{"id":15655279,"url":"https://github.com/developer-guy/falco-the-kubernetes-response-engine-using-openfaas-functions","last_synced_at":"2025-05-04T06:34:43.307Z","repository":{"id":103622832,"uuid":"342327902","full_name":"developer-guy/falco-the-kubernetes-response-engine-using-openfaas-functions","owner":"developer-guy","description":"Demonstrating how you can take an action to your intrusions detected by Falco using OpenFaaS functions","archived":false,"fork":false,"pushed_at":"2021-03-24T09:23:47.000Z","size":1546,"stargazers_count":26,"open_issues_count":0,"forks_count":3,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-05-04T06:33:41.040Z","etag":null,"topics":["civo","civo-cli","civo-k3s","container-runtime-security","falco","k3s","k3s-cluster","openfaas","serverless"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/developer-guy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-02-25T17:40:35.000Z","updated_at":"2024-10-23T01:35:09.000Z","dependencies_parsed_at":null,"dependency_job_id":"6109857e-4440-40fc-a46e-b2e8bb4e3dc5","html_url":"https://github.com/developer-guy/falco-the-kubernetes-response-engine-using-openfaas-functions","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-guy%2Ffalco-the-kubernetes-response-engine-using-openfaas-functions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dev
eloper-guy%2Ffalco-the-kubernetes-response-engine-using-openfaas-functions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-guy%2Ffalco-the-kubernetes-response-engine-using-openfaas-functions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-guy%2Ffalco-the-kubernetes-response-engine-using-openfaas-functions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/developer-guy","download_url":"https://codeload.github.com/developer-guy/falco-the-kubernetes-response-engine-using-openfaas-functions/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252299432,"owners_count":21725716,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["civo","civo-cli","civo-k3s","container-runtime-security","falco","k3s","k3s-cluster","openfaas","serverless"],"created_at":"2024-10-03T12:57:38.356Z","updated_at":"2025-05-04T06:34:43.254Z","avatar_url":"https://github.com/developer-guy.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e \u003cimg src=\"/.res/civo.png\" height=\"400\" width=\"400\"/\u003e 
\u003c/p\u003e\n\n[![OpenFaaS](https://img.shields.io/badge/openfaas-blue.svg)](https://www.openfaas.com)\n[![k3s](https://img.shields.io/badge/k3s-yellow.svg)](https://k3s.io)\n[![Falco](https://img.shields.io/badge/falco-informational.svg?)](https://falco.org)\n[![CIVO](https://img.shields.io/badge/civo-blue.svg?logo=data:image/svg+xml;base64,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)](https://www.civo.com/kube100)\n\n# Kubernetes Response Engine powered by OpenFaaS\n\nAlthough Falco can detect _intrusion_ attempts and then send alerts to channels according to the given rules,\nit does not have any _remediation_ system. This is why we need something called a Kubernetes Response Engine.\nIt simply aims to catch alerts and take action on them. These actions can be designed as _fine-grained_ serverless\nfunctions.\n\nThink of a scenario in which you want to act on the alerts raised by Falco. The important point is that we are going to do different things for different levels of alerts. 
