# Deploying Falco on HPECP cluster

Container runtime security is a new feature in HPE Ezmeral Container Platform 5.3 that improves container security and threat detection. Container runtime security detects anomalies in the host and in containers by using the extended Berkeley Packet Filter (eBPF) to isolate kernel system calls. The feature is enabled by default and is based on the Falco open source software.

# Prerequisites

HPE Ezmeral Container Platform nodes should be running on SLES 15 SP2. The following general configuration is required on all nodes:

  • sudo must be installed.
  • SELinux should be disabled.
  • AppArmor is not supported.
  • Systemd is supported in legacy mode.
  • IPv6 is not supported.

# Common Host Packages

All HPE Ezmeral Container Platform hosts must have the following SLES modules enabled:

> SUSEConnect -p PackageHub/15.2/x86_64
> SUSEConnect -p sle-module-legacy/15.2/x86_64
> SUSEConnect -p sle-module-python2/15.2/x86_64
> SUSEConnect -p sle-module-containers/15.2/x86_64
> SUSEConnect -p sle-module-basesystem/15.2/x86_64
> SUSEConnect -p sle-module-public-cloud/15.2/x86_64
> SUSEConnect -p sle-module-desktop-applications/15.2/x86_64

# Kubernetes Host Packages

All Kubernetes hosts must have the following SLES module enabled in addition to the common packages listed above:

> SUSEConnect -p caasp/4.5/x86_64

# Controller/Shadow Controller Host Packages

The Controller host (and Shadow Controller host, if platform HA is enabled) must have the following SLES modules enabled in addition to the common packages listed above:

> SUSEConnect -p sle-ha/15.2/x86_64

# Falco installation process

  • Trust the falcosecurity GPG key and configure the zypper repository:

    > rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc
    > curl -s -o /etc/zypp/repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo
    
  • Install kernel headers:

    > zypper -n install kernel-default-devel
    
  • Install Falco:

    > zypper -n install falco
    

Falco, the kernel module driver, and a default configuration are now installed. Falco runs as a systemd unit.
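A post-install check for the steps above, as an added example that is not part of the original page or of HPE's tooling. It assumes the kernel module and the systemd unit are both named `falco` (override with `FALCO_MODULE` and `FALCO_UNIT`); the key ID is taken from the key file name used in the first step.

```shell
#!/bin/sh
# Added example: verify the result of the Falco install steps on one node.
# Assumptions: kernel module and systemd unit are both named "falco".
FALCO_MODULE="${FALCO_MODULE:-falco}"
FALCO_UNIT="${FALCO_UNIT:-falco}"
KEY_ID="3672ba8f"   # short key ID taken from falcosecurity-3672BA8F.asc

# rpm records every imported key as a pseudo-package named
# gpg-pubkey-<short key id>-<creation time>.
key_trusted() {
    rpm -q gpg-pubkey 2>/dev/null | grep -i "^gpg-pubkey-${KEY_ID}-" >/dev/null
}

package_installed() {
    rpm -q falco >/dev/null 2>&1
}

# lsmod prints the module name in the first column; match it exactly so a
# similarly named module does not count.
driver_loaded() {
    lsmod 2>/dev/null |
        awk -v m="$FALCO_MODULE" '$1 == m { found = 1 } END { exit !found }'
}

service_active() {
    systemctl is-active --quiet "$FALCO_UNIT"
}

# Runs every check, prints PASS/FAIL per check, returns the number of failures.
verify_falco_host() {
    failed=0
    for check in key_trusted package_installed driver_loaded service_active; do
        if "$check"; then
            echo "PASS $check"
        else
            echo "FAIL $check"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run with --check on the node itself; without it only the functions are defined.
[ "${1:-}" != "--check" ] || verify_falco_host
```

A node where the driver is not loaded or the unit is not active produces no Falco events, so a non-zero result is worth resolving before the node is labelled.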

# Deploying Falco on HPECP Cluster

If you already installed the Falco Kernel Module, HPE Ezmeral Container Platform automatically tags the Kubernetes host as falco:true.

If you have not installed the Falco Kernel Module yet, you must install it. After the Falco Kernel Module is installed, you must tag each node in the Kubernetes cluster with the falco: true label.