Kubernetes Falco Rules
Kubernetes (commonly stylized as k8s) is an open-source container-orchestration system for automating application deployment, scaling, and management.
Unexpected inbound TCP connections
Detects inbound traffic to Kubernetes components using tcp on a port outside of expected set
Allowed inbound ports:
- 6443 (kube-apiserver container)
- 10252 (kube-controller container)
- 8443 (kube-dashboard container)
- 10053, 10055, 8081 (kube-dns container)
- 10251 (kube-scheduler container)
Unexpected spawned processes
Detects a process started in a kubernetes cluster outside of an expected set
Allowed processes:
- kube-apiserver (for kube-apiserver container)
- kube-controller-manager (for kube-controller container)
- /dashboard (kube-dashboard container)
- /kube-dns (kube-dns container)
- kube-scheduler (kube-scheduler container)
Unexpected file access readonly
Detects an attempt to access a file readonly other than below an expected list of directories
Allowed file prefixes for readonly: