Skip to content

feat(lab9): Falco runtime detection + Conftest hardening#1441

Open
prudenz1 wants to merge 1 commit into
inno-devops-labs:mainfrom
prudenz1:feature/lab9
Open

feat(lab9): Falco runtime detection + Conftest hardening#1441
prudenz1 wants to merge 1 commit into
inno-devops-labs:mainfrom
prudenz1:feature/lab9

Conversation

@prudenz1

@prudenz1 prudenz1 commented Jul 9, 2026

Copy link
Copy Markdown

Goal

Run Falco with modern eBPF for runtime detection, write custom Falco rules, and gate Kubernetes manifests with Conftest/Rego policies at CI time (Lab 9).

Changes

  • submissions/lab9.md β€” Falco alerts + Conftest results + tuning/analysis
  • labs/lab9/falco/rules/custom-rules.yaml β€” custom /tmp write rule + cryptominer bonus rule
  • labs/lab9/policies/extra/hardening.rego β€” 5 Conftest hardening policies
  • labs/lab9/manifests/good-pod.yaml, bad-pod-runasroot.yaml, bad-pod-no-resources.yaml β€” pass/fail test cases

Testing

# Falco baseline + custom alerts (with -o rule_matching=all on WSL2)
docker exec -t lab9-target /bin/sh -lc 'echo "shell-in-container test"'
docker exec --user 0 lab9-target /bin/sh -lc 'echo "test" > /tmp/my-write.txt'

# Conftest
conftest test labs/lab9/manifests/good-pod.yaml --policy labs/lab9/policies/extra/
conftest test labs/lab9/manifests/bad-pod-runasroot.yaml --policy labs/lab9/policies/extra/
conftest test labs/lab9/manifests/bad-pod-no-resources.yaml --policy labs/lab9/policies/extra/

Observed: Terminal shell + Drop-and-execute + custom /tmp rule fired; good manifest 0 failures, bad manifests denied.

Artifacts

  • submissions/lab9.md
  • labs/lab9/falco/rules/custom-rules.yaml
  • labs/lab9/policies/extra/hardening.rego

Checklist

  • Title is clear (feat(labN): <topic> style)
  • No secrets/large temp files committed
  • Submission file at submissions/lab9.md exists

Lab 9 Progress

  • Task 1 β€” 2 baseline + 1 custom Falco alert with tuning discussion
  • Task 2 β€” β‰₯3 Conftest rules, passing on good manifest, failing on bad
  • Bonus β€” Cryptominer detection rule with triggered alert

Runtime detection with Falco (baseline + custom /tmp rule + cryptominer
bonus) and Conftest Rego policies gating K8s hardening at CI time.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant