Specific Environments
GKE
Google Kubernetes Engine (GKE) uses Container-Optimized OS (COS) as the default operating system for its worker node pools. COS is a security-enhanced operating system that limits access to certain parts of the underlying OS. Because of this security constraint, Falco cannot insert its kernel module to capture system call events. However, COS allows the use of eBPF (extended Berkeley Packet Filter) to supply the stream of system calls to the Falco engine.
To use Falco on GKE, you need to deploy it with the modern eBPF driver. The modern eBPF driver is the default for Falco 0.38.0 and later, so no further action is required in this case.
gVisor
The gVisor engine has been deprecated in Falco 0.43.0 and will be removed in a future release. From Falco 0.43.0 until its removal, using it results in a warning informing the user about the deprecation. Users are encouraged to switch to another engine, such as the modern eBPF probe, because using the gVisor engine will result in an error after the removal.
Falco offers native support for gVisor. A specific configuration is necessary to integrate Falco with gVisor seamlessly. For detailed instructions, refer to the gVisor Event Source documentation.