Falco founder: Kubernetes security has to do better than “don’t worry – OH MY GOD”

It’s almost a year since Sysdig’s behavioral activity monitoring tool Falco entered the sandbox of the Cloud Native Computing Foundation (CNCF). We talked to the company’s new chief open source advocate Kris Nova and co-founder Loris Degioanni to check in about the project’s progress and talk about the state of Kubernetes security and open source licensing in general.

Falco was first introduced to the public back in May 2016. It’s no secret that security wasn’t exactly a top priority when Kubernetes was developed, so Falco was set up to tackle some of the challenges the orchestrator introduced to the modern infrastructure stack.

“Orchestration and containerisation technologies such as Kubernetes are extremely powerful and work beautifully when they work,” Degioanni explains, “but very often they tend to increase opaqueness and make it harder to see what is actually happening, because of the complexity of all the moving parts.” The other issue, although this might sound strange at first, is the open nature of the Kubernetes ecosystem.

“Kubernetes is designed from the beginning by a set of players that decided to create it in a way that is completely open source and community based,” Degioanni continues. “At the same time, security still tends to be largely vendor-based and proprietary. The early approaches to Kubernetes security were mostly proprietary vendors with commercial tools that were closed source.”

When Falco started to gain traction, the project’s focus started to shift slightly, in order to accommodate the needs of the community. “I’ve been very fond of thinking of Falco as a security kernel for Kubernetes,” Nova says of the new direction.

Moving the project into the CNCF in October 2018 was the logical next step for Degioanni. “In order to be cloud-native and to actually be placed as a part of the stack of the next generation of infrastructures, you want to be part of the CNCF nowadays.”

But the foundation has strict rules on what projects must do to make it to the next stage, so the first months in the sandbox were mostly spent setting up processes and working on Falco’s own infrastructure. With Nova, who spent quite some time on the Kubernetes project, now on board, this trajectory is likely to continue.

The course of action to drive the open development of Falco, for example, is going to be more in line with what is done at the CNCF’s flagship product. “We have weekly calls on Wednesday that we would like to start inviting folks to,” Nova says. “In general all of our decisions will be made in a public forum in the same spirit of Kubernetes and how we did things there.”

This doesn’t mean, however, that there won’t be any new features to look forward to in the next couple of months. “I think we’re going to do 50 per cent feature work and 50 per cent infrastructure/process work,” Nova reassures. “The next big exciting feature we’re working on right now is a gRPC interface for Falco and we hope to have a Go implementation that we can advertise openly as well.”

While open source seems like the way to go for many companies, the model has been under more scrutiny than usual this year, with cloud vendors forking projects to “protect users from unclear conditions” and some projects changing their licensing to something less permissive to make repackaging harder.

Sysdig, however, had to go in the opposite direction with Falco. “This happened when we joined the CNCF,” Degioanni says, “because for historical reasons our open source was based on the GPL license and we switched to the Apache License which is much more open and liberal for the users.”

Asked if he was worried about bigger players’ approach to making use of Sysdig’s projects, Degioanni smirks: “I’ve done open source for almost a decade now, and personally my approach has always been slightly different. Instead of creating open source projects and then building a business on mostly support and licensing for these projects, I always try to build situations where you create a thriving community and give a lot to the community, but at the same time there is a space to essentially build a commercial project on top of that.” 

He considers cloud providers simply as “partners” who’ll introduce new users to Sysdig’s offerings and approaches them accordingly. “Of course we’d like for them to give us credit, but they don’t have to – if they do it, it will expose users to the power of our technology and our bet is that will be good for us. It essentially creates a batch of faithful users that will then be interested to look into our suite of commercial products.”

In terms of Falco, Nova sees parallels with the Linux kernel. “The Linux kernel is an open source project, it’s widely adopted, used in the enterprise and in production. It’s got a lot of eyeballs on it. But there are very unique implementations of the operating system on top of the kernel. I think Sysdig Secure and our other products are an example of implementing Falco as a kernel and using it to our advantage.”

“In a perfect world we would get as many folks as possible interacting with Falco, they’re going to come up with their own ideas, start to draft their own creativity, start to pull Falco in as the engine, and using that to their own implementation.”

Chances for that are good right now, because thanks to Kubernetes maturing and its adoption rates soaring, security projects associated with the container orchestrator have gained quite some interest in the last couple of months. 

According to Degioanni, this is mainly down to the project making its way out of the labs and into production, which means it isn’t strictly for engineers anymore. “We went through a couple of years of a lot of people looking into it and lots of companies kicking tires with it. But the deployments have been largely in the lab, maybe for CI/CD or to run second tier applications that were not critical for the company.”

While trying things out and just getting something to work was fine before, now platform owners and security teams step in, putting security at the top of engineers’ to-do lists. “I almost feel like the adoption of security for something as new as Kubernetes is more like a step,” Degioanni muses, “it’s like ‘okay, okay, okay, don’t worry, don’t worry, don’t worry, OH MY GOD’.”

Nova adds: “Usually when engineers approach solving a problem, the way they think is: make it work, make it fast, make it secure. I think we’re at that phase in the Kubernetes lifecycle, where Kubernetes is effectively complete and we’re now able to circle back around and start looking at things like security. We’re starting to give Kubernetes a second pass from an engineering perspective and I think that’s why tools like Falco are beginning to become popular and see adoption in upstream open source – just simply because we didn’t have the time and the resources to do it until now.”