Deploy on Kubernetes

Learn how to deploy Falco on Kubernetes with Helm

Falco consumes streams of events and evaluates them against a set of security rules to detect abnormal behavior. By default, Falco is preconfigured to consume events from the Linux Kernel. This default installation scenario will add Falco to all nodes in your cluster using a DaemonSet. This scenario requires Falco to be privileged, and depending on the kernel version installed on the node, a driver will be installed on the node.

For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the Plugins section.

The recommended way to deploy Falco on a Kubernetes cluster is to use the provided Helm chart. The official Falco charts repository is hosted at:

If needed, you can consult the Installing Helm guide for information about how to download and install Helm. Before deploying Falco on Kubernetes, ensure you can access the targeted cluster running with Linux nodes, either x86_64 or ARM64. Also, you will need to have kubectl and helm installed and configured.

Alternatively, Falco can be installed in Kubernetes without Helm by providing manifest files and deploying them to your cluster. For details, see the example here.

Install

First, add the Helm repository:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Then install Falco:

helm install --replace falco --namespace falco --create-namespace --set tty=true falcosecurity/falco

And check that the Falco pods are running:

kubectl get pods -n falco

Falco pod(s) might need a few seconds to start. Wait until they are ready:

kubectl wait pods --for=condition=Ready --all -n falco
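The steps above confirm that the Falco pods that exist are Ready, but not that every Linux node received one: a DaemonSet creates no pod on a node whose taints it does not tolerate, which leaves that node unmonitored. The following added example (not part of the Falco documentation) lists nodes without a Ready Falco pod. The function names and sample data are hypothetical, and the live check assumes the `falco` namespace contains only Falco pods.

```bash
#!/usr/bin/env bash
# Added example (not from the Falco docs): list Linux nodes that have no
# Ready Falco pod, i.e. nodes where no events are being inspected.

# uncovered_nodes NODES PODS
#   NODES: one node name per line
#   PODS:  one "<nodeName> <Ready status>" pair per line (status True/False)
# Prints every node without a Ready pod; returns 1 if any node is uncovered.
uncovered_nodes() {
  local nodes="$1" pods="$2" node missing=0
  while IFS= read -r node; do
    [ -n "$node" ] || continue
    if ! printf '%s\n' "$pods" |
        awk -v n="$node" '$1 == n && $2 == "True" { ok = 1 } END { exit !ok }'
    then
      printf '%s\n' "$node"
      missing=1
    fi
  done <<EOF
$nodes
EOF
  return "$missing"
}

# Live check against the current kubectl context. Assumes the namespace
# (default "falco", as used on this page) contains only Falco pods.
check_falco_coverage() {
  local ns="${1:-falco}" nodes pods
  nodes=$(kubectl get nodes -l kubernetes.io/os=linux \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}') || return 2
  pods=$(kubectl get pods -n "$ns" -o jsonpath='{range .items[*]}{.spec.nodeName}{" "}{.status.conditions[?(@.type=="Ready")].status}{"\n"}{end}') || return 2
  uncovered_nodes "$nodes" "$pods"
}

# Constructed sample data: node-b's pod is not Ready, node-c has no pod.
SAMPLE_NODES='node-a
node-b
node-c'
SAMPLE_PODS='node-a True
node-b False'

uncovered_nodes "$SAMPLE_NODES" "$SAMPLE_PODS" ||
  echo "Falco is not Ready on the nodes listed above"
```

Against a real cluster, call `check_falco_coverage` after the `kubectl wait` step; a non-empty result names the nodes to investigate.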

Configuration

When deploying Falco via Helm, you will use Helm values to pass the Falco configuration. For further details, see the Falco Helm Chart documentation.

Upgrade

If you wish to upgrade Falco to a new version, you need to find the corresponding version in the Falco Helm Chart repository (e.g., 4.8.1 is for Falco 0.38.2) then run:

helm upgrade falco falcosecurity/falco -n falco --version 4.8.1

To avoid any possible disruption, before upgrading to a new version, consult the Falco Helm chart Breaking Changes page.

Uninstall

If you wish to remove Falco from your cluster, you can simply run:

helm uninstall falco -n falco