Kyverno VS falco

Anyway, I haven’t checked for sure as I’m away from laptop but it should be possible to use something like Kyverno to block that operation. We had to do similar in the past to hotfix a bug in our CLI tool. I wrote a blog post about it that might give you an idea: https://www.giantswarm.io/blog/restricting-cluster-admin-permissions

Cosign is used for signing containers through a variety of different methods. It has strong integration with other open source tools, such as Kyverno.

cosign: https://docs.sigstore.dev/cosign/overview/ kyverno: https://kyverno.io/

Kyverno - Kubernetes Native Policy Management

You could use a policy tool like kyverno or OPA.

Kyverno is present in the management cluster;

You do still have to create a policy for every namespace, but don't have to worry about labeling individual pods. We're starting to move to Helm/kustomize for our namespaces to deploy default things like network policies to each one, and we're also starting to use kyverno more, which I think is a little more purpose built for this type of thing than metacontroller is.

I knew it was unsupported so about 6 months ago I had started an effort to switch to Kyverno, which is far better and actually supported. The version of Kyverno I was using had a v1beta1 AdmissionController. Fortunately that was in a helm chart so easily caught by pluto before my upgrade.

Kyverno Kyverno is a policy engine designed for Kubernetes, Kyverno policies can validate, mutate, and generate Kubernetes resources plus ensure OCI image supply chain security.

https://github.com/falcosecurity/falco

Like snort, but looks at system calls.

From one noob to another - I had a lot of fun setting up Falco (https://falco.org) and creating custom policies & alerts.

Falco is a well-known open source security solution originally created by Sysdig. It’s a CNCF incubating project and one of the few (as far as I can tell) options on this list that uses eBPF to scan for vulnerabilities.

Use some kind of SIEM or Falco to alert you to threats (you can't stop them, but a human can always intervene)

Falco, is a security project that can help you detect threats from within your cluster.

https://falco.org/ is a security-focused monitoring and alerting with an eBPF option

On the cgo side I want to highlight two talks: one from Loris Cro about dealing with cross-complition difficulties, that the usage of cgo brings, using the Zig language and the other from Jason Dellaluce and Leonardo Grasso about how to extend Falco, a Kubernetes threat detection engine, which is written in C++, with plugins written in Go, explaining the challenges of integrating cgo in both C and Go.