chris/amarth
Archived
1
0
Fork 0
Code Issues 30 Pull requests Projects 1 Releases Packages Wiki Activity Actions

Deploy Falco for runtime detection and Kyverno for admission policies #55

New issue
Open
opened 2025-09-01 14:25:23 +00:00 by chris · 0 comments
chris commented 2025-09-01 14:25:23 +00:00
Owner
Copy link

Description

  • Deploy Falco to detect suspicious container behavior and forward alerts to Loki/Alertmanager.
  • Deploy Kyverno to enforce PodSecurity (deny privileged, hostPath, etc.) and reject non-compliant pods.

Priority: P1
Estimate: 10 hours
Acceptance criteria

  • Kyverno policies applied and block offending pods during tests.
  • Falco detects & alerts on simulated suspicious behavior (e.g., shell exec in webserver container).
Description - Deploy Falco to detect suspicious container behavior and forward alerts to Loki/Alertmanager. - Deploy Kyverno to enforce PodSecurity (deny privileged, hostPath, etc.) and reject non-compliant pods. Priority: P1 Estimate: 10 hours Acceptance criteria - Kyverno policies applied and block offending pods during tests. - Falco detects & alerts on simulated suspicious behavior (e.g., shell exec in webserver container).
chris added this to the E - Hardening, Backups & DR milestone 2025-09-01 14:25:23 +00:00
chris added the
security
runtime
policies
 labels 2025-09-01 14:25:23 +00:00
chris self-assigned this 2025-09-01 14:25:23 +00:00
chris added this to the MVP project 2025-09-03 06:51:58 +00:00
This repository is archived. You cannot comment on issues.
No Branch/Tag specified
Branches Tags
main
No results found.
Labels
Clear labels   
alerts

   
architecture

   
automation

   
backend

   
backup

   
billing

   
ceph

   
ci

   
consul

   
database

   
design

   
developer-experience

   
disaster-recovery

   
docs

   
forgejo

   
git

   
grafana

   
hardening

   
incident-response

   
infra

   
k3s

   
k8s

   
kubernetes

   
monitoring

   
multi-tenancy

   
networking

   
nix

   
nodes

   
onboarding

   
opentofu

   
ops

   
payments

   
policies

   
portal

   
prometheus

   
prototype

   
repo

   
rook

   
runners

   
runtime

   
secrets

   
security

   
setup

   
storage

   
templates

   
terraform

   
tls

   
ui

   
workflow
No labels
alerts
architecture
automation
backend
backup
billing
ceph
ci
consul
database
design
developer-experience
disaster-recovery
docs
forgejo
git
grafana
hardening
incident-response
infra
k3s
k8s
kubernetes
monitoring
multi-tenancy
networking
nix
nodes
onboarding
opentofu
ops
payments
policies
portal
prometheus
prototype
repo
rook
runners
runtime
secrets
security
setup
storage
templates
terraform
tls
ui
workflow
Milestone
Clear milestone
No items
No milestone
E - Hardening, Backups & DR
Projects
Clear projects
No items
No project
MVP
Assignees
Clear assignees
No assignees
chris
1 participant
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: chris/amarth#55
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?