Added Falco with rules for detecting root

apps/falco/configmap.yaml

@@ -0,0 +1,76 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: falco-config
+  namespace: falco
+data:
+  values.yaml: |
+    tty: true
+    falco:
+      rules_files:
+      - /etc/falco/falco_rules.yaml
+      - /etc/falco/falco_rules.local.yaml
+      # - /etc/falco/falco-incubating_rules.yaml
+      - /etc/falco/rules.d
+    falcoctl:
+      config:
+        artifact:
+          install:
+            rulesfilesDir: /etc/falco
+            refs:
+            - falco-rules:3
+            # - falco-incubating-rules:4
+          follow:
+            rulesfilesDir: /etc/falco
+            refs:
+            - falco-rules:3
+            # - falco-incubating-rules:4
+    falcosidekick:
+      enabled: true
+      webui:
+        enabled: true
+
+    customRules:
+      custom-rules.yaml: |-
+        - macro: container_started
+          condition: >
+            ((evt.type = container or
+            (spawned_process and proc.vpid=1)) and
+            container.image.repository != incomplete)
+        - list: trusted_namespaces
+          items: [capi-addon-system,capi-janitor-system,capi-kubeadm-bootstrap-system,capi-kubeadm-control-plane-system,capi-operator-system,capi-self,capi-system,capo-system,cert-manager,flux-system,kube-node-lease,kube-public,kube-system,node-problem-detector,openstack-system,sealed-secrets-system,intel]
+        - macro: in_trusted_namespace
+          condition: (k8s.ns.name in (trusted_namespaces))
+
+        - rule: Contact K8S API Server From Container # generates a lot of noise, but is it worth having this for some namespaces?
+          enabled: false
+          override:
+            enabled: replace
+
+        - rule: Container Run as Root User # taken from sandbox rules minus exclusions (can add back in later) + higher priority
+          desc: > 
+            Container detected running as the root user. This should be taken into account especially when policies disallow containers from running with 
+            root user privileges. Note that a root user in containers doesn't inherently possess extensive power, as modern container environments define 
+            privileges through Linux capabilities. To learn more, check out the rule "Launch Privileged Container".
+          condition: > 
+            spawned_process 
+            and container 
+            and proc.vpid=1 
+            and user.uid=0 
+            and not in_trusted_namespace
+          output: Container launched with root user privilege (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
+          priority: CRITICAL
+          tags: [maturity_sandbox, container, process, users, mitre_execution, T1610]
+
+        - rule: Privileged Container Started # version in incubating rules seems to trust arbitrary images
+          desc: > 
+            Detect the initial process initiation within a privileged container. 
+          condition: >
+            container_started
+            and container
+            and container.privileged=true
+            and not in_trusted_namespace
+          output: Privileged container started (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
+          priority: CRITICAL
+

apps/falco/helmrelease.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: falco
+  namespace: falco
+spec:
+  interval: 1m
+  chart:
+    spec:
+      chart: falco
+      version: "v4.21.1"
+      interval: 5m
+      sourceRef:
+        kind: HelmRepository
+        name: falco
+  valuesFrom:
+  - kind: ConfigMap
+    name: falco-config

apps/falco/helmrepository.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: falco
+  namespace: falco
+spec:
+  url: https://falcosecurity.github.io/charts
+  interval: 1h

apps/falco/kustomization.yaml

@@ -0,0 +1,5 @@
+resources:
+  - namespace.yaml
+  - helmrepository.yaml
+  - helmrelease.yaml
+  - configmap.yaml

apps/falco/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: falco