# Deploying Falco on HPECP cluster
Container runtime security is a new feature in HPE Ezmeral Container Platform 5.3 that improves container security and threat detection. Container runtime security detects anomalies in the host and in containers by using the extended Berkeley Packet Filter (eBPF) to isolate kernel system calls. The feature is enabled by default and based on the Falco Open Source Software.
# Pre-requisites
HPE Ezmeral Container Platform nodes should be running SLES 15 SP2. The following general configuration is required on all nodes:
- sudo must be installed.
- SELinux should be disabled.
- AppArmor is not supported.
- Systemd is supported in legacy mode.
- IPv6 is not supported.
# Common Host Packages
All HPE Ezmeral Container Platform hosts must have the following SLES modules enabled:
> SUSEConnect -p PackageHub/15.2/x86_64
> SUSEConnect -p sle-module-legacy/15.2/x86_64
> SUSEConnect -p sle-module-python2/15.2/x86_64
> SUSEConnect -p sle-module-containers/15.2/x86_64
> SUSEConnect -p sle-module-basesystem/15.2/x86_64
> SUSEConnect -p sle-module-public-cloud/15.2/x86_64
> SUSEConnect -p sle-module-desktop-applications/15.2/x86_64
# Kubernetes Host Packages
All Kubernetes hosts must have the following SLES module enabled in addition to the common packages listed above:
> SUSEConnect -p caasp/4.5/x86_64
# Controller/Shadow Controller Host Packages
The Controller host (and Shadow Controller host, if platform HA is enabled) must have the following SLES modules enabled in addition to the common packages listed above:
> SUSEConnect -p sle-ha/15.2/x86_64
# Falco installation process
Trust the falcosecurity GPG key and configure the zypper repository:
> rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc
> curl -s -o /etc/zypp/repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo
Install kernel headers:
> zypper -n install kernel-default-devel
Install Falco:
> zypper -n install falco
Falco, the kernel module driver, and a default configuration are now installed. Falco runs as a systemd unit.
# Deploying Falco on HPECP Cluster
If you already installed the Falco Kernel Module, HPE Ezmeral Container Platform automatically tags the Kubernetes host as falco:true.
If you have not installed the Falco Kernel Module yet, you must install it. After the Falco Kernel Module is installed, you must tag each node in the Kubernetes cluster with the falco: true label.
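
One way to check the two conditions above before relying on the deployment, as an added example that is not part of the HPE documentation: it confirms the Falco driver is loaded on a host and lists cluster nodes that still lack the label. It assumes the label is a Kubernetes node label visible to `kubectl`, that the driver module is named `falco` (or `falco_probe`), and that the systemd unit is named `falco`; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the HPE documentation.

# Succeeds if a Falco driver is listed in a /proc/modules-style file.
# Assumption: the module is named "falco" ("falco_probe" in older releases).
falco_module_loaded() {
    awk '$1 == "falco" || $1 == "falco_probe" { found = 1 }
         END { exit !found }' "${1:-/proc/modules}"
}

# Reads `kubectl get nodes --show-labels --no-headers` output on stdin and
# prints each node whose label list (last column) lacks an exact falco=true.
nodes_missing_falco_label() {
    awk 'NF {
        ok = 0
        n = split($NF, labels, ",")
        for (i = 1; i <= n; i++) if (labels[i] == "falco=true") ok = 1
        if (!ok) print $1
    }'
}

# Host check: run on each Kubernetes host after installing Falco.
check_host() {
    if ! falco_module_loaded; then
        echo "Falco kernel module not loaded; install Falco before labeling" >&2
        return 1
    fi
    # Assumption: the packaged systemd unit is named "falco".
    systemctl is-active --quiet falco ||
        echo "warning: falco systemd unit is not active" >&2
    echo "Falco kernel module loaded"
}

# Cluster check: run where kubectl can reach the cluster.
check_cluster() {
    kubectl get nodes --show-labels --no-headers | nodes_missing_falco_label |
    while read -r node; do
        echo "missing label: $node (kubectl label node $node falco=true)"
    done
}

case "${1:-}" in
    host)    check_host ;;
    cluster) check_cluster ;;
esac
```

Run it with `host` on each Kubernetes host and with `cluster` from a machine that has `kubectl` access; a node is reported when its label list has no exact `falco=true` entry, including when the value is `false`.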