For example, we are going to send a notification for a notice-level alert, but for a warning-level alert we are going to delete the pod. The overall architecture looks like this:\n```bash\n                +-----------+\n                |   Falco   +\n                +-----^-----+\n                      |\n              +-------v-------+\n              \u003eOpenFaaS (dispatch-fn)+\n              +-------v-------+\n+-----------+         |          +-----------+\n| notify-fn \u003c---------+----------\u003e delete-fn |\n+-----v-----+ notice     warning +-----+-----+\n      |                                |\n      | send alert          delete pod |\n      |                                |\n+-----v-----+                    +-----v-----+       \n|   Slack   |                    | Pwned Pod |\n+-----------+                    +-----------+\n```\n\n🎁 Table of Contents\n=================\n\u003c!-- START doctoc generated TOC please keep comment here to allow auto update --\u003e\n\u003c!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --\u003e\n\n- 🧰 [Prerequisites](#prerequisites)\n- 🎯 [Target Audience](#target-audience)\n- 🎁 [What is ...?](#what-is-)\n    - \u003cimg src=\"https://www.civo.com/brand-assets/logo/full-colour/civo-logo-fullcolour.svg\" height=\"16\" width=\"16\"/\u003e[CIVO](#civo)\n    - \u003cimg src=\"https://cncf-branding.netlify.app/img/projects/k3s/icon/color/k3s-icon-color.svg\" height=\"16\" width=\"16\"/\u003e[K3S](#k3s)\n    - \u003cimg src=\"https://cncf-branding.netlify.app/img/projects/falco/icon/color/falco-icon-color.svg\" height=\"16\" width=\"16\"/\u003e[Falco](#falco)\n    - \u003cimg src=\"/.res/openfaas.svg\" height=\"16\" width=\"16\"/\u003e[OpenFaaS](#openfaas)\n-  👨‍💻 [Hands-on Demonstration](#hands-on-demonstration)\n\n\u003c!-- END doctoc generated TOC please keep comment here to allow auto update --\u003e\n\n# Prerequisites\n\n* \u003cimg 
src=\"https://www.civo.com/brand-assets/logo/full-colour/civo-logo-fullcolour.svg\" height=\"16\" width=\"16\"/\u003e civo cli v0.7.6\n* \u003cimg src=\"https://cncf-branding.netlify.app/img/projects/helm/horizontal/color/helm-horizontal-color.svg\" height=\"16\" width=\"16\" /\u003e Helm v3.5.1\n* \u003cimg src=\"/.res/openfaas.svg\" height=\"16\" width=\"16\"/\u003e faas-cli 0.13.9\n* \u003cimg src=\"/.res/openfaas.svg\" height=\"16\" width=\"16\"/\u003e arkade 0.7.10\n* \u003cimg src=\"https://raw.githubusercontent.com/cncf/artwork/master/other/illustrations/ashley-mcnamara/kubectl/kubectl.svg\" height=\"16\" width=\"16\"/\u003e kubectl v1.20.2\n\n\u003e We are going to do this demo on macOS Catalina 1.15.7. You can find the prerequisites on [brew](https://brew.sh).\n\n# Target Audience\n\nIf you want to:\n\n* Set up a K3S cluster on CIVO\n* Set up Falco\n* Create custom serverless functions using OpenFaaS\n* Subscribe to Falco events from serverless functions\n\n# What is ...?\n\n## [CIVO](https://www.civo.com/)\n\n_Built for speed and simplicity, with K3s under the hood_\n\n**Join the [#Kube100](https://www.civo.com/kube100) beta: [Apply to join today](https://www.civo.com/signup) _(Get free\ncredit to test-drive the world’s first K3s-powered, managed Kubernetes service)_**\n\n* Simple, fast and powerful\n\n\u003e Spin up Kubernetes in under 2 minutes, without the bloat, using the lightweight K3s distribution\n\n* Management CLI\n\n\u003e Manage your clusters with the custom-built CLI and streamline your deployment with simple REST API.\n\n* Application marketplace\n\n\u003e Launch clusters with preinstalled applications, or install on the fly using Civo's Kubernetes marketplace. \n\n* Bandwidth Pooling\n\n\u003e Use all your bandwidth allowance across all your Civo services. Only pay for what you use.\n\n* Marketplace\n\n\u003e Install applications quickly and easily to your clusters during or after set up with Civo marketplace. 
