Present Sysdig's Falco to TOC about toc HOT 13 CLOSED

Linking the project proposal and project presentation to this issue.

Falco Project Proposal

Falco Presentation

from toc.

@mfdii we could potentially doing something in late March or April, right now presentations on are hold until the TOC finalizing the new sandbox project process.

Can you share some more details? Is this the GitHub repo? https://github.com/draios/falco/

It's under GPLv2 currently, is there any plans to make it ALv2?

from toc.

We are currently talking internally about licensing. That should be resolved soon and we are aware that we need to change the license if we were to participate in the CNCF as a project on any level.

Expanding a bit on Falco, we see it fitting nicely with Kubernetes to provide runtime security. Falco essentially works as an intrusion detection system. You deploy it across a Kubernetes cluster as a DaemonSet and then Falco creates an event stream of system calls for each Node. Falco applies rules to this event stream to detect abnormal behavior. Falco currently has around 25 rules for things like binaries being modified under bin directories, shells spawned in running containers, attempting to change namespace by a container. If a rule is violated, an alert is triggered. Currently, the alert can be sent to stdout, syslog, a file, or spawn a command.

What we are interested in talking with the TOC about is how well they see Falco fit into the CNCF ecosystem, validation or correction in regards to our approach, and learning what integration points in the CNCF ecosystem might make the most sense. We also want to share what our future roadmap looks like and validate if that’s in line with where the TOC sees the CNCF headed. Longer term, we’d love to see Falco as a CNCF project (inception, incubation, etc), but shorter term we want to understand where we would fit, and what we need to do move through the CNCF project stages.

Let us know what date the TOC would be interested in us presenting.

from toc.

@caniszczyk Chris, I see the Sandbox process has been finalized. Would it be possible to get on the TOC meeting for April 17th?

from toc.

@mfdii I need to find a @cncf/toc member to support you presenting first + I have a concern presenting a technology that is GPLv2, are there plans to move to the ALv2 any time soon?

from toc.

@caniszczyk We are reviewing what it will take to move to ALv2. We aren't opposed to it, it's just that there's shared code between Faclo, and the Sysdig OSS project.

Right now Falco uses the Sysdig kernel module as it's source of data. This module is GPLv2. In theory Falco can use another source for its data stream, the Sysdig module could be one of many sources.

It would be useful to talk to an interested @cncf/toc member so we can explain the architecture and get an idea of what we would need to do (move Falco to ALv2 and make the data sources more pluggable, or move Sysdig and Falco to ALv2, or option 3 we haven't considered).

@ldegio, feel free to add more info.

from toc.

Scheduled to July 14th

from toc.

fwiw: I tried Falco recently on GKE and tied it to kubeless using NATS. Easy setup, ability to define custom security rules. It would benefit from a strong integration to NATS but it would make a nice security addition to the sandbox.

from toc.

@caniszczyk
July 14 is a Saturday

from toc.

@bgrant0607 yes you're right, calendar entry was right my typing was wrong

dd29bde

from toc.

Hello, product lead from cloud.gov here! I presented on the cloud.gov team's (afaik) novel use of Falco to implement dynamic behavior monitoring in cloud.gov, a Cloud Foundry Certified Platform. It would be great to see Falco included in the CNCF activity which has already led to closer collaboration between the k8s and Cloud Foundry communities around runC, OSBAPI, etc. All of this open source activity helps us more cost-effectively run secure services for the public.

from toc.

Please confirm this is actually the 17th and not the 14th.
Would be excited to see this happen, thanks.

from toc.

from toc.