What do you think of Falco? Is detection enough?
Have you tried Tetragon from the eBPF high-flyers Isovalent?
@bombaclotta I did and I'm working on a video about it.
Thanks for the video! I totally agree, Falco drives me crazy. I hate the number of warnings you get with Falco, having to fine-tune the rules and all the ceremonies that come with it, even if there are no competitors at the moment. Plus I still haven't found a customer that uses it yet! But you can't prevent without observing things so I guess we need to stick with Falco for now.
Key thing is ensuring image immutability at runtime for any workloads, be it VM, K8s, Containers [Docker/Podman etc.] or Serverless. Look at Aqua Security CWPP, it not only detects but also has the ability to block it.
The Falco video finally comes!
Very nice! I've been looking for something like this for my Homelab. Will definitely check this out...
Next, would you like to share your insights on Tetragon?
Sure. Adding it to my TODO list... :)
Thank you for the video. Not sure if it's intentional or not, but the link for the gist is not a link :)
My bad... It's fixed now.
Are there tools that do prevention on top of Falco?
Forget them. Use KubeArmor for prevention.
It would be interesting to talk about gVisor after this video.
Adding it to my to-do list... 🙂
I am a much bigger fan of KubeArmor and find Falco WAY TOO COMPLEX!!!!!
They are different though. Falco gives you information while KubeArmor prevents processes from running.
You can think of this video as a preamble to KubeArmor which is in my TODO list.
@DevOpsToolkit KubeArmor can also run in alert-only mode which is nice to have 1 tool for both
That's true, but I find that part not to be as good as Falco. KubeArmor is focused on a per-Pod basis which is great for prevention, but not necessarily for detection.