Also you can contribute an application to [marketplace](https://github.com/civo/kubernetes-marketplace) \n\n* Custom Firewalls\n\n\u003e Configure custom firewalls from your Civo dashboard using OpenStack’s security groups.\n\n## [K3S](https://k3s.io/)\n\n_The certified Kubernetes distribution built for IoT \u0026 Edge computing_\n\n* Perfect for Edge\n\n\u003e K3s is a highly available, certified Kubernetes distribution designed for production workloads in unattended, resource-constrained, remote locations or inside IoT appliances. Simplified \u0026 Secure\n\n* Simplified \u0026 Secure\n\n\u003e K3s is packaged as a single \u003c40MB binary that reduces the dependencies and steps needed to install, run and auto-update a production Kubernetes cluster.\n\n* Optimized for ARM\n\n\u003e Both ARM64 and ARMv7 are supported with binaries and multiarch images available for both. K3s works great from something as small as a Raspberry Pi to an AWS a1.4xlarge 32GiB server.\n\n## [Falco](https://falco.org/)\n\n_Cloud-Native runtime security, de facto Kubernetes threat detection engine_\n\n* Strengthen container security\n\n\u003e The flexible rules engine allows you to describe any type of host or container behavior or activity.\n\n* Reduce risk via immediate alerts\n\n\u003e You can immediately respond to policy violation alerts and integrate Falco within your response workflows.\n\n* Leverage most current detection rules\n\n\u003e Falco out-of-the box rules alert on malicious activity and CVE exploits.\n\n## [OpenFaaS](https://www.openfaas.com/)\n\n_OpenFaaS® makes it simple to deploy both functions and existing code to Kubernetes_\n\n* Anywhere\n\n\u003e Avoid lock-in through the use of Docker. Run on any public or private cloud.\n\n* Any code\n\n\u003e Build both microservices \u0026 functions in any language. 
Legacy code and binaries.\n\n* Any scale\n\n\u003e Auto-scale for demand or to zero when idle.\n\n# Hands-on Demonstration\n\n## Create CIVO Playground\n\n* Download the civo cli from [here](https://github.com/civo/cli#set-up) \n* Copy and save the API key from your Civo account -  [Security Dashboard](https://www.civo.com/account/security)\n\n![civo_dashboard_settings](.res/civo-settings.png)\n\n```bash\n$ civo apikey save my-awesome-key $KEY\nSaved the API Key $KEY as my-awesome-key\n```\n\n```bash\n$ civo apikey list\n+----------------+---------+\n| Name           | Default |\n+----------------+---------+\n| my-awesome-key | $KEY    |\n+----------------+---------+\n```\n\n```bash\n$ civo apikey current my-awesome-key\nSet the default API Key to be my-awesome-key\n```\n\n* Create a cluster\n\n```bash\n$ civo kubernetes create playground --size=g3.k3s.medium --nodes=3 --region NYC1 --wait\nCreated Kubernetes cluster playground\n```\n\n* Show the playground on [Kubernetes Dashboard](https://www.civo.com/account/kubernetes)\n\n```bash\n$ civo kubernetes show playground\n          ID : 79435efe-2dac-403d-bfd2-f6644988830a\n        Name : playground\n       Nodes : 3\n        Size : g3.k3s.medium\n      Status : ACTIVE\n     Version : 1.20.0-k3s2\nAPI Endpoint : https://212.2.243.151:6443\n   Master IP : 212.2.243.151\nDNS A record : 79435efe-2dac-403d-bfd2-f6644988830a.k8s.civo.com\nNodes:\n+-------------+---------------+--------+---------------+-----------+------+----------+\n| Name        | IP            | Status | Size          | Cpu Cores | Ram  | SSD disk |\n+-------------+---------------+--------+---------------+-----------+------+----------+\n| master-7c8a | 212.2.243.151 | ACTIVE | g3.k3s.medium |         2 | 4096 |       25 |\n| node-04ed   |               | ACTIVE | g3.k3s.medium |         2 | 4096 |       25 |\n| node-5258   |               | ACTIVE | g3.k3s.medium |         2 | 4096 |       25 
