Falco with Roost - Runtime Security for K8s
Enable/Disable Falco for Local and Remote Clusters
Click on the Menu Bar -- Cluster > Cluster Management.
Or you can use the Roost Quick Access Toolbar on right side to view Cluster Management
Click on the cluster for which Falco is needed.
Switch to Third Party Tools tab ,click on the edit option [which is in the top right corner],toggle the button against the Falco Security to enable/disable Falco ,and then click on save.
To install or uninstall Falco it takes a few minutes (up to 5 minutes)
The falco (un)install logs are visible in the bottom pane (terminal) or can be accessed using Roost Toolbar “Logs” icon
Security Events
Click on the Menu Bar -- Security > Runtime Security Events, to view falco security events.
Falco Dashboard
Roost Falco Dashboard consists of three elements:
Rule Library:
Rule Library tab consists of default and custom rules that are applied to a cluster.
The help icon on the top right corner is a quick guide to Falco.
Users can configure (Enable / Disable) these rules by clicking on the configure rules button.
After configuring the rules click on the Save button to save the changes.
To apply the changes click on the Update Falco button to update falco pods.
Users can also create their own custom rules by clicking on the add rules button.
Users can also edit the custom rules as well as delete the custom rules.
Macros:
Falco Macros tab consists of default and custom macros.
Users can also create their own custom macros by clicking on the add macros button.
Users can also append to the default macro and also edit them. Users can also edit custom macros as well as delete them.
Lists:
Falco Lists tab consists of default and custom lists.
Users can also create their own custom lists by clicking on the add lists button.
Users can also append to the default lists and also edit them. Users can also edit custom lists as well as delete them.
Grafana Dashboard
User can view grafana dashboard by clicking Grafana Dashboard button in Falco dashboard page.