Deploy on Kubernetes
Falco consumes streams of events and evaluates them against a set of security rules to detect abnormal behavior. By default, Falco is preconfigured to consume events from the Linux kernel. This default installation scenario adds Falco to all nodes in your cluster using a DaemonSet. In this scenario Falco must run privileged, and, depending on the kernel version installed on the node, a driver will be installed on the node.
For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the Plugins section.
The recommended way to deploy Falco on a Kubernetes cluster is to use the provided Helm chart. The official Falco charts repository is hosted at:
If needed, you can consult the Installing Helm guide for information about how to download and install Helm. Before deploying Falco on Kubernetes, ensure you have access to the target cluster, which must run Linux nodes on either x86_64 or ARM64. You will also need kubectl and helm installed and configured.
Alternatively, Falco can be installed in Kubernetes without Helm by providing manifest files and deploying them to your cluster. For details, see the example here.
Install
First, add the Helm repository:
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
Then install Falco:
helm install --replace falco --namespace falco --create-namespace --set tty=true falcosecurity/falco
And check that the Falco pods are running:
kubectl get pods -n falco
Falco pod(s) might need a few seconds to start. Wait until they are ready:
kubectl wait pods --for=condition=Ready --all -n falco
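The wait above only covers pods that already exist, so a node that never received a Falco pod does not show up in it. The following script is an added example, not part of the Falco documentation: it compares the node list with the Falco pods and prints every node that has no fully ready pod. The function name, file names and sample data are constructed for illustration, and it assumes the falco namespace contains only Falco pods.

```shell
#!/bin/sh
# Added example: report nodes that have no fully Ready Falco pod.
#
# Live inputs (run against your cluster and save to files):
#   kubectl get nodes --no-headers -o custom-columns=NAME:.metadata.name > nodes.txt
#   kubectl get pods -n falco --no-headers \
#     -o 'custom-columns=NODE:.spec.nodeName,READY:.status.containerStatuses[*].ready' > pods.txt
# Assumption: the falco namespace holds only Falco pods, as in the install above.

# uncovered_nodes NODES_FILE PODS_FILE
# Prints every node name that lacks a pod whose containers are all ready.
uncovered_nodes() {
  awk '
    # First operand is the pods file. Comparing FILENAME (instead of
    # NR == FNR) keeps the logic correct when the pods file is empty.
    FILENAME == ARGV[1] {
      # Pod line: "<node> <ready flags>", e.g. "node-a true,true".
      # Pods without container status print "<none>" and are not counted.
      if ($2 ~ /^true(,true)*$/) covered[$1] = 1
      next
    }
    # Second operand is the node list: print nodes with no covered pod.
    NF && !($1 in covered) { print $1 }
  ' "$2" "$1"
}

# Constructed sample data: three nodes, one healthy pod, one pod with a
# container that is not ready, and one node with no Falco pod at all.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' node-a node-b node-c > "$dir/nodes.txt"
  printf '%s\n' 'node-a true,true' 'node-b true,false' > "$dir/pods.txt"
  uncovered_nodes "$dir/nodes.txt" "$dir/pods.txt"
  rm -rf "$dir"
}

demo
```

An empty result means every listed node has a ready Falco pod; any printed node is a gap in detection coverage to investigate with kubectl describe.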
Configuration
When deploying Falco via Helm, you will use Helm values to pass the Falco configuration. For further details, see the Falco Helm Chart documentation.
Upgrade
If you wish to upgrade Falco to a new version, you need to find the corresponding version in the Falco Helm Chart repository (e.g., 4.8.1 is for Falco 0.38.2) then run:
helm upgrade falco falcosecurity/falco -n falco --version 4.8.1
To avoid any possible disruption, before upgrading to a new version, consult the Falco Helm chart Breaking Changes page.
Uninstall
If you wish to remove Falco from your cluster, you can simply run:
helm uninstall falco -n falco