Zarf - Airgap deployment in kubernetes

Zarf is a free and open-source tool that enables declarative creation & distribution of software into air-gapped/constrained/standalone environments.
Zarf provides a way to package and deploy software in a way that is repeatable, secure, and reliable.

Install Zarf CLI

ZARF_VERSION=$(curl -sIX HEAD https://github.com/zarf-dev/zarf/releases/latest | grep -i ^location: | grep -Eo 'v[0-9]+.[0-9]+.[0-9]+')

curl -sL "https://github.com/zarf-dev/zarf/releases/download/${ZARF_VERSION}/zarf_${ZARF_VERSION}_Linux_amd64" -o zarf
chmod +x zarf

Download init package

When init this will deploy a registry and a couple more pods into the destination cluster

zarf tools download-init
zarf init --confirm

In this guide we will deploy falco for real time threat detection in kuberentes, config files are an example. Adapt to your needs.

Create a file zarf.yaml with the following data, images can be found with a command later on this guide

kind: ZarfPackageConfig
metadata:
  name: falco
  version: 4.20.1
  description: |
    "A Zarf Package that deploys Falco Security for real time runtime threat detection"
components:
  - name: falco
    description: |
      "Deploys the falcosecurity falco chart into the cluster"
    required: true
    charts:
      - name: falco
        url: https://falcosecurity.github.io/charts
        version: 4.20.1
        namespace: falco
        valuesFiles:
          - values.yaml
    images:
      - docker.io/falcosecurity/falco-driver-loader:0.40.0
      - docker.io/falcosecurity/falco:0.40.0-debian
      - docker.io/falcosecurity/falcoctl:0.11.0
      # Cosign artifacts for images - falco - falco
      - index.docker.io/falcosecurity/falco-driver-loader:sha256-8bb7b51adf6598c5d9c90d2f3e55724212e6282afbd26f0ba428db9c0c417fbf.sig
      - index.docker.io/falcosecurity/falco:sha256-bfa486ca137359e90401f6121e52065e99bff44a949c02229fd0df467386fcaa.sig
      - index.docker.io/falcosecurity/falcoctl:sha256-4b590b9c49a881a55f6c3121c235057951418d726a9c43c4e1dbe3a5fcf358d3.sig
      - index.docker.io/falcosecurity/falcoctl:sha256-4b590b9c49a881a55f6c3121c235057951418d726a9c43c4e1dbe3a5fcf358d3.att

This command will output the list of images to include into zarf.yaml

zarf dev find-images

Generate a values.yml with the configuration you need, in this example I'm adding a custom rule for testing

customRules:
  custom-rules.yaml: |-
    - rule: id_usage
      desc: id usage
      condition: >
        evt.type = execve and
        evt.dir = < and
        container.id != host and 
        proc.name = id    
      output: >
        id command is used 
        (user=%user.name container_id=%container.id container_name=%container.name 
        shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)    
      priority: CRITICAL

Validate there is no errors in the config files.

zarf dev lint .

Generate a tar file with the images and config

zarf package create . --confirm

Deploy the package into the cluster, this will push images into local registry and invoke helm to deploy the resources in the chart.

zarf package deploy zarf-package-falco-amd64-4.20.1.tar.zst  --confirm

PreviousFalco real time runtime thread detection on k8s NextOWASP Dependency-track

Last updated 11 months ago