MVC: Integration with Falco
Problem to solve
As a security analyst, I need to monitor my containers for potentially anomalous behavior so that I can be confident that my containers have not been compromised by a malicious actor.
Intended users
User experience goal
The user will be able to follow GitLab documentation to install Falco into their Kubernetes cluster.
Proposal
- The user will be able to follow GitLab documentation to install Falco in their Kubernetes cluster and connect it to GitLab
- After installation, the user will be able to do the following:
  - Detect when a new process is started inside a container
  - Detect when changes are made to a file inside a container
  - Detect when a new shell/terminal is started in the container
  - Detect when a new port is opened
- As we are whitelabeling the Falco functionality, the user will see no direct references to Falco in the UI or in the code (references can exist in documentation). Instead of Falco, the term "Container Host Security" should be used to refer to the complete solution architecture (Falco + AppArmor + PSPs, etc.) and the term "Monitoring" should be used to refer to the Falco piece of the broader architecture.
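The four detections listed above, written as a Falco rules file. This is an added example, not GitLab's or the Falco project's shipped rules; the rule, macro and list names, the priorities and the shell list are constructed for illustration, and "changes are made to a file" is approximated as a regular file being opened for writing.

```yaml
# Added example: constructed rules, not taken from GitLab or from Falco's default ruleset.
- macro: in_container
  condition: container.id != host

- macro: process_started
  # evt.dir=< selects the syscall exit event, so each exec is matched once
  condition: evt.type in (execve, execveat) and evt.dir=<

- list: shell_names          # constructed list; extend for the images in use
  items: [sh, bash, dash, ash, zsh, ksh]

- rule: Process started in container
  desc: A new process was started inside a container
  condition: process_started and in_container
  output: "Process started (user=%user.name container=%container.name parent=%proc.pname cmd=%proc.cmdline)"
  priority: INFO
  tags: [container, process]

- rule: File opened for writing in container
  desc: A regular file inside a container was opened for writing
  condition: >
    evt.type in (open, openat, openat2) and evt.dir=<
    and evt.is_open_write=true and fd.typechar='f' and in_container
  output: "File opened for writing (user=%user.name container=%container.name file=%fd.name cmd=%proc.cmdline)"
  priority: NOTICE
  tags: [container, filesystem]

- rule: Shell started in container
  desc: A shell was started inside a container
  condition: process_started and in_container and proc.name in (shell_names)
  output: "Shell started (user=%user.name container=%container.name shell=%proc.name parent=%proc.pname cmd=%proc.cmdline)"
  priority: WARNING
  tags: [container, shell]

- rule: Listening socket opened in container
  desc: A process inside a container started listening on a socket
  condition: evt.type=listen and evt.dir=< and in_container
  output: "Listening socket opened (user=%user.name container=%container.name socket=%fd.name cmd=%proc.cmdline)"
  priority: NOTICE
  tags: [container, network]
```

The process rule matches every exec in every container, including each shell start, so it is high-volume and normally needs per-image exceptions before its alerts are useful.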
Further details
Installing Falco is a first step as part of our Container Behavior Analytics strategy and a prerequisite to installing other technologies to extend the feature/functionality set that is provided by Falco.
Permissions and Security
This aligns with the current GitLab permission model.
Documentation
Documentation will be added to explain how to install Falco into the user's environment.
Availability & Testing
- Unit tests will be built as appropriate
- It will be possible to install Falco together with Cilium, and neither product will interfere with the other or cause undue performance problems
- [as much as time allows] A long-running performance test will be done to verify that there are no memory leaks or other performance problems introduced over time
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
Edited by Sam White