Feature request: Container Checkpoint Support

[Elghazali-99]

I would like to suggest adding support for container checkpoint functionality to Falco Talon.

This feature allows saving the state of running containers, which could enhance the capability to perform forensics and investigation on the compromized containers/pods.

This feature has been merged into Kubernetes v1.25.

• https://kubernetes.io/blog/2022/12/05/forensic-container-checkpointing-alpha/
• https://kubernetes.io/docs/reference/node/kubelet-checkpoint-api/

Supports:

• Containerd ( See https://criu.org/Containerd)
• CRI-O ( with flag --enable-criu-support=true )

[Issif]

Good idea, I'll add that to our Todo list. I already thought about it, it requires the runtime to be started with the right flag, it's not always true.

[Issif]

I did some searches, you can correct me if I'm wrong, but here's the results:

• the feature has a lot of requirements:
  • the container runtime must have the feature and be started with it enabled
  • the feature in k8s is behind the feature gate, it requires the kubelet to be started with a specific option
  • criu must be installed on all nodes
• moreover, the checkpoints are stored under /var/lib/kubelet/checkpoints, it means, we have to follow this procedure:
  • trigger the checkpoint with talon
  • wait til the completion
  • start a pod on the exact same node with /var/lib/kubelet/checkpoints mounted from the host
  • use that pod to get the checkpoint and push it to an available output (s3 or minio) for now

Even if it's technically doable, I would prefer to wait this feature to be GA and avoid to spend to much time on it today, and see it totally removed or modified in the future.

wdyt?

cc @IgorEulalio @xinity