|\n+-------------+---------------+--------+---------------+-----------+------+----------+\n```\n\n![civo_dashboard_settings](.res/civo-clusters.png)\n\n* Configure the playground\n\n```bash\n$ civo kubernetes config playground --save --local-path ./kubeconfig\nAccess your cluster with:\nKUBECONFIG=./kubeconfig kubectl get node\n```\n\n* Ensure all is OK\n\n```bash\n$ export KUBECONFIG=./kubeconfig\n$ kubectl get node\nNAME                                  STATUS   ROLES                  AGE   VERSION\nk3s-playground-66b18d51-node-04ed     Ready    \u003cnone\u003e                 40h   v1.20.2+k3s1\n```\n\nYou can find more details about **civo cli** [here](https://github.com/civo/cli).\n\n* Set up OpenFaaS\n\nYou can install OpenFaaS from Civo marketplace - \n![](.res/openfaas.png)\n\nor via [arkade](https://github.com/alexellis/arkade)\n\n_arkade_ provides a portable marketplace for downloading your favourite devops CLIs and installing helm charts, with a single command. You can also download CLIs like kubectl, kind, kubectx and helm faster than you can type \"apt-get/brew update\"\n\n```bash\n$ arkade install openfaas\nUsing Kubeconfig: /Users/batuhan.apaydin/.kube/config\nUsing Kubeconfig: /Users/batuhan.apaydin/.kube/config\nClient: x86_64, Darwin\n2021/03/11 21:35:24 User dir established as: /Users/batuhan.apaydin/.arkade/\n\"openfaas\" already exists with the same configuration, skipping\n\nHang tight while we grab the latest from your chart repositories...\n...Successfully got an update from the \"nats\" chart repository\n...Successfully got an update from the \"kyverno\" chart repository\n...Successfully got an update from the \"dq-helm-charts\" chart repository\n...Successfully got an update from the \"falcosecurity\" chart repository\n...Successfully got an update from the \"openfaas\" chart repository\n...Successfully got an update from the \"stable\" chart repository\nUpdate Complete. 
⎈Happy Helming!⎈\n\nVALUES values.yaml\nCommand: /Users/batuhan.apaydin/.arkade/bin/helm [upgrade --install openfaas openfaas/openfaas --namespace openfaas --values /var/folders/pf/6h9t0mnd4d342ncgpjq_3zl80000gp/T/charts/openfaas/values.yaml --set basicAuthPlugin.replicas=1 --set basic_auth=true --set clusterRole=false --set gateway.directFunctions=false --set openfaasImagePullPolicy=IfNotPresent --set faasnetes.imagePullPolicy=Always --set queueWorker.maxInflight=1 --set serviceType=NodePort --set operator.create=false --set gateway.replicas=1 --set ingressOperator.create=false --set queueWorker.replicas=1]\nRelease \"openfaas\" does not exist. Installing it now.\nNAME: openfaas\nLAST DEPLOYED: Thu Mar 11 21:35:30 2021\nNAMESPACE: openfaas\nSTATUS: deployed\nREVISION: 1\nTEST SUITE: None\nNOTES:\nTo verify that openfaas has started, run:\n\n  kubectl -n openfaas get deployments -l \"release=openfaas, app=openfaas\"\n=======================================================================\n= OpenFaaS has been installed.                                        
=\n=======================================================================\n\n# Get the faas-cli\ncurl -SLsf https://cli.openfaas.com | sudo sh\n\n# Forward the gateway to your machine\nkubectl rollout status -n openfaas deploy/gateway\nkubectl port-forward -n openfaas svc/gateway 8080:8080 \u0026\n\n# If basic auth is enabled, you can now log into your gateway:\nPASSWORD=$(kubectl get secret -n openfaas basic-auth -o jsonpath=\"{.data.basic-auth-password}\" | base64 --decode; echo)\necho -n $PASSWORD | faas-cli login --username admin --password-stdin\n\nfaas-cli store deploy figlet\nfaas-cli list\n\n# For Raspberry Pi\nfaas-cli store list \\\n --platform armhf\n\nfaas-cli store deploy figlet \\\n --platform armhf\n\n# Find out more at:\n# https://github.com/openfaas/faas\n\nThanks for using arkade!\n```\n\n\u003e There are also other ways to install OpenFaaS; see the [official documentation](https://docs.openfaas.com/deployment/kubernetes/#deployment-guide-for-kubernetes).