Security Monitoring
Dynamic Security Controls
Falco Runtime Security
apiVersion: falco.security.dev/v1beta1
kind: FalcoRule
metadata:
name: detect-privilege-escalation
spec:
output: Privilege escalation detected (user=%user.name container=%container.name command=%proc.cmdline)
rule: >
spawned_process and container and
proc.name in (sudo, su) and
not proc.name in (usermod, groupmod, chown)
Audit Policy Configuration
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: RequestResponse
resources:
- group: ""
resources: ["pods", "services", "secrets"]
- level: Metadata
resources:
- group: "rbac.authorization.k8s.io"
resources: ["roles", "clusterroles"]
Monitoring Stack Integration
Prometheus Rules
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: security-alerts
spec:
groups:
- name: security
rules:
- alert: PodPrivilegedMode
expr: kube_pod_container_status_running{container!=""} * on(pod,namespace) group_left kube_pod_security_context{privileged="true"} > 0
for: 5m
labels:
severity: warning
annotations:
summary: Pod running in privileged mode detected
Grafana Dashboard Example
{
"title": "Kubernetes Security Overview",
"panels": [
{
"title": "Failed Authentication Attempts",
"type": "timeseries",
"targets": [
{
"expr": "sum(rate(apiserver_failed_auth_count[5m])) by (reason)"
}
]
}
]
}
Security Response Automation
Automated Response with Kubectl-Kuberhealthy
apiVersion: comcast.github.io/v1
kind: KuberhealthyCheck
metadata:
name: security-response
spec:
runInterval: 5m
timeout: 10m
podSpec:
containers:
- name: security-check
image: security-checker:latest
env:
- name: CHECK_NAMESPACE
value: "kube-system"
Best Practices
Real-time Monitoring
Enable Kubernetes audit logging
Use Falco for runtime security
Implement automated responses
Compliance Controls
Regular compliance scans
Automated policy enforcement
Audit trail maintenance
Incident Response
Automated containment
Evidence collection
Playbook automation
Metrics Collection
Security KPIs
Compliance metrics
Performance impact
Last updated