{"id":25345588,"url":"https://github.com/iamgp21/capstone-runtime-sec","last_synced_at":"2026-04-29T16:04:12.426Z","repository":{"id":274173182,"uuid":"922138286","full_name":"iamgp21/capstone-runtime-sec","owner":"iamgp21","description":"POC Repo for Implementing Runtime Security for a Kubernetes Cluster.","archived":false,"fork":false,"pushed_at":"2025-02-22T07:52:30.000Z","size":566,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-22T08:29:56.042Z","etag":null,"topics":["architecture","cloud-security","cncf","ebpf","kubernetes","observability","runtime-security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/iamgp21.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-25T12:23:24.000Z","updated_at":"2025-02-22T07:52:34.000Z","dependencies_parsed_at":"2025-02-22T08:26:11.110Z","dependency_job_id":null,"html_url":"https://github.com/iamgp21/capstone-runtime-sec","commit_stats":null,"previous_names":["iamgp21/capstone-runtime-sec"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iamgp21%2Fcapstone-runtime-sec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iamgp21%2Fcapstone-runtime-sec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iamgp21%2Fcapstone-runtime-sec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/i
amgp21%2Fcapstone-runtime-sec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/iamgp21","download_url":"https://codeload.github.com/iamgp21/capstone-runtime-sec/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247878017,"owners_count":21011158,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["architecture","cloud-security","cncf","ebpf","kubernetes","observability","runtime-security"],"created_at":"2025-02-14T12:39:05.208Z","updated_at":"2025-10-16T16:15:24.336Z","avatar_url":"https://github.com/iamgp21.png","language":"Go","readme":"## k8s Runtime Security\nPOC repo for implementing runtime security on a Kubernetes cluster.\n\n\n### Environment Details:\n- **K8s Cluster**: on public cloud GKE.\n- **Runtime Security Tool**: CNCF open-source graduated project Falco and FalcoSidekick.\n- **Visualization Tool for Security Events**: Grafana.\n- **Security Events Long Term Storage**: Grafana Loki.\n\n\n\u003e [!IMPORTANT]\n\u003e This repo doesn't cover the infra creation; it covers the architecture point of view.\n\n\n### HLD:\n![HLD](./gif/Falco_Animation.gif)\n\nThe diagram above can be summarized as follows:\n\n- Falco, when deployed on a k8s cluster, installs an **eBPF probe or kernel module** (depending on the kernel version) in kernel space.\n\n- Any communication done by K8s application workloads goes through the kernel, and once Falco is installed the **eBPF probe captures syscalls**, thus tracking any kernel-level activity.\n\n- **Probed events are passed via a ring buffer to user space**, to the Falco rules engine, which evaluates each raw event against the rules.\n\n- **Events matched by the rules config** are sent as output to **FalcoSidekick**.\n\n- The **Sidekick, based on the configured routing, passes the events to the long-term event storage engine (Loki)**.\n\n- To **visualize the received events** and build runtime security dashboards, the open-source tool **Grafana** can be used.\n\n\n### Deployment Configurations:\n\nThe **runtime-sec** directory contains the relevant Helm charts for the Falco security tooling, which can be deployed to the cluster using Helm, for example:\n\n- Install **falco**: `helm install \u003cFALCO_RELEASE_NAME\u003e -f falco.yaml \u003cFALCO_HELM_CHART_PATH\u003e -n \u003cFALCO_NAMESPACE\u003e --create-namespace`\n\n- Install **falcosidekick**: `helm install \u003cFALCO_SIDEKICK_RELEASE_NAME\u003e -f falcosidekick.yaml \u003cFALCO_SIDEKICK_HELM_CHART_PATH\u003e -n \u003cFALCO_SIDEKICK_NAMESPACE\u003e --create-namespace`\n\n\n### POC Results:\n\nA **Notice** severity event is reported on the Grafana dashboard when a user performs an `exec` operation on a container/pod.\n\n![call_made](./images/UseCase2_exec.png)\n![grafana_dashboard](./images/UseCase2_Grafana.png)\n\n**Note:** This is just an example severity event; any Critical/High priority events can be displayed similarly.\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiamgp21%2Fcapstone-runtime-sec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fiamgp21%2Fcapstone-runtime-sec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiamgp21%2Fcapstone-runtime-sec/lists"}