Falco
Falco provides runtime detection for node and container activity. The repo deploys it as a DaemonSet on every node, runs the modern_ebpf driver, disables the large default rule set in favour of a small local one, and forwards events to Loki through Falcosidekick.
Responsibility
- Observe runtime events on every node.
- Evaluate Lumie-specific custom rules against those events.
- Forward security events to Loki in JSON format through Falcosidekick.
- Expose Falco and Falcosidekick metrics to Prometheus.
Source paths
| Path | Role |
|---|---|
| lumie-infra/security/falco/argocd.yaml | Argo CD Application targeting namespace falco |
| lumie-infra/security/falco/helm-values.yaml | Driver mode, images, custom rules, Falcosidekick, metrics, and controller kind |
Runtime contract
| Surface | Contract |
|---|---|
| Controller kind | daemonset |
| Driver mode | modern_ebpf |
| Primary outputs | stdout from Falco, Loki from Falcosidekick |
| Metrics | serviceMonitor.create: true |
| Web UI | Falcosidekick Web UI disabled |
Rule set
The checked-in rule contract disables the default Falco rules file and keeps only local rules under falco_rules.local.yaml and rules.d. The current custom rules focus on:
- sensitive file access inside containers, including `/etc/shadow` and root SSH keys;
- interactive break-glass shells started by `sshd` on a cluster node outside a container.
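The two behaviours above, written as Falco rules. This is an added illustration, not the repo's checked-in `falco_rules.local.yaml`; rule names, list contents and priorities are assumptions. One point it makes explicit: with the default rules file disabled, the macros the default rules define (`spawned_process`, `container`, and so on) are gone, so local rules must define their own.

```yaml
# Illustrative Lumie-style rules (added example, not the repo's own file).
# Drop into rules.d/, e.g. rules.d/lumie.yaml (path is an assumption).
# The default rules file is disabled, so every macro used here is defined locally.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

- macro: in_container
  condition: container.id != host

- macro: open_read
  condition: evt.type in (open, openat, openat2) and evt.is_open_read = true and fd.typechar = 'f'

- list: lumie_sensitive_files
  items: [/etc/shadow, /root/.ssh/id_rsa, /root/.ssh/id_ed25519, /root/.ssh/authorized_keys]

- list: lumie_shells
  items: [bash, sh, zsh, dash, ash]

# Credential files read from inside any container.
- rule: Lumie Sensitive File Read In Container
  desc: A process inside a container opened /etc/shadow or a root SSH key for reading.
  condition: in_container and open_read and fd.name in (lumie_sensitive_files)
  output: >
    Sensitive file read in container
    (file=%fd.name user=%user.name proc=%proc.cmdline parent=%proc.pname
    container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [lumie, filesystem, container]

# Interactive shell whose parent is sshd, running on the node itself (not in a container).
# proc.tty != 0 restricts this to interactive sessions, so scripted ssh commands
# such as "ssh node uptime" do not fire it.
- rule: Lumie Break-Glass Shell On Node
  desc: sshd on a cluster node spawned an interactive shell outside any container.
  condition: >
    spawned_process and not in_container and
    proc.pname = sshd and proc.name in (lumie_shells) and proc.tty != 0
  output: >
    Break-glass shell on node
    (user=%user.name loginuid=%user.loginuid shell=%proc.name tty=%proc.tty cmdline=%proc.cmdline)
  priority: NOTICE
  tags: [lumie, host, shell]
```

Validate a rules file before committing it with `falco -c /etc/falco/falco.yaml -V rules.d/lumie.yaml`; a typo in a macro name is only reported at load time, and a DaemonSet that fails to load its rules detects nothing on that node.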
Runtime flow
Failure behavior and operational risks
- If `modern_ebpf` is unsupported on a node kernel, Falco fails at driver load, before any rule is evaluated, and the Falco pod on that node restarts without ever producing events.
- Disabling the default rules lowers noise and CPU cost, but it also narrows coverage to the local rules only: anything the default rule set would have caught is not detected unless a local rule covers it.
- Loki outages do not stop runtime detection; they stop downstream event delivery and make security events harder to query.
- Falco needs privileged access patterns that are explicitly excepted from the Kyverno security-context policy.
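A pre-flight check for the first failure mode above. This is an added example, not part of lumie-infra; the two requirements it tests (kernel 5.8 or newer, and BTF available at `/sys/kernel/btf/vmlinux` for CO-RE) are the ones Falco documents for the modern eBPF driver. The function name and output wording are assumptions.

```bash
#!/bin/sh
# Added example (not from the repo): can this node run Falco's modern_ebpf driver?
# Requirements per Falco docs: kernel >= 5.8 and BTF present at /sys/kernel/btf/vmlinux.

# modern_ebpf_supported KERNEL_RELEASE BTF_PRESENT
#   KERNEL_RELEASE: a `uname -r` style string, e.g. 5.10.0-21-amd64
#   BTF_PRESENT:    1 if /sys/kernel/btf/vmlinux exists, 0 otherwise
# Returns 0 when both requirements hold, 1 otherwise.
modern_ebpf_supported() {
  release="$1"
  btf="$2"
  major=${release%%.*}            # text before the first dot
  if [ "$major" = "$release" ]; then
    minor=0                       # no dot at all, e.g. "6"
  else
    rest=${release#*.}            # text after the first dot
    minor=${rest%%[!0-9]*}        # leading digits only; drops ".0-21-amd64", "-rc1", ...
  fi
  # Reject anything that is not plain digits (garbled or empty input).
  case "$major" in ''|*[!0-9]*) return 1 ;; esac
  case "$minor" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$major" -lt 5 ]; then return 1; fi
  if [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; then return 1; fi
  [ "$btf" = "1" ]
}

# Evaluate the node this script runs on.
check_local_node() {
  release=$(uname -r)
  if [ -r /sys/kernel/btf/vmlinux ]; then btf=1; else btf=0; fi
  if modern_ebpf_supported "$release" "$btf"; then
    echo "OK   kernel=$release btf=$btf: modern_ebpf supported"
    return 0
  fi
  echo "FAIL kernel=$release btf=$btf: modern_ebpf unsupported, Falco will not start here" >&2
  return 1
}

if [ "${1:-}" = "--local" ]; then
  check_local_node
fi
```

Run it on a node from a node debug session (`kubectl debug node/<node> -it --image=busybox -- sh`, then paste the script and invoke it with `--local`). For a quick cluster-wide look at kernels alone, `kubectl get nodes -o custom-columns=NAME:.metadata.name,KERNEL:.status.nodeInfo.kernelVersion` lists every node's release string, but it cannot tell you whether BTF is present, which is why the on-node check exists.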
Observability
- Falco writes alert events as structured JSON to stdout, which the cluster log collector picks up like any other container log; Falco's own process log (driver load, rule parsing) goes to stderr.
- Falcosidekick forwards all priorities to Loki in JSON format.
- Prometheus scrapes both Falco and Falcosidekick through the enabled service monitor settings.
Verification
kubectl get applications.argoproj.io -n argocd falco
kubectl get daemonset -n falco -l app.kubernetes.io/name=falco
kubectl get deploy -n falco -l app.kubernetes.io/name=falcosidekick
kubectl get pods -n falco
kubectl logs -n falco -l app.kubernetes.io/name=falco --all-containers --tail=200
kubectl logs -n falco -l app.kubernetes.io/name=falcosidekick --all-containers --tail=200
Success signals:
- The `falco` Argo CD application is `Healthy` and `Synced`.
- The Falco DaemonSet reports `READY` equal to `DESIRED` across cluster nodes.
- The Falcosidekick deployment is available in the same namespace.
- Falco logs do not show repeated `modern_ebpf` driver initialization failures, and Falcosidekick logs do not show repeated Loki delivery errors.