Securing your cluster at build and deploy time isn’t enough. Runtime security monitors container behavior while workloads are running, so you can detect and respond to threats in real time.
Why Runtime Security?
Even with perfect image scanning and admission control:
- Zero-day vulnerabilities exist
- Attackers may exploit application logic
- Legitimate containers can be compromised
Falco: Cloud-Native Runtime Security
Falco inspects system calls (collected by a kernel module or an eBPF probe) and matches them against rules to detect anomalous activity:

```bash
# Install with Helm
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco
```

Default Rules
Falco ships with a default ruleset that detects, among other things:
- Shell spawned in container
- Sensitive file access
- Unexpected network connections
- Privilege escalation attempts
Custom Rules
```yaml
# spawned_process is a macro from Falco's default ruleset, so this file
# must be loaded alongside the default rules (e.g. via customRules in the Helm chart).
- rule: Detect Cryptocurrency Mining
  desc: Detect crypto mining processes
  condition: >
    spawned_process and
    (proc.name in (xmrig, minerd, cpuminer) or
     proc.cmdline contains "stratum+tcp")
  output: >
    Cryptocurrency miner detected
    (user=%user.name command=%proc.cmdline container=%container.name)
  priority: CRITICAL
```

Responding to Threats
Alert Integration
```yaml
# falco.yaml: emit events as JSON and forward them to Falcosidekick,
# which does the routing to chat, paging and ticketing systems
json_output: true
http_output:
  enabled: true
  url: http://falcosidekick:2801/

# Falcosidekick config.yaml: an output becomes active once its endpoint is set
alertmanager:
  hostport: http://alertmanager:9093
slack:
  webhookurl: https://hooks.slack.com/services/XXX
```

Automated Response
Use Falcosidekick to forward events to a responder (a webhook or serverless function) that can:
- Kill the pod
- Quarantine with network policy
- Create incident ticket
- Capture forensic data
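The responder described above, as an added example that is not Falco's or Falcosidekick's own code: it receives a Falco event (the JSON shape Falco emits with json_output enabled, which Falcosidekick can relay through its webhook output), files a ticket for every event, and for events at or above CRITICAL that carry Kubernetes pod fields it plans a quarantine: label the pod, apply a deny-all NetworkPolicy that selects only that label, and capture forensic data before anything is killed. The sample events are constructed, the action dicts and the quarantine label are hypothetical conventions of this responder, and enforcement of the NetworkPolicy assumes a CNI that supports it.

```python
"""Responder for Falco alerts (added example, not part of Falco or Falcosidekick)."""
import json

# Falco priorities, most severe first; events ranked at or above QUARANTINE_AT
# get isolated, everything else only gets a ticket.
PRIORITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
              "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"]
QUARANTINE_AT = "CRITICAL"


def priority_rank(priority):
    """Lower rank means more severe. Falco emits e.g. 'Critical', hence upper()."""
    return PRIORITIES.index(priority.upper())


def quarantine_policy(namespace, pod_name):
    """Deny-all NetworkPolicy for one pod.

    It selects the hypothetical label quarantine=<pod> that the responder adds,
    so other pods in the namespace are unaffected. Listing both policy types with
    no ingress/egress rules denies traffic in both directions.
    """
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"quarantine-{pod_name}", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"quarantine": pod_name}},
            "policyTypes": ["Ingress", "Egress"],
        },
    }


def plan_response(event):
    """Turn one Falco event dict into an ordered list of action dicts."""
    fields = event.get("output_fields", {})
    namespace = fields.get("k8s.ns.name")
    pod = fields.get("k8s.pod.name")
    actions = [{"action": "ticket", "rule": event["rule"],
                "priority": event["priority"], "output": event.get("output", "")}]
    severe = priority_rank(event["priority"]) <= priority_rank(QUARANTINE_AT)
    if severe and namespace and pod:
        actions.append({"action": "label", "namespace": namespace, "pod": pod,
                        "label": {"quarantine": pod}})
        actions.append({"action": "apply", "manifest": quarantine_policy(namespace, pod)})
        # Capture state (logs, process list) while the pod still exists;
        # deleting it first would destroy the evidence.
        actions.append({"action": "capture", "namespace": namespace, "pod": pod})
    return actions


def handle_webhook(body):
    """Entry point for a Falcosidekick webhook POST body (JSON text)."""
    return plan_response(json.loads(body))


# Constructed sample events in Falco's JSON output shape (not captured from a cluster).
SAMPLE_EVENTS = [
    {"rule": "Detect Cryptocurrency Mining", "priority": "Critical",
     "output": "Cryptocurrency miner detected (user=root command=xmrig ...)",
     "output_fields": {"k8s.ns.name": "payments", "k8s.pod.name": "api-7d9f",
                       "proc.cmdline": "xmrig -o stratum+tcp://pool.example:3333"}},
    {"rule": "Terminal shell in container", "priority": "Notice",
     "output": "A shell was spawned in a container (user=dev ...)",
     "output_fields": {"k8s.ns.name": "dev", "k8s.pod.name": "debug-1"}},
]


def demo():
    """Plan responses for the sample events; returns {rule: [action names]}."""
    return {e["rule"]: [a["action"] for a in plan_response(e)] for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(json.dumps(plan_response(event), indent=2))
```

The order of the planned actions matters: the capture step runs before any kill so that the evidence the forensic step needs is still there, and the policy selects a label rather than the pod name so the same manifest shape works for any workload.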
Other Runtime Security Tools
Tetragon
eBPF-based security observability:
```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: monitor-sensitive-files
spec:
  kprobes:
  - call: "fd_install"
    syscall: false        # fd_install is a kernel function, not a syscall
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"        # typed as file so the selector can match on the path
    selectors:
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/shadow"
```

Sysdig Secure
Commercial platform with deep container visibility.
Best Practices
- Start with default rules, then customize
- Tune to reduce false positives
- Test detection with attack simulations
- Have runbooks for common alerts
- Practice incident response
Runtime security is your last line of defense against attacks.