Chapter 5. Runtime Detection with Falco

Why this step

Admission policies reject risky manifests before they are scheduled, but a pod that passed admission can still be compromised once it is running: a stolen credential, a web shell, or a vulnerable library does not change the manifest. Falco closes that gap at runtime. It receives syscalls from the kernel (through its kernel module or eBPF probe), enriches them with container and Kubernetes metadata, evaluates them against rules, and emits an alert when a process does something a rule considers suspicious.

Install Falco

make falco-install
kubectl -n falco get pods

Add a simple rule (no interactive shells)

Ensure this file exists:

falco/rules.d/no-shell.yaml

(Already provided in the repo plan: the rule fires when /bin/sh, /bin/bash or /bin/zsh is executed inside a container, not on the node itself.)

Load the custom rules the way the Falco Helm chart expects: the chart's values render your rules.d/ files into a ConfigMap that is mounted into every Falco pod under /etc/falco/rules.d, where Falco loads them alongside the default ruleset. You can skip this on the first run: the default ruleset already ships a "Terminal shell in container" rule, so the kubectl exec test below produces an alert either way. Loading your own file is what proves the custom rules path works.

Generate an alert

Open a shell inside your app container:

kubectl -n ship exec -it deploy/app -- sh
exit

Tail logs:

make falco-logs

Export the last 10 minutes as evidence:

make falco-export
# -> artifacts/falco-last10m.log
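The two steps above (write and load the rule, then trigger and export the alert) as one script. This is an added example, not code from the course repo or from the Falco project. It assumes the Helm release is named falco in namespace falco (matching the cleanup step), that it was installed from the falcosecurity/falco chart, which exposes a customRules values key and labels its pods app.kubernetes.io/name=falco, and that the app is deploy/app in namespace ship; the file names falco/values-custom-rules.yaml, the function names and the rule name are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the course repo or the Falco project.
# Assumptions: the Helm release is "falco" in namespace "falco" (as in the
# cleanup step), installed from the falcosecurity/falco chart, which exposes
# a customRules values key and labels its pods app.kubernetes.io/name=falco;
# the app is deploy/app in namespace "ship".
set -eu

RULES_DIR="falco/rules.d"
VALUES_FILE="falco/values-custom-rules.yaml"
EVIDENCE="artifacts/falco-last10m.log"
ALERT_TEXT="Interactive shell spawned in container"

# Write the rule file. The condition is spelled out instead of relying on the
# default ruleset's spawned_process/container macros, so the file stands alone.
# proc.name is matched rather than proc.exepath because on Alpine images
# /bin/sh resolves to /bin/busybox. proc.tty != 0 limits the rule to
# interactive shells; kubectl exec -it allocates a TTY, so it fires.
write_no_shell_rule() {
  cat > "$1" <<'EOF'
- rule: Interactive shell in container
  desc: An interactive shell (sh, bash or zsh) was started inside a container
  condition: >
    evt.type in (execve, execveat) and evt.dir = <
    and container.id != host
    and proc.name in (sh, bash, zsh)
    and proc.tty != 0
  output: >
    Interactive shell spawned in container
    (user=%user.name ns=%k8s.ns.name pod=%k8s.pod.name
    container=%container.name image=%container.image.repository
    cmd=%proc.cmdline parent=%proc.pname)
  priority: WARNING
  tags: [container, shell, runtime]
EOF
}

# Render every *.yaml in a rules directory as the chart's customRules map.
# The chart turns this map into a ConfigMap mounted at /etc/falco/rules.d.
render_custom_rules_values() {
  local dir="$1" f
  echo "customRules:"
  for f in "$dir"/*.yaml; do
    [ -e "$f" ] || continue
    echo "  $(basename "$f"): |"
    sed 's/^/    /' "$f"
  done
}

# Apply the values to the existing release, keeping whatever values
# make falco-install set, and wait for the DaemonSet to roll.
load_custom_rules() {
  helm upgrade --install falco falcosecurity/falco -n falco \
    --reuse-values -f "$VALUES_FILE"
  kubectl -n falco rollout status ds/falco
}

# Collect the last 10 minutes from every Falco pod into the evidence file
# (the same path the make falco-export target is described as writing) and
# confirm the alert is in it. The output text is present in both the plain
# and the JSON log formats, so the grep works for either.
export_falco_evidence() {
  mkdir -p "$(dirname "$EVIDENCE")"
  kubectl -n falco logs -l app.kubernetes.io/name=falco \
    --all-containers --prefix --since=10m > "$EVIDENCE"
  if grep -q "$ALERT_TEXT" "$EVIDENCE"; then
    echo "alert captured in $EVIDENCE"
  else
    echo "no '$ALERT_TEXT' alert in the last 10 minutes" >&2
    return 1
  fi
}

case "${1:-setup}" in
  setup)
    mkdir -p "$RULES_DIR"
    write_no_shell_rule "$RULES_DIR/no-shell.yaml"
    render_custom_rules_values "$RULES_DIR" > "$VALUES_FILE"
    # Cluster steps only run where helm and kubectl exist, so the file
    # generation above can be exercised on any machine.
    if command -v helm >/dev/null 2>&1 && command -v kubectl >/dev/null 2>&1; then
      load_custom_rules
    fi
    echo "rule written to $RULES_DIR/no-shell.yaml, values in $VALUES_FILE"
    echo "trigger: kubectl -n ship exec -it deploy/app -- sh   (then type exit)"
    echo "then:    $0 export"
    ;;
  export) export_falco_evidence ;;
  *) echo "usage: $0 [setup|export]" >&2; exit 2 ;;
esac
```

Run it once with no arguments to write the rule and push it into the release, open the shell with the page's kubectl exec command, then run it again with export. Because the custom file is loaded next to the default ruleset, the exec will also trip the built-in "Terminal shell in container" rule, so expect two lines for one shell. Dropping proc.tty != 0 makes the rule catch non-interactive shells too (sh -c from a dropper, for example), at the cost of alerting on every image whose entrypoint is a shell script; if the cluster has more than five nodes, add --max-log-requests to the kubectl logs call or it will refuse to stream from all pods.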

Cleanup

helm -n falco uninstall falco
kubectl delete ns falco

Checklist

  • Falco installed; you saw logs from the DaemonSet
  • Entering a container shell produced an alert
  • artifacts/falco-last10m.log saved