---
title: "Response Engine with Kubeless"
weight: 072
chapter: true
---

# Response Engine with Kubeless

In this step you'll configure Falco to trigger automated reactions to events.

You can configure security playbooks to be applied as FaaS based on Falco events. This might include:

- Taint a node NoSchedule
- Isolate pod via Network Policy
- Delete offending pod
- Scale down deployment to 0 pods
- Trigger a Sysdig capture
- Send notifications

To proceed, first install Kubeless:

```bash
export RELEASE=$(curl -s https://api.github.com/repos/kubeless/kubeless/releases/latest | grep tag_name | cut -d '"' -f 4)
kubectl create ns kubeless
kubectl create -f https://github.com/kubeless/kubeless/releases/download/$RELEASE/kubeless-$RELEASE.yaml
```

You need to specify a new output for Falcosidekick (see the last two options provided):

```bash
helm upgrade falco \
  --namespace falco \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set falco.jsonOutput=true \
  --set falco.httpOutput.enabled=true \
  --set falco.httpOutput.url=http://falcosidekick:2801 \
  --set auditLog.enabled=true \
  --set falcosidekick.config.kubeless.namespace=kubeless \
  --set falcosidekick.config.kubeless.function=delete-pod \
  falcosecurity/falco
```

Finally, check that Kubeless is enabled as an output:

```bash
kubectl logs deployment/falco-falcosidekick -n falco
```

The skeleton is now in place; you just need to grant permissions to execute the action and define the action (the function).

## RBAC permissions

In order for the serverless function to be able to delete a pod in any namespace, create a ServiceAccount with the required permissions:

```
cat <=12.0.1
  function-content-type: text
  function: |-
    from kubernetes import client,config

    config.load_incluster_config()

    def delete_pod(event, context):
        # .get() avoids a KeyError when a field is absent from the event
        rule = event['data'].get('rule')
        output_fields = event['data'].get('output_fields')

        if rule and rule == "Terminal shell in container" and output_fields:
            if output_fields.get('k8s.ns.name') and output_fields.get('k8s.pod.name'):
                pod = output_fields['k8s.pod.name']
                namespace = output_fields['k8s.ns.name']
                print(f"Deleting pod \"{pod}\" in namespace \"{namespace}\"")
                client.CoreV1Api().delete_namespaced_pod(name=pod, namespace=namespace, body=client.V1DeleteOptions())
  handler: delete-pod.delete_pod
  runtime: python3.7
  deployment:
    spec:
      template:
        spec:
          serviceAccountName: falco-pod-delete
EOF
```

Now you should see the Kubeless function running, with the service `delete-pod` available on port 8080:

```bash
kubectl get svc -n kubeless
```

## Try it!

Create a pod:

```
kubectl run alpine \
  -n default \
  --image=alpine \
  --restart='Never' \
  -- sh -c "sleep 600"
```

and run a shell inside it:

```
kubectl exec -i --tty alpine -n default -- sh -c "uptime"
```

You should see that its status is now `Terminating`.

---

You have completed the last step!
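
The `delete_pod` function above runs under a ServiceAccount that can delete pods in any namespace, so the checks inside the handler are the only gate on what it removes. As an added example (not part of the original workshop code), the pre-check below decides what to do with an event before any API call is made; the `plan_response` and `make_event` names and the protected-namespace list are assumptions.

```python
import re

TRIGGER_RULE = "Terminal shell in container"  # rule the page's function reacts to
# Assumption (not from the page): namespaces the playbook must never act on.
PROTECTED_NAMESPACES = frozenset({"kube-system", "kubeless", "falco"})

# Kubernetes naming: namespaces are DNS-1123 labels, pod names DNS-1123 subdomains.
_LABEL = r"[a-z0-9]([-a-z0-9]*[a-z0-9])?"
NAMESPACE_RE = re.compile(rf"{_LABEL}\Z")
POD_RE = re.compile(rf"{_LABEL}(\.{_LABEL})*\Z")


def plan_response(event):
    """Return (action, pod, namespace, reason); never raises on malformed input."""
    data = event.get("data") if isinstance(event, dict) else None
    if not isinstance(data, dict):
        return ("ignore", None, None, "no data payload")
    if data.get("rule") != TRIGGER_RULE:
        return ("ignore", None, None, "rule not handled")
    fields = data.get("output_fields")
    if not isinstance(fields, dict):
        return ("ignore", None, None, "no output_fields")
    pod, ns = fields.get("k8s.pod.name"), fields.get("k8s.ns.name")
    if not isinstance(pod, str) or not isinstance(ns, str):
        return ("ignore", None, None, "pod or namespace missing")
    if len(ns) > 63 or not NAMESPACE_RE.match(ns):
        return ("ignore", None, None, "invalid namespace name")
    if len(pod) > 253 or not POD_RE.match(pod):
        return ("ignore", None, None, "invalid pod name")
    if ns in PROTECTED_NAMESPACES:
        return ("skip", pod, ns, "protected namespace")
    return ("delete", pod, ns, "rule matched")


def make_event(rule, pod, ns):
    """Build a constructed event in the shape the page's handler reads."""
    return {"data": {"rule": rule, "output_fields": {"k8s.pod.name": pod, "k8s.ns.name": ns}}}


if __name__ == "__main__":
    samples = [  # constructed inputs, not captured from a cluster
        make_event(TRIGGER_RULE, "alpine", "default"),
        make_event(TRIGGER_RULE, "coredns-abc12", "kube-system"),
        make_event(TRIGGER_RULE, "<NA>", "default"),
        make_event("Some other rule", "alpine", "default"),
        {"data": {"rule": TRIGGER_RULE}},
    ]
    for sample in samples:
        print(plan_response(sample))
```

Only a `delete` result should reach `delete_namespaced_pod`; logging the `reason` for the other outcomes leaves a record of events the function declined to act on.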