KubeCon + CloudNativeCon Europe 2020

How do you protect Kubernetes clusters from malicious behavior? Role-based access control won't stop a user who's authorized to create pods from deploying hundreds of coin miners, and Intrusion Detection Systems at a network edge won't catch requests from a compromised container to the API server. Falco joined CNCF Incubator as an open-source runtime monitoring tool that combines kernel-level visibility with cluster-level awareness, making it possible to implement security policy and assert if these policies have been violated. In this session, Shane will demonstrate detection use cases, and discuss how Shopify has been using Falco since 2018 to monitor containers in a cloud environment that processes $100 million+ per day. Attendees will learn how to deploy Falco at scale, implement and change the ruleset, avoid common pitfalls with eBPF probes and kernel modules, and manage alert volume.