@Issif
Last active June 24, 2024 17:26

Talos

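# Machine-config patch applied to every node of the Talos cluster created below.
# The heredoc delimiter is quoted so the YAML is written verbatim: nothing in it
# is subject to shell parameter expansion.
cat << 'EOF' > patch.yaml
cluster:
  proxy:
    # kube-proxy is not deployed: Cilium is installed afterwards with
    # kubeProxyReplacement enabled and takes over that role.
    disabled: true
  network:
    cni:
      # No built-in CNI; Cilium is installed by hand in the next step.
      # Until then the nodes cannot become Ready (see the warning below).
      name: none
  apiServer:
    admissionControl:
      - name: PodSecurity
        configuration:
          exemptions:
            namespaces:
              # An exempted namespace is skipped by Pod Security admission
              # completely (enforce, audit and warn). Falco is deployed into
              # this namespace below; keep the exemption this narrow.
              - falco
EOF
# Two worker nodes; give the cluster up to five minutes to come up.
talosctl cluster create --workers 2 --config-patch @patch.yaml --wait-timeout 5m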

Warning

The etcd cluster will not appear and will not be running; this is normal for now, because the installation of a CNI was disabled.

# Fetch the kubeconfig from node 10.5.0.2 and overwrite any existing local one.
talosctl kubeconfig --nodes 10.5.0.2 --force

Cilium

helm repo add cilium https://helm.cilium.io/
helm repo update
# Cilium values. The delimiter is quoted: the YAML below contains nothing the
# shell should expand, and quoting keeps it that way if it is edited later.
cat > cilium.yaml << 'EOF'
ipam:
  mode: kubernetes
# Cilium replaces kube-proxy, which the Talos patch above left disabled.
kubeProxyReplacement: true
cgroup:
  autoMount:
    enabled: false
  hostRoot: /sys/fs/cgroup
# Direct API-server endpoint for the agent (there is no kube-proxy to route
# through the Service VIP); localhost:7445 is Talos's local API-server
# endpoint (KubePrism).
k8sServiceHost: localhost
k8sServicePort: 7445
# Explicit capability sets instead of a fully privileged container.
# These follow the Cilium-on-Talos guidance; confirm against the Cilium
# documentation for the chart version you deploy.
securityContext:
  capabilities:
    ciliumAgent:
      - CHOWN
      - KILL
      - NET_ADMIN
      - NET_RAW
      - IPC_LOCK
      - SYS_ADMIN
      - SYS_RESOURCE
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    cleanCiliumState:
      - NET_ADMIN
      - SYS_ADMIN
      - SYS_RESOURCE
EOF
helm upgrade -i cilium cilium/cilium -n kube-system -f cilium.yaml

Falco

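helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
# Falco values. The closing delimiter must sit at column 0: the original
# ' EOF' (leading space) never terminates the heredoc, so the helm command
# below ends up inside falco.yaml and is never executed. The delimiter is
# quoted so nothing in the YAML is shell-expanded.
cat << 'EOF' > falco.yaml
driver:
  enabled: true
  # CO-RE eBPF probe: nothing is compiled or loaded as a kernel module on the
  # Talos nodes.
  kind: modern_ebpf

# presumably allocates a tty for the falco container so output is flushed
# line by line — confirm against the chart
tty: true

collectors:
  enabled: true

controller:
  kind: daemonset

falcosidekick:
  enabled: true
  replicaCount: 1
  webui:
    enabled: true
    replicaCount: 1
    redis:
      # No persistent volume: the event history is lost when redis restarts.
      storageEnabled: false
    service:
      # NodePort exposes the UI on every node at :30128 (see "Webui" below).
      # The UI is reached with admin/admin, so change those credentials
      # before anyone else can reach the node port.
      type: NodePort
      port: 2802
      targetPort: 2802
      nodePort: 30128

falcoctl:
  artifact:
    install:
      enabled: true
    follow:
      enabled: true
  config:
    artifact:
      install:
        refs:
          - falco-rules:latest
          - falco-incubating-rules:latest
          - falco-sandbox-rules:latest
          - k8saudit-rules:latest
      follow:
        # ':latest' is tracked continuously, so the active rule set changes
        # whenever upstream publishes, without a redeploy. Pin versions if
        # detection coverage has to be reproducible.
        refs:
          - falco-rules:latest
          - falco-incubating-rules:latest
          - falco-sandbox-rules:latest
          - k8saudit-rules:latest

services:
  # ClusterIP in front of the k8saudit plugin listener (open_params below);
  # fluent-bit posts the API-server audit log to it. Plain HTTP with no
  # authentication: anything on the cluster network that can reach the
  # Service can submit events, so consider a NetworkPolicy limiting sources.
  - name: k8saudit-webhook
    type: ClusterIP
    ports:
      - port: 9765
        targetPort: 9765
        protocol: TCP
        name: http

customRules:
  # Each entry replaces the 'enabled' field of an upstream rule to silence
  # it. Every rule disabled here is detection coverage given up; revisit
  # once the source of the noise is understood.
  override-rules.yaml: |-
    - rule: Contact EC2 Instance Metadata Service From Container
      enabled: false
      override:
        enabled: replace
    - rule: Change thread namespace
      enabled: false
      override:
        enabled: replace
    - rule: Modify binary dirs
      enabled: false
      override:
        enabled: replace
    - rule: BPF Program Not Profiled
      enabled: false
      override:
        enabled: replace
    - rule: Write below root
      enabled: false
      override:
        enabled: replace
    - rule: Write below binary dir
      enabled: false
      override:
        enabled: replace
    - rule: Unexpected UDP Traffic
      enabled: false
      override:
        enabled: replace

falco:
  # Order matters: later files can override earlier ones. The file names must
  # match what falcoctl installs for the refs above; rules.d is where the
  # chart places the customRules entries — confirm for your chart version.
  rules_file:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/falco-incubating_rules.yaml
    - /etc/falco/falco-sandbox_rules.yaml
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/rules.d
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so
      init_config: ""
      # Listens on all interfaces inside the pod; port and path match the
      # Service above and the fluent-bit http output.
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so
      init_config: ""
  load_plugins: [k8saudit, json]
EOF
helm upgrade -i falco falcosecurity/falco -n falco -f falco.yaml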

Fluent-bit

helm repo add fluent https://fluent.github.io/helm-charts
helm repo update
# Fluent Bit values: ship the kube-apiserver audit log to Falco's k8saudit
# webhook. Quoted delimiter: the strftime patterns and globs below are
# written to the file untouched by the shell.
cat > fluent-bit.yaml << 'EOF'
# Marks fluent-bit's own pods as excluded from log collection. Quoted on
# purpose: annotation values must be strings, and a bare true is a boolean.
podAnnotations:
  fluentbit.io/exclude: 'true'

# Host /var/log is mounted read-only-by-convention so the tail input below
# can reach the audit log directory.
daemonSetVolumes:
  - name: varlog
    hostPath:
      path: /var/log

daemonSetVolumeMounts:
  - name: varlog
    mountPath: /var/log

# Run only on control-plane nodes (and tolerate their NoSchedule taint):
# that is where the API-server audit log tailed below is written.
tolerations:
  - operator: Exists
    effect: NoSchedule

nodeSelector:
  node-role.kubernetes.io/control-plane: ""

config:
  service: |
    [SERVICE]
      Flush            5
      Daemon           Off
      Log_Level        warn
      HTTP_Server      On
      HTTP_Listen      0.0.0.0
      HTTP_Port        2020
      Health_Check     On
      Parsers_File     /fluent-bit/etc/parsers.conf
      Parsers_File     /fluent-bit/etc/conf/custom_parsers.conf

  inputs: |
    [INPUT]
      Name          tail
      Alias         audit
      Path          /var/log/audit/kube/*.log
      Parser        audit
      Tag           audit.*
      Ignore_older  true

  # filters: |
  #   [FILTER]
  #     Name                kubernetes
  #     Alias               kubernetes
  #     Match               kubernetes.*
  #     Kube_Tag_Prefix     kubernetes.var.log.containers.
  #     Use_Kubelet         Off
  #     Merge_Log           On
  #     Merge_Log_Trim      On
  #     Keep_Log            Off
  #     K8S-Logging.Parser  Off
  #     K8S-Logging.Exclude On
  #     Annotations         Off
  #     Labels              On

  #   [FILTER]
  #     Name          modify
  #     Match         kubernetes.*
  #     Add           source kubernetes
  #     Remove        logtag

  # The audit log is one JSON event per line; requestReceivedTimestamp
  # becomes the record time.
  customParsers: |
    [PARSER]
      Name          audit
      Format        json
      Time_Key      requestReceivedTimestamp
      Time_Format   %Y-%m-%dT%H:%M:%S.%L%z

  # stdout mirrors every event to the pod log (useful while debugging, noisy
  # in steady state). The http output posts to the k8saudit-webhook Service
  # from falco.yaml on the same port and path as the plugin's open_params;
  # the service name assumes the chart prefixes it with the release name.
  outputs: |
    [OUTPUT]
      Name    stdout
      Alias   stdout
      Match   *
      Format  json_lines

    [OUTPUT]
      Name    http
      Alias   http
      Match   *
      Host    falco-k8saudit-webhook.falco.svc.cluster.local
      Port    9765
      URI     /k8s-audit
      Format  json
EOF
helm upgrade -i fluent-bit fluent/fluent-bit -n kube-system -f fluent-bit.yaml

Webui

Access via: http://10.5.0.2:30128/login (admin/admin)
