K3S-HOME/security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FEAT(velero): Add Velero, Falco,

Browse Source 
- and CNPG infrastructure components
Add three critical infrastructure components via GitOps:

- Velero: Backup and disaster recovery solution
  - Configured with Minio S3 backend
  - Daily full cluster backups (30-day retention)
  - Hourly backups for critical namespaces (7-day retention)
  - Credentials managed via External Secrets from Vault

- Falco: Runtime security monitoring
  - eBPF-based threat detection
  - Custom rules for container security
  - Falcosidekick for alert forwarding
  - Prometheus metrics enabled

- CNPG (CloudNativePG): PostgreSQL operator
  - Kubernetes-native PostgreSQL management
  - Automated failover and backups
  - Will replace Bitnami PostgreSQL

All components follow existing GitOps patterns:
- Helm charts deployed via ArgoCD
- Values managed in Git
- Automated sync with selfHeal enabled
This commit is contained in:
Mayne0213
2025-12-25 12:21:19 +09:00
parent fa24f224ee
commit 10308d48d0
3 changed files with 231 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
falco/argocd/falco.yaml Normal file
View File

@@ -0,0 +1,47 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: falco
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
# Helm chart from Falcosecurity repository
- repoURL: https://falcosecurity.github.io/charts
chart: falco
targetRevision: 4.14.2
helm:
valueFiles:
- $values/falco/helm-values/falco.yaml
# Values file from Git repository
- repoURL: https://gitea0213.kro.kr/bluemayne/cluster-infrastructure.git
targetRevision: main
ref: values
destination:
server: https://kubernetes.default.svc
namespace: falco
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- PrunePropagationPolicy=foreground
- PruneLast=true
- ServerSideApply=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m
revisionHistoryLimit: 10

178
falco/helm-values/falco.yaml Normal file
View File

@@ -0,0 +1,178 @@
# Falco Helm Values
# Chart: https://github.com/falcosecurity/charts/tree/master/charts/falco
# Driver configuration - use eBPF for better compatibility
driver:
enabled: true
kind: ebpf # or "module" for kernel module
# Image configuration
image:
registry: docker.io
repository: falcosecurity/falco-no-driver
tag: 0.39.2
# Resource requests
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 1Gi
# Falco configuration
falco:
# Enable JSON output for better parsing
json_output: true
json_include_output_property: true
# Log to stdout
log_stderr: true
log_syslog: false
log_level: info
# Performance tuning
buffered_outputs: true
outputs_queue_capacity: 10000
# Rules configuration
rules_files:
- /etc/falco/falco_rules.yaml
- /etc/falco/falco_rules.local.yaml
- /etc/falco/rules.d
# Load default rules
load_plugins: []
# Custom rules (add to this section)
customRules:
custom-rules.yaml: |-
# Custom Falco Rules for your cluster
- rule: Unauthorized Process in Container
desc: Detect unexpected processes in containers
condition: >
spawned_process and container and
not proc.name in (sh, bash, node, python, java, nginx, postgres)
output: >
Unauthorized process started in container
(user=%user.name command=%proc.cmdline container=%container.name image=%container.image.repository)
priority: WARNING
tags: [container, process]
- rule: Sensitive File Access
desc: Detect access to sensitive files
condition: >
open_read and container and
fd.name in (/etc/shadow, /etc/passwd, /root/.ssh/id_rsa, /root/.ssh/authorized_keys)
output: >
Sensitive file accessed
(user=%user.name file=%fd.name container=%container.name image=%container.image.repository)
priority: CRITICAL
tags: [file, security]
- rule: Container Drift Detection
desc: Detect file modifications in containers
condition: >
container and
(open_write or rename or remove) and
not proc.name in (apt, yum, dnf, apk, npm, pip)
output: >
File modified in container
(user=%user.name file=%fd.name proc=%proc.name container=%container.name)
priority: WARNING
tags: [container, drift]
# Enable Prometheus metrics
metrics:
enabled: true
# Service Monitor for Prometheus Operator
serviceMonitor:
enabled: true
interval: 30s
# Grafana dashboard
grafanaDashboard:
enabled: false
# Falcosidekick integration (for forwarding alerts)
falcosidekick:
enabled: true
fullfqdn: false
config:
# Output to stdout/logs
debug: false
# Slack integration (optional)
# slack:
# webhookurl: ""
# minimumpriority: "warning"
# Discord integration (optional)
# discord:
# webhookurl: ""
# minimumpriority: "warning"
# Falcosidekick Web UI
webui:
enabled: true
replicaCount: 1
service:
type: ClusterIP
port: 2802
ingress:
enabled: false
# annotations:
# cert-manager.io/cluster-issuer: letsencrypt-prod
# hosts:
# - host: falco0213.kro.kr
# paths:
# - path: /
# pathType: Prefix
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
# RBAC
rbac:
create: true
# Service Account
serviceAccount:
create: true
name: falco
# Node selector to run on all nodes
nodeSelector: {}
# Tolerations to run on all nodes including masters
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
# Run as DaemonSet on all nodes
daemonset:
updateStrategy:
type: RollingUpdate
# Priority class
priorityClassName: ""
# Extra environment variables
extraEnvVars: []
# Extra volumes
extraVolumes: []
extraVolumeMounts: []

6
falco/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# ArgoCD Application 리소스는 root kustomization.yaml에서 관리
# - argocd/falco.yaml