👋 First of all, I am excited to share that I've officially become a Kubestronaut (read it here). Among the five Kubernetes certifications, the CKS (Certified Kubernetes Security Specialist) was by far the toughest. In fact, I missed passing on my first attempt by just 2% (read it here). That experience inspired me to create the 📖 CKS Handbook, which is now in its 2nd Edition, updated to reflect the latest changes to the CKS curriculum.
In this blog, we will explore what you need to know about Falco to prepare for the CKS exam. Falco is a key part of the CKS curriculum under "Monitoring, Logging, and Runtime Security" which accounts for about 20% of the exam.
Anyone who's taken the CKS exam knows that Falco-related tasks can quickly eat up your time if you're not well prepared. So let's dive in!
Falco by Sysdig
Falco is an open-source cloud-native runtime security tool originally created by Sysdig and donated to the CNCF in 2018. It provides runtime security for Linux hosts, containers, Kubernetes, and cloud environments. For the scope of the CKS exam, focus only on the container runtime security.
Falco is designed to detect and alert on abnormal behavior and potential security threats in real time. Malicious behaviors are identified through Falco rules; alerts for the matching events can then be forwarded with Falcosidekick, which is out of scope for the exam.
📕 Rules of Falco
Falco rules are what you, as a Kubernetes security engineer, need to write or maintain to detect malicious behaviors in your Kubernetes environment.
The default Falco rules file is stored in /etc/falco/falco_rules.yaml. Every rule definition contains at least the following fields:
- Rule, Desc: Name and short rule description.
- Condition: Key part of the rule, which determines if the rule should be fired or not based on a Boolean expression matching event fields.
- Output: Human-friendly log message that Falco emits; it can include event metadata by prefixing an event field name with %.
- Priority: Every Falco rule has a priority, indicating how serious a violation of the rule is.
📝 NOTE: In the exam, you are allowed to refer to the Supported Fields for Conditions and Outputs page.
🐚 Shell in the container
Here is a custom Falco config in YAML with a rule to detect if a shell is spawned in a container, which is often a sign of debugging gone wrong, misconfigured containers, or possible malicious attempts, such as IngressNightmare remote code execution.
The config begins with macros to simplify writing Falco rules. Pre-defined Falco macros come bundled in /etc/falco/falco_rules.yaml.
- The spawned_process macro condition filters system call events by execve, which is the syscall for executing a new program in Linux, and evt.dir=< means the syscall is entering, i.e., the execution is starting.
- The container macro checks that the event is coming from a container and not the host system.
Next, we define a rule using the macros above. The rule fires when a process is spawned (spawned_process) inside a container (container) and the process name is bash, i.e., someone is starting a shell.
In the rule’s output, we include useful context using user fields, container fields, and k8s fields to get Kubernetes-related metadata.
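The rules file for the scenario described above, written here as an added example (it is not the post's own config): the file name shell_rules.yaml and the rule name are assumptions, and it goes slightly beyond the post by matching a list of shells instead of only bash.

```yaml
# Added example (not from the original post): minimal Falco rules file that
# implements the "shell in container" detection described above.
# File name and rule name are assumptions; all field names are Falco fields.

# execve is the syscall that runs a new program; with evt.dir=< the proc.*
# fields of the event describe the newly executed program.
# (The macro bundled in /etc/falco/falco_rules.yaml also covers execveat.)
- macro: spawned_process
  condition: evt.type = execve and evt.dir=<

# container.id is the literal string "host" for events from the host itself.
- macro: container
  condition: container.id != host

# Generalized beyond the post: a list lets the rule match more than bash.
- list: shell_binaries
  items: [bash, sh, dash, zsh]

- rule: Shell in container
  desc: A shell was spawned inside a container (debugging, misconfiguration or possible intrusion)
  condition: spawned_process and container and proc.name in (shell_binaries)
  # Folded scalar: YAML joins these lines into one output string.
  output: >
    Shell spawned in a container
    (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
    container_id=%container.id container_name=%container.name
    image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, shell]
```

Load it with `falco -r shell_rules.yaml`, or place it in /etc/falco/falco_rules.local.yaml, which Falco reads after the bundled rules. Adding `-o json_output=true` emits each alert as one JSON object, which is convenient when a task asks you to save detected events to a file.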
📝 NOTE: In the exam, you are allowed to access the Falco example rules.
✍️ Falco in the exam
In the exam, you will encounter at least one Falco-related task. You may be asked to:
- Run Falco with custom rules on a specific worker node and save logs of detected malicious processes.
- Investigate Falco logs to identify malicious containers and gather details such as the Kubernetes Pod name and namespace using the crictl tool.
When solving tasks, adopt the mindset of a security engineer, as the questions typically reflect real-world scenarios that a Kubernetes security professional would face.
💡 TIP: Keep the Falco documentation accessible during the exam, particularly the Supported Fields for Conditions and Outputs page, as you’ll need to understand which event fields to include in your Falco logs.
Up Next
In the upcoming article, we will gain hands-on Falco experience by installing it, implementing custom rules, and analyzing Falco logs — essential practice for the CKS exam.
To accelerate your preparation, check out my CKS Handbook — 2nd Edition, which provides comprehensive coverage of Falco and all other CKS exam topics, updated to reflect the latest curriculum changes.
As a thank you to the readers of this article, use discount code FALCO15 to get 15% off on my CKS Handbook — 2nd Edition. — Puru