Kubernetes Falco Rules

Kubernetes (commonly stylized as k8s) is an open-source container-orchestration system for automating application deployment, scaling, and management.

Unexpected inbound TCP connections

Detects an inbound TCP connection to a Kubernetes component container on a port outside the expected set for that container.

Allowed inbound ports:

  • 6443 (kube-apiserver container)
  • 10252 (kube-controller container)
  • 8443 (kube-dashboard container)
  • 10053, 10055, 8081 (kube-dns container)
  • 10251 (kube-scheduler container)

Unexpected spawned processes

Detects a process started inside a Kubernetes component container that is not in the expected set of processes for that container.

Allowed processes:

  • kube-apiserver (for kube-apiserver container)
  • kube-controller-manager (for kube-controller container)
  • /dashboard (kube-dashboard container)
  • /kube-dns (kube-dns container)
  • kube-scheduler (kube-scheduler container)

Unexpected file access readonly

Detects a read-only open of a file that is not below one of the expected directory prefixes.

Allowed file prefixes for read-only access:

  • /public
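
The three detections above share one shape: a macro that identifies the component container, an allowlist, and a rule that fires when the event falls outside that allowlist. The ruleset below is an added example written for this page, not the project's own rule file. It assumes containers are identified by image repository name (the page does not say how they are matched); it uses locally named event macros so it neither depends on nor shadows the inbound, spawned_process and open_read macros from falco_rules.yaml; and it scopes the read-only rule to the kube-dashboard container, because /public is the static-asset directory of the dashboard image (an assumption; the page shows only the prefix).

```yaml
# Added example, not the project's rule file. Containers are matched by image
# repository name (assumption); allowlists are the ones listed on the page.

# Event macros with local names so they do not shadow falco_rules.yaml.
- macro: k8s_inbound
  condition: >
    evt.type in (accept, listen) and evt.dir=< and evt.rawres >= 0
    and fd.l4proto = tcp
- macro: k8s_spawned_process
  condition: evt.type = execve and evt.dir=<
- macro: k8s_open_read
  condition: >
    evt.type in (open, openat) and evt.dir=< and fd.typechar = 'f'
    and evt.is_open_read = true and evt.is_open_write = false

# Which component container the event comes from (assumption: image name).
- macro: kube_apiserver_container
  condition: container.image.repository endswith "/kube-apiserver"
- macro: kube_controller_container
  condition: container.image.repository endswith "/kube-controller-manager"
- macro: kube_dashboard_container
  condition: container.image.repository endswith "/kubernetes-dashboard"
- macro: kube_dns_container
  condition: container.image.repository endswith "/kube-dns"
- macro: kube_scheduler_container
  condition: container.image.repository endswith "/kube-scheduler"

# Allowlists from the page. proc.name is the executable basename, so the
# page's /dashboard and /kube-dns become dashboard and kube-dns here.
- list: kube_apiserver_ports
  items: [6443]
- list: kube_controller_ports
  items: [10252]
- list: kube_dashboard_ports
  items: [8443]
- list: kube_dns_ports
  items: [10053, 10055, 8081]
- list: kube_scheduler_ports
  items: [10251]
- list: kube_apiserver_procs
  items: [kube-apiserver]
- list: kube_controller_procs
  items: [kube-controller-manager]
- list: kube_dashboard_procs
  items: [dashboard]
- list: kube_dns_procs
  items: [kube-dns]
- list: kube_scheduler_procs
  items: [kube-scheduler]
- list: kube_dashboard_readonly_prefixes
  items: [/public]

- rule: Unexpected inbound tcp connection to Kubernetes component
  desc: Inbound TCP connection to a component container on a port outside its expected set
  condition: >
    k8s_inbound and (
      (kube_apiserver_container and not fd.sport in (kube_apiserver_ports)) or
      (kube_controller_container and not fd.sport in (kube_controller_ports)) or
      (kube_dashboard_container and not fd.sport in (kube_dashboard_ports)) or
      (kube_dns_container and not fd.sport in (kube_dns_ports)) or
      (kube_scheduler_container and not fd.sport in (kube_scheduler_ports)))
  output: >
    Inbound connection to Kubernetes component on unexpected port
    (connection=%fd.name sport=%fd.sport command=%proc.cmdline pid=%proc.pid
    user=%user.name %container.info image=%container.image.repository)
  priority: NOTICE
  tags: [network, k8s]

- rule: Unexpected process spawned in Kubernetes component
  desc: A process started in a component container that is not in its expected set
  condition: >
    k8s_spawned_process and (
      (kube_apiserver_container and not proc.name in (kube_apiserver_procs)) or
      (kube_controller_container and not proc.name in (kube_controller_procs)) or
      (kube_dashboard_container and not proc.name in (kube_dashboard_procs)) or
      (kube_dns_container and not proc.name in (kube_dns_procs)) or
      (kube_scheduler_container and not proc.name in (kube_scheduler_procs)))
  output: >
    Unexpected process spawned in Kubernetes component
    (command=%proc.cmdline pid=%proc.pid parent=%proc.pname user=%user.name
    %container.info image=%container.image.repository)
  priority: NOTICE
  tags: [process, k8s]

# pmatch compares whole path components, so /public/index.html matches the
# /public prefix but /publicity does not (startswith would match both).
- rule: Unexpected read-only file access in kube-dashboard
  desc: Read-only open of a file outside the expected directory prefixes
  condition: >
    k8s_open_read and kube_dashboard_container
    and not fd.name pmatch (kube_dashboard_readonly_prefixes)
  output: >
    Unexpected read-only file access in kube-dashboard
    (file=%fd.name command=%proc.cmdline pid=%proc.pid user=%user.name
    %container.info image=%container.image.repository)
  priority: NOTICE
  tags: [filesystem, k8s]
```

Load it alongside the default rules (falco -r falco_rules.yaml -r this_file.yaml) and validate with falco -L before deploying. The per-container allowlists are the tuning point: any port, process or path that a legitimate component version adds goes into the matching list, and the rule stays unchanged.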