Detect CVE-2020-8557 using Falco
Blog post from Sysdig
CVE-2020-8557 is a medium-severity vulnerability in Kubernetes that affects the kubelet and allows a denial of service (DoS) attack through the /etc/hosts file that the kubelet mounts into every pod (fixed in kubelet v1.16.13, v1.17.9 and v1.18.6). The root cause is that the kubelet's eviction manager did not count this file toward a pod's ephemeral storage usage, so a process inside a container could write unbounded data to /etc/hosts without ever triggering an eviction, filling the node's disk and denying service to the whole node. Falco, an open-source runtime threat detection tool for containers and Kubernetes, can detect exploitation attempts by monitoring file writes under /etc from containers, /etc/hosts included; its customizable rules raise a security event as soon as a matching system call is observed. As a mitigation, an AppArmor profile that denies write access to /etc/hosts while still allowing the container's other normal activity can be applied to the pod. The advice is to put this mitigation in place until the cluster can be upgraded to a patched kubelet, since the profile blocks the write on the node regardless of the Kubernetes version in use.
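The two artifacts described above, a Falco rule that alerts on container writes to /etc/hosts and an AppArmor profile that denies them, as an added example that is not code from the Sysdig post or from the Falco project. The script writes both files, loads the profile with apparmor_parser when it can, and emits a pod manifest that attaches the profile. The rule name, the profile name `k8s-deny-write-etc-hosts`, the output directories and the `hosts-protected` pod are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the Sysdig post): Falco rule + AppArmor profile
# for CVE-2020-8557. Directory paths and names below are assumptions.
set -eu

FALCO_RULES_DIR="${FALCO_RULES_DIR:-/etc/falco/rules.d}"
APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"
PROFILE_NAME="k8s-deny-write-etc-hosts"   # hypothetical profile name

# Falco rule: a process in a container opening /etc/hosts for writing.
# This is the syscall-level pattern of the CVE-2020-8557 exploit.
falco_rule() {
  cat <<'EOF'
- rule: Write to /etc/hosts in container (CVE-2020-8557)
  desc: >
    A container process opened the kubelet-managed /etc/hosts for writing.
    Writes to this file were not counted against ephemeral storage and
    could fill the node's disk (CVE-2020-8557).
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_write=true
    and container.id != host and fd.name = /etc/hosts
  output: >
    Container wrote to /etc/hosts (user=%user.name command=%proc.cmdline
    file=%fd.name container_id=%container.id image=%container.image.repository
    k8s_pod=%k8s.pod.name k8s_ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, filesystem, CVE-2020-8557]
EOF
}

# AppArmor profile: allow ordinary file, network and capability use, but
# refuse writes to /etc/hosts. A deny rule always wins over an allow rule.
apparmor_profile() {
  cat <<EOF
#include <tunables/global>

profile ${PROFILE_NAME} flags=(attach_disconnected) {
  #include <abstractions/base>

  file,
  network,
  capability,

  # The one thing the workload must not do (CVE-2020-8557 mitigation).
  deny /etc/hosts w,
}
EOF
}

# Pod manifest attaching the profile via the pre-1.30 annotation form.
pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: hosts-protected
  annotations:
    container.apparmor.security.beta.kubernetes.io/app: localhost/${PROFILE_NAME}
spec:
  containers:
  - name: app
    image: busybox
    command: ["sh", "-c", "sleep 3600"]
EOF
}

# Write the rule file and print its path.
install_falco_rule() {
  mkdir -p "$FALCO_RULES_DIR"
  falco_rule > "$FALCO_RULES_DIR/cve-2020-8557.yaml"
  echo "$FALCO_RULES_DIR/cve-2020-8557.yaml"
}

# Write the profile, load it into the kernel when AppArmor is available and
# we are root (otherwise only the file is left in place), and print its path.
install_apparmor_profile() {
  mkdir -p "$APPARMOR_DIR"
  apparmor_profile > "$APPARMOR_DIR/$PROFILE_NAME"
  if command -v apparmor_parser >/dev/null 2>&1 \
     && [ -d /sys/kernel/security/apparmor ] \
     && [ "$(id -u)" -eq 0 ]; then
    apparmor_parser -r "$APPARMOR_DIR/$PROFILE_NAME"
  fi
  echo "$APPARMOR_DIR/$PROFILE_NAME"
}

case "${1:-}" in
  install)  install_falco_rule; install_apparmor_profile ;;
  manifest) pod_manifest ;;
  *)        printf 'usage: %s install|manifest\n' "$0" ;;
esac
```

Run `sh mitigate.sh install` as root on each node (a DaemonSet is the usual vehicle), then `sh mitigate.sh manifest | kubectl apply -f -`; a `sh -c 'yes >> /etc/hosts'` inside the pod is then refused with EACCES, and on nodes where the profile is not yet loaded Falco still raises the rule above.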