Production-ready observability stack for kind-devops-lab cluster: Loki (log aggregation) + Falco (runtime security).
This repo is separate from the main devops-lab-repo to keep concerns clean and allow reuse across clusters.
┌──────────────────────────────────────────────────────────────┐
│                    kind-devops-lab Cluster                   │
│                                                              │
│   ┌──────────────────┐           ┌──────────────────┐        │
│   │     All Pods     │           │     All Nodes    │        │
│   │     (all ns)     │           │                  │        │
│   └────────┬─────────┘           └────────┬─────────┘        │
│            │ pod logs                     │ syscalls         │
│            ▼                              ▼                  │
│   ┌──────────────────┐           ┌──────────────────┐        │
│   │     Promtail     │           │      Falco       │        │
│   │     DaemonSet    │           │     DaemonSet    │        │
│   │ (scrapes         │           │ * syscall rules  │        │
│   │  /var/log/pods/*)│           │ * alerts->stdout │        │
│   └────────┬─────────┘           └────────┬─────────┘        │
│            │ logs (HTTP push)             │ metrics (5555)   │
│            ▼                              │                  │
│   ┌──────────────────┐                    │                  │
│   │       Loki       │                    │                  │
│   │    StatefulSet   │                    │                  │
│   │ * PVC (5Gi def.) │                    │                  │
│   │ * LogQL queries  │                    │                  │
│   └───┬──────────┬───┘                    │                  │
│       │          │ Loki metrics           │                  │
│       │          ▼                        ▼                  │
│       │   ┌────────────────────────────────────────┐         │
│       │   │       Prometheus (monitoring ns)       │         │
│       │   └───────────────────┬────────────────────┘         │
│       │ LogQL                 │ PromQL / alerts              │
│       ▼                       ▼                              │
│   ┌────────────────────────────────────────────────┐         │
│   │            Grafana (monitoring ns)             │         │
│   │   * Logs (Loki)   * Metrics (Prom)   * Alerts  │         │
│   └────────────────────────────────────────────────┘         │
└──────────────────────────────────────────────────────────────┘

Two things worth keeping in mind when reading this picture: Falco's alerts go to its own stdout, so they are also pod logs and end up in Loki through Promtail like everything else; and Falco needs host-level access to see syscalls (a privileged DaemonSet loading a kernel driver), so whoever can change its rules ConfigMap can silence it.
Prerequisites:
- kind-devops-lab cluster running
- ArgoCD installed (or Flux, if you prefer)
- kubectl, kustomize and argocd (or flux) in PATH
┌────────────────────────────────────────────────┐
│                Deployment Flow                 │
├────────────────────────────────────────────────┤
│                                                │
│  Option A: ArgoCD (Recommended)                │
│  ┌──────────────────────────────────────────┐  │
│  │ $ ./deploy.sh --mode argocd              │  │
│  │                                          │  │
│  │ 1. Creates Loki Application              │  │
│  │ 2. Creates Falco Application             │  │
│  │ 3. ArgoCD watches the Git repo           │  │
│  │ 4. Auto-syncs on push                    │  │
│  └──────────────────────────────────────────┘  │
│                                                │
│  Option B: Flux (Learning)                     │
│  ┌──────────────────────────────────────────┐  │
│  │ $ export GITHUB_USER=simonjday           │  │
│  │ $ export GITHUB_TOKEN=ghp_xxx            │  │
│  │ $ ./deploy.sh --mode flux                │  │
│  │                                          │  │
│  │ 1. Bootstraps Flux in flux-system ns     │  │
│  │ 2. Creates GitRepository CR              │  │
│  │ 3. Creates Kustomization CRs             │  │
│  │ 4. Continuous reconciliation             │  │
│  └──────────────────────────────────────────┘  │
│                                                │
└────────────────────────────────────────────────┘

GITHUB_TOKEN is a GitHub personal access token that the Flux bootstrap uses to commit the Flux manifests into your repo. Scope it to that one repository, export it from a secrets manager rather than typing it on the command line (it lands in shell history otherwise), and never commit it.
Verify:
# Check status
argocd app list | grep -E "loki|falco"
kubectl get pods -n observability
kubectl get pods -n falco
# Port-forward and query. Loki does no authentication of its own, so reach it
# only this way or through Grafana; do not expose the Service outside the cluster.
kubectl port-forward -n observability svc/loki 3100:3100 &
curl http://localhost:3100/loki/api/v1/labels

devops-lab-observability/
│
├── observability/loki/          # Log aggregation
│   ├── loki-stack.yaml          #   • Loki StatefulSet
│   │                            #   • Promtail DaemonSet
│   └── kustomization.yaml
│
├── security/falco/              # Runtime security
│   ├── falco.yaml               #   • Falco DaemonSet
│   │                            #   • Custom rules
│   └── kustomization.yaml
│
├── overlays/                    # Environment configs
│   ├── dev/                     #   • 2Gi, 256Mi, 3 days
│   │   └── kustomization.yaml
│   ├── staging/                 #   • 10Gi, 512Mi, 7 days
│   │   └── kustomization.yaml
│   └── prod/                    #   • 50Gi, 2Gi, 30 days (HA)
│       └── kustomization.yaml
│
├── flux-system/                 # Flux CD config (optional)
│   └── flux-config.yaml         #   GitRepository + Kustomizations
│
├── kustomization.yaml           # Root orchestrator
├── deploy.sh                    # Deployment script
├── README.md                    # This file
└── docs/                        # Documentation
    ├── GITOPS_INTEGRATION_GUIDE.md
    ├── QUICK_REFERENCE.md
    ├── SETUP_INSTRUCTIONS.md
    └── ...
   Pod logs (all namespaces,             System calls
   incl. Falco alerts on stdout)         (every node)
              │                               │
              ▼                               ▼
       ┌─────────────┐                 ┌─────────────┐
       │  Promtail   │                 │    Falco    │
       │  DaemonSet  │                 │  DaemonSet  │
       └──────┬──────┘                 └──────┬──────┘
              │ HTTP push                     │ metrics (5555)
              ▼                               │
       ┌─────────────┐                        │
       │    Loki     │                        │
       │ StatefulSet │                        │
       └──┬──────┬───┘                        │
          │      │ /metrics                   │
          │      ▼                            ▼
          │   ┌──────────────────────────────────┐
          │   │   Prometheus + AlertManager      │
          │   └────────────────┬─────────────────┘
          │ LogQL              │ PromQL / alerts
          ▼                    ▼
       ┌──────────────────────────────────────┐
       │               Grafana                │
       └──────────────────────────────────────┘
┌─────────────┬──────────┬──────────┬──────────────┐
│ Aspect      │ Dev      │ Staging  │ Prod         │
├─────────────┼──────────┼──────────┼──────────────┤
│ Storage     │ 2Gi      │ 10Gi     │ 50Gi         │
│ Memory      │ 256Mi    │ 512Mi    │ 2Gi          │
│ CPU         │ 100m     │ 200m     │ 500m         │
│ Retention   │ 3 days   │ 7 days   │ 30 days      │
│ Log level   │ debug    │ info     │ warn         │
│ Replicas    │ 1        │ 1        │ 3            │
│ HA mode     │ No       │ No       │ Yes          │
└─────────────┴──────────┴──────────┴──────────────┘

Storage, memory and CPU are the Loki StatefulSet's PVC size and resource limits; retention is how long Loki keeps chunks before its compactor deletes them. Note that three Loki replicas only give you real HA when they share a backend (object storage plus a memberlist ring); with a filesystem PVC per replica, each replica only sees the logs it ingested itself.
# Start port-forward
kubectl port-forward -n observability svc/loki 3100:3100 &
# Query labels
curl http://localhost:3100/loki/api/v1/labels
# Query logs (everything from the default namespace in the last hour).
# start is given in Unix seconds and end defaults to now; a bounded window
# like this stays under Loki's max_query_length limit, which start=0 would not.
curl -G -s http://localhost:3100/loki/api/v1/query_range \
  --data-urlencode 'query={namespace="default"}' \
  --data-urlencode "start=$(($(date +%s) - 3600))" | jq .

Grafana → Configuration → Data Sources → Add Loki
  URL: http://loki.observability.svc.cluster.local:3100
        │
        ▼
Explore → select Loki
        │
        ▼
Query logs (LogQL)
System calls ──(eBPF)──► Falco ──(rules)──► allowed / ALERT
                      (DaemonSet)
                           │
              ┌────────────┴────────────┐
              ▼                         ▼
        Logs (stdout)            Metrics (5555)
              │                         │
        kubectl logs               Prometheus
  (and Loki, via Promtail)              │
                                  Alertmanager
# 1. Deploy test app
kubectl create deployment test-app --image=busybox \
  -- sh -c "while true; do echo 'test'; sleep 1; done"
# 2. Wait for Promtail to pick up the pod's log file
sleep 30
# 3. Query in Loki (pod names carry a generated suffix, so match them with a
#    regex; assumes the port-forward from above is still running). Prints the
#    number of matching streams; expect 1.
curl -G -s http://localhost:3100/loki/api/v1/query_range \
  --data-urlencode 'query={pod=~"test-app-.*"}' \
  --data-urlencode "start=$(($(date +%s) - 3600))" | jq '.data.result | length'
# 4. Cleanup
kubectl delete deployment test-app
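The query_range calls above (the namespace query and the test-app check) have a few traps: start and end are nanosecond Unix timestamps unless the value is ten digits or shorter, an unbounded window trips Loki's max_query_length limit, and a metric query returns a different result shape than a log selector. The following is an added example, not code from this repo, that builds a bounded request and summarizes the response. It assumes Loki is port-forwarded to localhost:3100 as shown above; the sample response and its pod name are constructed for the example.

```python
"""Bounded Loki query_range requests and a summary of what they return.

Added example for this README; not part of the repo. It assumes Loki is
port-forwarded to localhost:3100 as shown above. The sample response is
constructed in the shape Loki's /loki/api/v1/query_range returns for a
log selector.
"""
import json
import time
import urllib.parse
import urllib.request

LOKI_URL = "http://localhost:3100"  # assumption: the port-forward above
NS_PER_SEC = 1_000_000_000


def query_range_url(query, since_seconds, now_ns=None, base_url=LOKI_URL, limit=1000):
    """Build a query_range URL covering the last since_seconds.

    start/end are sent as 19-digit nanosecond Unix timestamps. Loki reads a
    value of up to 10 digits as seconds and longer integers as nanoseconds, so
    being explicit avoids surprises, and a bounded window stays under
    max_query_length, which start=0 does not.
    """
    if now_ns is None:
        now_ns = time.time_ns()
    params = {
        "query": query,
        "start": str(now_ns - since_seconds * NS_PER_SEC),
        "end": str(now_ns),
        "limit": str(limit),
    }
    return f"{base_url}/loki/api/v1/query_range?{urllib.parse.urlencode(params)}"


def summarize(response):
    """Count streams, lines and distinct pods in a query_range response body."""
    if response.get("status") != "success":
        raise ValueError(f"Loki returned status {response.get('status')!r}")
    data = response["data"]
    if data.get("resultType") != "streams":
        # Metric queries (rate(), count_over_time(), ...) return "matrix", not "streams".
        raise ValueError("expected a streams result; use a log selector")
    streams = data["result"]
    return {
        "streams": len(streams),
        "lines": sum(len(s["values"]) for s in streams),
        "pods": sorted({s["stream"].get("pod", "<none>") for s in streams}),
    }


def fetch_summary(query, since_seconds=3600):
    """Run the query against LOKI_URL (needs the port-forward) and summarize it."""
    with urllib.request.urlopen(query_range_url(query, since_seconds)) as resp:
        return summarize(json.load(resp))


# Constructed sample: three lines from the busybox test deployment of step 1.
SAMPLE_RESPONSE = {
    "status": "success",
    "data": {
        "resultType": "streams",
        "result": [{
            "stream": {"namespace": "default", "container": "busybox",
                       "pod": "test-app-7d9f6c8b5d-x2k9q"},
            "values": [["1700000000000000000", "test"],
                       ["1700000001000000000", "test"],
                       ["1700000002000000000", "test"]],
        }],
    },
}

if __name__ == "__main__":
    print(query_range_url('{pod=~"test-app-.*"}', 3600))
    print(summarize(SAMPLE_RESPONSE))
```

With the port-forward running, `fetch_summary('{pod=~"test-app-.*"}')` does what step 3 does with curl and jq, but returns a dict you can assert on in a smoke test instead of eyeballing the output.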
# 1. Trigger a shell alert (an interactive exec matches the stock
#    "Terminal shell in container" rule)
kubectl exec -it <pod> -n <ns> -- /bin/bash
# 2. Check logs
kubectl logs -n falco -l app=falco -f | grep -i "shell"
# 3. Check metrics (port-forward one Falco pod first; 5555 is the metrics
#    port this repo configures)
kubectl port-forward -n falco <falco-pod> 5555:5555 &
curl -s http://localhost:5555/metrics | grep falco_alerts_total
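Grepping for "shell" in step 2 tells you the rule fired, but not in which pod or how severe the other alerts were, and step 3 leaves you summing counter samples by eye. Below is an added example, not code from this repo or from Falco, that does the same triage over Falco's JSON output and over the Prometheus text format. It assumes Falco runs with json_output: true (so each stdout line is one JSON alert) and takes the counter name falco_alerts_total from the README's own check; substitute whatever your metrics endpoint actually exposes. Both sample inputs are constructed.

```python
"""Triage Falco alerts from `kubectl logs` and sum the alert counter.

Added example for this README; not code from the repo or from Falco. Assumes
Falco runs with json_output: true so every stdout line is one JSON alert. The
counter name falco_alerts_total is the one the README greps for (assumption).
Both sample inputs below are constructed.
"""
import json
import re
from collections import Counter

# Falco's priority scale, most severe first.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
RANK = {p: i for i, p in enumerate(PRIORITIES)}


def parse_alerts(lines):
    """Return the well-formed JSON alerts in a stream of Falco stdout lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # startup messages and other non-alert output
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line must not stop triage
        if all(k in event for k in ("rule", "priority", "output")):
            alerts.append(event)
    return alerts


def at_least(alerts, min_priority="Warning"):
    """Alerts at min_priority or more severe; unknown priorities are kept (rank 0)."""
    cutoff = RANK[min_priority]
    return [a for a in alerts if RANK.get(a["priority"], 0) <= cutoff]


def shells_by_pod(alerts):
    """Count shell-related alerts per pod (step 2's grep, broken down by pod)."""
    counts = Counter()
    for a in alerts:
        if "shell" in a["rule"].lower():
            pod = a.get("output_fields", {}).get("k8s.pod.name", "<unknown>")
            counts[pod] += 1
    return dict(counts)


def counter_total(metrics_text, name):
    """Sum a Prometheus counter over all its label sets (step 3's grep, as a number).

    Only exact-name samples count: falco_alerts_total_created and the
    # HELP / # TYPE lines are skipped.
    """
    pattern = re.compile(r"^" + re.escape(name) + r"(\{[^}]*\})?\s+(\S+)")
    total = 0.0
    for line in metrics_text.splitlines():
        m = pattern.match(line)
        if m:
            total += float(m.group(2))
    return total


def _alert(priority, rule, pod, output):
    """One constructed alert in Falco's JSON output shape."""
    return json.dumps({
        "time": "2024-05-01T10:00:00.000000000Z", "priority": priority, "rule": rule,
        "source": "syscall", "output": output,
        "output_fields": {"k8s.ns.name": "default", "k8s.pod.name": pod},
    })


SAMPLE_LOGS = [  # constructed `kubectl logs -n falco` output
    "Falco initialized with configuration file: /etc/falco/falco.yaml",
    _alert("Notice", "Terminal shell in container", "test-app-7d9f6c8b5d-x2k9q",
           "A shell was spawned in a container with an attached terminal (user=root shell=bash)"),
    _alert("Error", "Write below binary dir", "test-app-7d9f6c8b5d-x2k9q",
           "File below a known binary directory opened for writing (file=/bin/x)"),
    _alert("Notice", "Terminal shell in container", "web-5c6d7f8b9-abcde",
           "A shell was spawned in a container with an attached terminal (user=app shell=sh)"),
    '{"rule": "truncated',
]

SAMPLE_METRICS = """\
# HELP falco_alerts_total Alerts emitted by Falco (constructed sample).
# TYPE falco_alerts_total counter
falco_alerts_total{priority="Notice",rule="Terminal shell in container"} 2
falco_alerts_total{priority="Error",rule="Write below binary dir"} 1
falco_alerts_total_created{priority="Notice",rule="Terminal shell in container"} 1.714557e+09
"""

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOGS)
    print(f"{len(alerts)} alerts, {len(at_least(alerts))} at Warning or above")
    print("shells by pod:", shells_by_pod(alerts))
    print("counter total:", counter_total(SAMPLE_METRICS, "falco_alerts_total"))
```

Pipe real output in with `kubectl logs -n falco -l app=falco | python3 triage.py` after replacing SAMPLE_LOGS with `sys.stdin`; the priority filter is the same threshold the alerting flow below applies when it fires on CRITICAL alerts.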
                        Git push
                           │
              ┌────────────┴────────────┐
              ▼                         ▼
    ┌───────────────────┐       ┌───────────────────┐
    │      ArgoCD       │       │       Flux        │
    │ * Web UI + CLI    │       │ * CLI only        │
    │ * Application CRs │       │ * GitRepository + │
    │ * Recommended     │       │   Kustomization   │
    │                   │       │ * For learning    │
    └─────────┬─────────┘       └─────────┬─────────┘
              │   both pull from Git      │
              └────────────┬──────────────┘
                           ▼
                  kubectl apply / sync
                           │
              ┌────────────┴────────────┐
              ▼                         ▼
    ┌───────────────────┐       ┌───────────────────┐
    │       Loki        │       │       Falco       │
    │    + Promtail     │       │    (DaemonSet)    │
    │   (StatefulSet)   │       │                   │
    └───────────────────┘       └───────────────────┘

Both controllers are pull-based: they poll the Git repo and reconcile the cluster towards it, so nothing in CI needs cluster credentials. The difference is ergonomics (ArgoCD's web UI versus Flux's CLI and CRs), not the direction of the sync.
Falco DaemonSet                Prometheus                 Alertmanager
      │                            │                           │
      │ rule match on a syscall    │                           │
      │ (CRITICAL alert)           │                           │
      │                            │                           │
      │◄──── scrape /metrics ──────│                           │
      │       (port 5555)          │                           │
      │                            │ alert rule matches        │
      │                            │ (CRITICAL > 0)            │
      │                            │──────── fire alert ──────►│
      │                            │                           │───► Slack / PagerDuty / Email
      │                            │                           │
      │                            │                           │     on-call notified
START HERE
   │
   ├── SETUP_INSTRUCTIONS.md
   │     (Step-by-step for your repos)
   │
   ├── REPO_STRUCTURE.md
   │     (What files go where)
   │
   ├── AUTOMATED_SETUP_GUIDE.md
   │     (Using setup-repo.sh)
   │
   ├── GITOPS_INTEGRATION_GUIDE.md
   │     (Full technical reference)
   │
   ├── KUSTOMIZATION_GUIDE.md
   │     (Kustomize deep dive)
   │
   └── QUICK_REFERENCE.md
         (Commands cheat sheet)
- Set it up: ./setup-repo.sh . (or copy the files manually)
- Deploy: ./deploy.sh --mode argocd
- Verify: kubectl get pods -n observability && kubectl get pods -n falco
- Customize: edit the overlays for your environment
- Integrate: add Loki as a Grafana data source
- Alert: route Falco alerts to Slack/PagerDuty
See the documentation in this repo for comprehensive guides:
- GITOPS_INTEGRATION_GUIDE.md: full technical reference
- KUSTOMIZATION_GUIDE.md: Kustomize deep dive
- QUICK_REFERENCE.md: commands cheat sheet
Related repo:
- devops-lab-repo: main platform (Bifrost, Kubecost, Kyverno, etc.)
Questions? Check the documentation files or see the repo's About section.