The Deckhouse Virtualization Platform (DVP) security event audit is based on the Falco threat detection system. Deckhouse deploys Falco agents on each node as part of a DaemonSet. Once started, the agents begin collecting OS system calls and Kubernetes audit data.

Falco developers recommend running it as a systemd service, which can be challenging in Kubernetes clusters that support autoscaling. DVP includes additional security mechanisms such as multitenancy and resource control policies. Combined with the DaemonSet deployment, these mechanisms ensure a high level of protection.

Falco agents on DVP cluster nodes

Each cluster node runs a Falco Pod with the following components:

  • falco: Collects events, enriches them with metadata, and outputs them to stdout.
  • rules-loader: Retrieves rule data from FalcoAuditRules custom resources and stores them in a shared directory.
  • falcosidekick: Receives events from falco and exports them as metrics to external systems.
  • kube-rbac-proxy: Protects the falcosidekick metrics endpoint from unauthorized access.

Falco Pod components

Audit rules

Security event analysis is performed using rules that define suspicious behavior patterns. Each rule consists of a condition expression written in accordance with Falco’s condition syntax.

Built-in rules

DVP provides the following types of built-in rules:

  • Kubernetes audit rules: Help detect security issues in DVP and in the audit mechanism itself. These rules are located in the falco container at /etc/falco/k8s_audit_rules.yaml.

Custom rules

Custom rules can be defined using the FalcoAuditRules custom resource.

Each Falco agent includes a sidecar container with a shell-operator instance. This instance reads rules from Kubernetes resources, converts them into Falco rule format, and stores them in the /etc/falco/rules.d/ directory inside the Pod. When a new rule is added, Falco automatically reloads the configuration.

Shell-operator handling Falco rules