Monitor honeypods

Big picture

Monitor honeypod behavior with packet-level inspection to gain insight into what attackers are doing.


Adding monitoring to honeypods improves your ability to detect and confirm known threats: network traffic to the honeypods is analyzed, and an alert is raised whenever it matches an Intrusion Detection System (Snort) signature.


This how-to guide uses the following Calico Cloud features:

  • PacketCapture with Honeypod controller


About monitoring honeypods

Honeypods can optionally be monitored using a Calico Cloud controller that periodically polls selected honeypods for suspicious activity and scans their traffic. Alerts are generated in the Events tab of the Calico Cloud Manager UI.

The controller leverages the following:

Before you begin


Honeypods are configured for clusters, and alerts are generated when the honeypods are accessed.

How To

Enable packet capture on honeypods

The following manifest enables packet capture on default honeypods. Be sure to modify the namespace and selector if honeypods are placed elsewhere. For help, see PacketCapture.

kubectl create -f - <<EOF
apiVersion: projectcalico.org/v3
kind: PacketCapture
metadata:
  name: capture-honey
  namespace: tigera-internal
spec:
  selector: all()
EOF

The PacketCapture resource must be named capture-honey; the honeypod controller looks for packet captures by that name.

Add honeypod controller to cluster


If you’ve customized or created your own honeypods, be sure to modify the included capture-honey PacketCapture manifest to target your honeypods.

Add the honeypod controller to each cluster configured for honeypods using the following command:

kubectl apply -f

For OpenShift deployments, the controller requires privileged access:

kubectl apply -f

Add custom Snort rules

You can add custom Snort rules to the controller using a ConfigMap. By default, Calico Cloud uses the Snort Community Ruleset.

The following manifest provides the method to add individual custom signatures:

kubectl create -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: localrule
  namespace: tigera-intrusion-detection
data:
  rules: |
    alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:1000000;)
    alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:1000001;)
EOF

Refer to the Snort Users Manual for guidance on writing Snort signatures.

To add a Snort-compatible ruleset file:

kubectl create cm localrule -n tigera-intrusion-detection --from-file=rules=<SNORT-RULESET-LOCATION>

The size limit for a ConfigMap is 1 MiB. If the ruleset needs more space, mount it into the controller by another method instead of a ConfigMap.
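Before loading a ruleset file, a couple of pre-flight checks catch the problems this step tends to run into: a file over the 1 MiB ConfigMap limit, and rules that lack a sid, reuse one, or use a sid below 1000000 (the range Snort reserves for its distributed rulesets). The script below is an added example, not part of Calico Cloud; it assumes a POSIX shell with awk, wc and mktemp, builds its own sample rulesets, and only calls kubectl when it is installed.

```shell
#!/bin/sh
# Pre-flight checks for a custom Snort ruleset before it goes into the
# localrule ConfigMap. Added example; not Calico Cloud's own tooling.

CONFIGMAP_LIMIT=1048576   # ConfigMap size limit: 1 MiB

# 0 if the ruleset fits in a ConfigMap, 1 otherwise.
check_ruleset_size() {
  [ "$(wc -c < "$1" | tr -d ' ')" -le "$CONFIGMAP_LIMIT" ]
}

# 0 if every rule carries a sid, no sid repeats, and every sid is in the
# local range (sids below 1000000 are reserved for distributed rulesets).
check_sids() {
  awk 'BEGIN { bad = 0 }
    /^[ \t]*#/ { next }                                 # comment line
    NF == 0    { next }                                 # blank line
    {
      if (!match($0, /sid:[ \t]*[0-9]+/)) { print "missing sid: " $0; bad = 1; next }
      sid = substr($0, RSTART + 4, RLENGTH - 4) + 0    # digits after "sid:"
      if (sid < 1000000) { print "sid " sid " is outside the local range"; bad = 1 }
      if (seen[sid]++)   { print "duplicate sid " sid; bad = 1 }
    }
    END { exit bad }' "$1"
}

# Run both checks, then create the ConfigMap the controller mounts.
load_custom_rules() {
  check_ruleset_size "$1" || { echo "ruleset exceeds 1 MiB; mount it another way" >&2; return 1; }
  check_sids "$1" || return 1
  if command -v kubectl >/dev/null 2>&1; then
    kubectl create cm localrule -n tigera-intrusion-detection --from-file=rules="$1"
  fi
}

# Constructed sample rulesets (not captured from a cluster).
GOOD_RULES=$(mktemp)
cat > "$GOOD_RULES" <<'EOF'
# local honeypod signatures
alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:1000000;)
alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:1000001;)
EOF

BAD_RULES=$(mktemp)   # same rules, but the second one reuses sid 1000000
cat > "$BAD_RULES" <<'EOF'
alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:1000000;)
alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:1000000;)
EOF

check_ruleset_size "$GOOD_RULES" && check_sids "$GOOD_RULES" && echo "sample ruleset OK"
```

Run `load_custom_rules <SNORT-RULESET-LOCATION>` against a cluster to perform the checks and create the ConfigMap in one step.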

Update the controller deployment to include the ConfigMap. Important! The mountPath /etc/snort/rules/custom.rules is required; the controller reads custom rules from that path only, so it cannot be changed.

cat <<EOF > patch.yaml
spec:
  template:
    spec:
      containers:
      - name: controller
        volumeMounts:
        - mountPath: /etc/snort/rules/custom.rules
          subPath: custom.rules
          name: custom-rules
          readOnly: true
      volumes:
      - name: custom-rules
        configMap:
          name: localrule
          items:
          - key: "rules"
            path: "custom.rules"
EOF

Apply the patch to the honeypod-controller DaemonSet:

kubectl patch daemonset honeypod-controller -n tigera-intrusion-detection --patch "$(cat patch.yaml)"

Verify the honeypod controller

To verify the installation, ensure that the honeypod controller pods are running in the tigera-intrusion-detection namespace:

kubectl get pods -n tigera-intrusion-detection
NAME                                             READY   STATUS      RESTARTS   AGE
honeypod-controller-57vwk                        1/1     Running     0          22s
honeypod-controller-8vtj6                        1/1     Running     0          22s
honeypod-controller-gk524                        1/1     Running     0          22s
honeypod-controller-k9nz4                        1/1     Running     0          22s
intrusion-detection-controller-bf9794dd7-5qxjs   1/1     Running     0          15m
intrusion-detection-es-job-installer-nfd7t       0/1     Completed   0          15m

To trigger an alert with the example custom signature, first get the Pod IP of one of the honeypods:

kubectl get pod tigera-internal-app-57vwk -n tigera-internal -ojsonpath='{.status.podIP}'

Then run a busybox container that pings the honeypod IP:

kubectl run --restart=Never --image busybox ping-runner -- ping -c1 <honeypod IP>

An alert of type honeypod-controller.snort will be generated, carrying the example custom signature that matched.

