allow kube-dns resolution.
    # Caveat: only UDP is allowed here; resolvers retry over TCP 53 when an answer is truncated,
    # so consider allowing TCP 53 as well.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
    # Outgoing traffic to falcosidekick pods
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: core
              app.kubernetes.io/instance: falco
              app.kubernetes.io/name: falcosidekick
      ports:
        # Falco to sidekick communication (HTTP and gRPC)
        - port: 2801
          protocol: TCP
        - port: 2810
          protocol: TCP
    # PRIVATE registry for falcoctl artifacts (1.2.3.4/32 is a placeholder to replace)
    - to:
        - ipBlock:
            cidr: 1.2.3.4/32
      ports:
        - port: 443
          protocol: TCP
    # Comment out the whole falcosidekick "- to" block above and uncomment the following if using
    # only Falco, without the falcosidekick component, and forwarding directly to a syslog server.
    # Outgoing traffic to syslog server
    # - to:
    #     - ipBlock:
    #         cidr: 1.2.3.4/32
    #   ports:
    #     - port: 6514
    #       protocol: TCP
    #     - port: 514
    #       protocol: UDP
    # Allow egress to a corporate proxy if necessary for falcoctl (no private registry, needs public ghcr.io)
    - to:
        - ipBlock:
            cidr: 1.2.3.4/32
      ports:
        - port: _WELL_KNOWN_PROXY_PORT_SUCH_AS_8080_OR_3128_OR_8123_OR_ELSE
          protocol: TCP
    # Caveat: depending on the chart version and on whether the Kubernetes metadata collector is
    # enabled, Falco itself also talks to the kube-apiserver. The apiserver endpoints are node IPs
    # (hostNetwork), so that egress can only be allowed with an ipBlock rule, not with a podSelector.
```
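To see what the two isolation rules quoted above actually do to the proposed policy, here is a small evaluator that implements them (an added example, not Falco or Kubernetes project code). It supports `matchLabels` selectors, `namespaceSelector`, `ipBlock` and `ports`, and evaluates a subset of the policy above against a constructed set of pods and addresses: the pod names, labels and IPs are made up for the demo, and `check_falco_policy` and the pod constants are this example's own. It surfaces two consequences a practitioner should confirm before shipping the policy: DNS over TCP from Falco is denied because only UDP 53 is allowed, and falcosidekick stays non-isolated because the policy does not select it.

```python
"""Toy NetworkPolicy evaluator: a pod is isolated for a direction only if some
policy selects it with that policyType; allowed rules then combine additively.
Added example, not Falco or Kubernetes code. All cluster state is constructed."""
import ipaddress

# Constructed namespace labels and pods (not real data).
NAMESPACES = {
    "falco": {"kubernetes.io/metadata.name": "falco"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
    "default": {"kubernetes.io/metadata.name": "default"},
}
FALCO = {"ns": "falco", "ip": "10.0.1.10", "labels": {
    "app.kubernetes.io/name": "falco", "app.kubernetes.io/instance": "falco"}}
SIDEKICK = {"ns": "falco", "ip": "10.0.1.11", "labels": {
    "app.kubernetes.io/name": "falcosidekick", "app.kubernetes.io/instance": "falco",
    "app.kubernetes.io/component": "core"}}
COREDNS = {"ns": "kube-system", "ip": "10.0.2.5", "labels": {"k8s-app": "kube-dns"}}
SHOP = {"ns": "default", "ip": "10.0.3.7", "labels": {"app": "shop"}}
# hostNetwork kube-apiserver and an external registry: bare IPs, no pod labels.
APISERVER = {"ns": None, "ip": "192.168.10.1", "labels": {}}
REGISTRY = {"ns": None, "ip": "1.2.3.4", "labels": {}}

# Subset of the policy proposed above, in the shape `kubectl -o json` returns.
FALCO_POLICY = {
    "metadata": {"name": "falco-network-policy", "namespace": "falco"},
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/name": "falco",
                                        "app.kubernetes.io/instance": "falco"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"ports": [{"port": 8765, "protocol": "TCP"},
                               {"port": 9765, "protocol": "TCP"}]}],
        "egress": [
            {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                     "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
             "ports": [{"port": 53, "protocol": "UDP"}]},
            {"to": [{"podSelector": {"matchLabels": {"app.kubernetes.io/name": "falcosidekick",
                                                     "app.kubernetes.io/component": "core"}}}],
             "ports": [{"port": 2801, "protocol": "TCP"}, {"port": 2810, "protocol": "TCP"}]},
            {"to": [{"ipBlock": {"cidr": "1.2.3.4/32"}}], "ports": [{"port": 443, "protocol": "TCP"}]},
        ],
    },
}


def selector_matches(selector, labels):
    """matchLabels only; an absent or empty selector matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, other):
    """Does one from/to entry cover `other` (a pod dict or a bare-IP dict)?"""
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(other["ip"]), peer["ipBlock"]
        return (ip in ipaddress.ip_network(block["cidr"])
                and not any(ip in ipaddress.ip_network(e) for e in block.get("except", [])))
    if other["ns"] is None:  # label selectors never match non-pod traffic (e.g. hostNetwork apiserver)
        return False
    if "namespaceSelector" in peer:
        ns_ok = selector_matches(peer["namespaceSelector"], NAMESPACES[other["ns"]])
    else:  # a podSelector on its own means "in the policy's own namespace"
        ns_ok = other["ns"] == policy_ns
    pod_ok = selector_matches(peer["podSelector"], other["labels"]) if "podSelector" in peer else True
    return ns_ok and pod_ok


def rule_matches(rule, peer_key, policy_ns, other, port, proto):
    peers, ports = rule.get(peer_key), rule.get("ports")  # missing from/to or ports means "any"
    peer_ok = not peers or any(peer_matches(p, policy_ns, other) for p in peers)
    port_ok = not ports or any(p.get("protocol", "TCP") == proto and p["port"] == port for p in ports)
    return peer_ok and port_ok


def allowed(policies, direction, pod, other, port, proto="TCP"):
    """direction="egress": pod -> other; direction="ingress": other -> pod."""
    ptype, peer_key = direction.capitalize(), ("to" if direction == "egress" else "from")
    applying = [p for p in policies
                if p["metadata"]["namespace"] == pod["ns"]
                and selector_matches(p["spec"].get("podSelector"), pod["labels"])
                and ptype in p["spec"].get("policyTypes", ["Ingress"])]
    if not applying:  # no policy selects the pod for this direction: non-isolated
        return True
    return any(rule_matches(r, peer_key, p["metadata"]["namespace"], other, port, proto)
               for p in applying for r in p["spec"].get(direction, []))


def check_falco_policy():
    """Flows a practitioner would want to confirm; True means allowed."""
    none, pol = [], [FALCO_POLICY]
    return {
        "no_policy_egress_to_shop": allowed(none, "egress", FALCO, SHOP, 80),   # privileged pod, wide open
        "dns_udp": allowed(pol, "egress", FALCO, COREDNS, 53, "UDP"),
        "dns_tcp": allowed(pol, "egress", FALCO, COREDNS, 53, "TCP"),           # denied: UDP only
        "sidekick_http": allowed(pol, "egress", FALCO, SIDEKICK, 2801),
        "egress_to_shop": allowed(pol, "egress", FALCO, SHOP, 80),
        "registry_https": allowed(pol, "egress", FALCO, REGISTRY, 443),
        "apiserver_webhook": allowed(pol, "ingress", FALCO, APISERVER, 9765),
        "shop_to_falco_ssh": allowed(pol, "ingress", FALCO, SHOP, 22),
        "sidekick_unaffected": allowed(pol, "egress", SIDEKICK, SHOP, 80),      # not selected: non-isolated
    }


if __name__ == "__main__":
    for flow, ok in check_falco_policy().items():
        print(f"{flow:26s} {'allowed' if ok else 'denied'}")
```

To run it against real objects, load the output of `kubectl get networkpolicy -n falco -o json` into the same dict shape. The hostNetwork apiserver is modelled as a bare IP with no labels, which is exactly why the commented-out `podSelector` rule in the policy above can never match it and only an `ipBlock` entry could.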
Feature
By default, the Falco Helm chart deploys no NetworkPolicy, and Falco runs as a privileged DaemonSet (see Motivation above).
Add a values section (for example under `extra`) that lets users specify a default NetworkPolicy for the Falco pods, deployed together with the Helm release, so that the privileged pods are isolated for ingress and egress out of the box.
Alternatives
Additional context