Specific Environments
GKE
Google Kubernetes Engine (GKE) uses Container-Optimized OS (COS) as the default operating system for its worker node pools. COS is a security-hardened operating system that restricts access to parts of the underlying OS. Because of this constraint, Falco cannot load its kernel module to capture system calls. However, COS supports eBPF (extended Berkeley Packet Filter), which can supply the stream of system calls to the Falco engine instead.
To use Falco on GKE, you need to deploy it with one of the two available eBPF drivers. The modern eBPF probe is the default driver in Falco 0.38.0 and later, so no further action is required in that case. If your kernel does not support the modern eBPF driver, use the legacy eBPF probe driver instead.
gVisor
Falco offers native support for gVisor. A specific configuration is necessary to integrate Falco with gVisor seamlessly. For detailed instructions, refer to the gVisor Event Source documentation.
K3s
K3s is a lightweight, CNCF certified Kubernetes distribution. It has embedded components like etcd (datastore), CoreDNS, traefik ingress controller, etc., to simplify Kubernetes installation or upgrade.
If you are using K3s with containerd, you need to point Falco at the K3s containerd socket, because K3s places it at a path that differs from the default socket path configured in Falco.
If you install Falco on the host machine:
- Append the parameter -o container_engines.cri.sockets[]=/run/k3s/containerd/containerd.sock when starting the Falco binary.
If you install Falco inside K3s with Helm:
- Append the options --set collectors.containerd.enabled=true --set collectors.containerd.socket=/run/k3s/containerd/containerd.sock when installing with Helm.
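The two K3s procedures above, as an added worked example (this is not code from the Falco project or its documentation): a small POSIX sh helper that builds the host command-line override and the Helm flags for the K3s containerd socket, and a preflight check that refuses to start Falco when that socket is missing. The socket path and the flag names come from the page; the function names and the optional prefix argument used for testing are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Falco docs: CRI socket settings for Falco on K3s.
# The socket path and flags are the ones the page gives; helper names are ours.

K3S_CRI_SOCKET="/run/k3s/containerd/containerd.sock"

# Print the override to append to the falco command line on the host.
# "[]=" appends to Falco's container_engines.cri.sockets list rather than
# replacing it, so the default socket paths keep working on mixed fleets.
falco_host_cri_override() {
    printf '%s\n' "-o container_engines.cri.sockets[]=$1"
}

# Print the Helm flags for an in-cluster install that must read the K3s socket.
falco_helm_cri_args() {
    printf '%s\n' "--set collectors.containerd.enabled=true --set collectors.containerd.socket=$1"
}

# Preflight: succeed only if the path is a Unix domain socket. The optional
# second argument is a path prefix used by tests; pass nothing on a real node.
cri_socket_present() {
    [ -S "${2:-}$1" ]
}

# Assemble the host invocation, refusing to start if the socket is absent:
# without a reachable CRI socket Falco still runs, but container image and
# name fields in its alerts are not populated, which weakens any rule that
# relies on them.
falco_k3s_host_cmd() {
    sock="${1:-$K3S_CRI_SOCKET}"
    if ! cri_socket_present "$sock"; then
        echo "error: K3s containerd socket not found at $sock" >&2
        return 1
    fi
    printf 'falco %s\n' "$(falco_host_cri_override "$sock")"
}
```

Source the file on a K3s node and run falco_k3s_host_cmd to print the exact command line to start (or to get a non-zero exit if the socket is not there); falco_helm_cri_args "$K3S_CRI_SOCKET" prints the flags to paste onto your helm install command.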