\n\n* Set up Falco\n\n```bash\n$ arkade install falco \\\n        --set falco.jsonOutput=true \\\n        --set falco.httpOutput.enabled=true \\\n        --set falco.httpOutput.url=http://gateway.openfaas:8080/function/dispatch-fn\n...\n```\n\nOnce everything is OK, configure faas-cli in order to deploy functions.\n\n```bash\n# Forward the gateway to your machine\n$ kubectl port-forward -n openfaas svc/gateway 8080:8080 \u0026\n\n# If basic auth is enabled, you can now log into your gateway:\n$ PASSWORD=$(kubectl get secret -n openfaas basic-auth -o jsonpath=\"{.data.basic-auth-password}\" | base64 --decode; echo)\n$ echo -n $PASSWORD | faas-cli login --username admin --password-stdin\n```\n\nLet's see which functions are present.\n\n```bash\n$ faas-cli list\nFunction                        Invocations     Replicas\n```\n\nYou should see nothing.\n\n\u003e NOTE: Don't forget to apply [roles.yaml](./roles.yaml) for delete-pod-fn because this function will remove the pod if necessary,\n\u003e 
so it needs some privileges for that.\n\nNow deploy the functions.\n\n```bash\n$ kubectl apply -f roles.yaml\n$ faas-cli deploy -f stack.yml\n...\n```\n\nOnce it's completed, you should see the pods running in the `openfaas-fn` namespace, and you should also see the\nfunctions by running the `faas-cli list` command.\n\n```bash\n$ faas-cli list\nFunction                        Invocations     Replicas\ndispatch-fn                     37              1\nnotifier-fn                     23              1\ndelete-pod-fn                   0               1\n\n$ kubectl get pods --namespace=openfaas-fn\nFound existing alias for \"kubectl get pods\". You should use: \"kgp\"\nNAME                             READY   STATUS    RESTARTS   AGE\ndispatch-fn-b5b68df77-r7crl      1/1     Running   0          7m23s\nnotifier-fn-5fd846c887-hgpf4     1/1     Running   0          4m48s\ndelete-pod-fn-55cc89965c-fs55q   1/1     Running   0          37s\n```\n\nIf everything works well, you should see the Slack messages in the #falco-alert channel. The screenshot below\nshows this.\n\u003e Learn more about how you can set up a Slack workspace from this [link](https://slack.com/intl/en-tr/help/articles/206845317-Create-a-Slack-workspace).\n\n![falco_alerts](.res/falco_alerts.png)\n\nNext, trigger an alert at _Warning_ level. To do that,\ncreate a Pod based on the alpine image, connect to it, and access a sensitive file such as \n_/etc/shadow_. Once this is done, you should notice that the Pod gets killed by the _delete-pod-fn_ function.\n\nLet's test it by creating a Pod.\n\n```bash\n$  kubectl run alpine -n default --image=alpine --restart='Never' -- sh -c \"sleep 600\"\nFound existing alias for \"kubectl\". You should use: \"k\"\npod/alpine created\n```\n\nConnect to it.\n```bash\n$ kubectl exec -ti alpine -- sh\nFound existing alias for \"kubectl exec -ti\". 
You should use: \"keti\"\n/ #\n```\n\nOnce you are connected, open a second terminal and watch the state of the Pod.\n\n```bash\n$ watch kubectl get pods\nEvery 2.0s: kubectl get pods\nNAME     READY   STATUS    RESTARTS   AGE\nalpine   1/1     Running   0          106s\n```\n\nThen, in the first terminal, run `cat /etc/shadow` and look at the second terminal. You should notice that the Pod's\nstatus has changed from _Running_ to _Terminating_, and your connection to the Pod is lost.\n![pod_delete](.res/pod_delete.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeveloper-guy%2Ffalco-the-kubernetes-response-engine-using-openfaas-functions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdeveloper-guy%2Ffalco-the-kubernetes-response-engine-using-openfaas-functions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeveloper-guy%2Ffalco-the-kubernetes-response-engine-using-openfaas-functions/lists"}