Specific Environments

Environment-specific considerations for deploying Falco in production

GKE

Google Kubernetes Engine (GKE) uses Container-Optimized OS (COS) as the default operating system for its worker node pools. COS is a security-hardened operating system that, among other restrictions, does not allow out-of-tree kernel modules to be loaded. Because of this constraint, Falco cannot insert its kernel module to capture system call events. However, COS does provide eBPF (extended Berkeley Packet Filter), which Falco can use instead to supply the stream of system calls to its engine.

To use Falco on GKE, you must deploy it with one of the two available eBPF drivers. The modern eBPF driver is the default as of Falco 0.38.0, so on a node whose kernel supports it no further action is required. The modern eBPF driver requires a kernel of version 5.8 or newer with BTF type information (/sys/kernel/btf/vmlinux) so that the probe can be loaded via CO-RE. If the node kernel does not meet that requirement, use the legacy eBPF probe instead, by setting engine.kind to ebpf in falco.yaml or driver.kind=ebpf when installing the Helm chart.
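The following is an added example, not code from the Falco project or its documentation. It encodes the driver choice described above as a small POSIX shell script: given a kernel release string and whether the kernel exposes BTF, it decides between modern_ebpf and the legacy ebpf driver and prints the matching helm install command. The function names (kernel_supports_modern_ebpf, falco_driver_kind, helm_install_cmd), the falco namespace and the 5.8/BTF threshold used for the decision are this example's assumptions; the chart name falcosecurity/falco and the driver.kind value are the ones the Falco Helm chart accepts.

```shell
#!/bin/sh
# Added example (not from the Falco docs): choose the Falco eBPF driver for a node.
# Assumption encoded here: the modern eBPF driver needs a kernel >= 5.8 built
# with BTF (CO-RE); anything else falls back to the legacy eBPF probe.
# Chart source, if not yet added: helm repo add falcosecurity https://falcosecurity.github.io/charts

# kernel_supports_modern_ebpf RELEASE HAS_BTF
#   RELEASE is a `uname -r` string such as 5.15.0-1033-gke; HAS_BTF is 1 when
#   /sys/kernel/btf/vmlinux exists, 0 otherwise. Returns 0 (true) when the
#   modern eBPF driver can be used.
kernel_supports_modern_ebpf() {
  rel=$1
  has_btf=$2
  major=${rel%%.*}          # "5.15.0-1033-gke" -> "5"
  rest=${rel#*.}            # -> "15.0-1033-gke"
  minor=${rest%%.*}         # -> "15"
  minor=${minor%%-*}        # handles "5.8-rc2" -> "8"
  case "$major$minor" in
    ''|*[!0-9]*) return 1 ;;  # unparsable release string: be conservative
  esac
  [ "$has_btf" = 1 ] || return 1
  if [ "$major" -gt 5 ]; then return 0; fi
  [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]
}

# falco_driver_kind RELEASE HAS_BTF
#   Prints the value to use for engine.kind in falco.yaml / driver.kind in the
#   Helm chart: modern_ebpf when supported, otherwise the legacy ebpf probe.
falco_driver_kind() {
  if kernel_supports_modern_ebpf "$1" "$2"; then
    echo modern_ebpf
  else
    echo ebpf
  fi
}

# helm_install_cmd DRIVER_KIND
#   Prints (does not run) the helm command installing Falco with that driver.
#   The "falco" namespace is an assumption of this example.
helm_install_cmd() {
  printf 'helm install falco falcosecurity/falco --namespace falco --create-namespace --set driver.kind=%s\n' "$1"
}

# Detect on the current host (run this on a GKE node, e.g. via a debug pod
# with the host's /sys mounted) and print the recommended command.
release=$(uname -r 2>/dev/null || echo unknown)
if [ -f /sys/kernel/btf/vmlinux ]; then btf=1; else btf=0; fi
kind=$(falco_driver_kind "$release" "$btf")
echo "kernel $release, BTF=$btf -> driver.kind=$kind"
helm_install_cmd "$kind"
```

Run the detection part on a node of the pool you intend to cover (the helm command itself runs from wherever your kubeconfig lives). If a cluster mixes node pools with different COS images, run it against each pool: the driver is chosen per node by the Falco DaemonSet, so a single driver.kind that works on the oldest kernel in the cluster is the safe choice.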

gVisor

Falco offers native support for gVisor. Because gVisor intercepts system calls in its own user-space kernel (the Sentry), neither the kernel module nor the eBPF drivers observe the syscalls made inside a gVisor sandbox; Falco instead consumes the trace events that gVisor itself emits, which requires a specific configuration on both the gVisor (runsc) and Falco sides. For detailed instructions, refer to the gVisor Event Source documentation.