Kubernetes Security With Falco

Comprehensive runtime security for your containers with a hands-on demo

Gaurav Agarwal
Oct 23 · 4 min read
View of nature from inside a tent
View of nature from inside a tent
Photo by Dominik Jirovský on Unsplash.

Falco is an open source runtime security tool that can help you to secure a variety of environments. Sysdig created it and it has been a CNCF project since 2018. Falco reads real-time Linux kernel logs, container logs, Kubernetes logs, etc. against a powerful rules engine to alert users of malicious behaviour.

It is particularly useful for container security — especially if you are using Kubernetes to run them — and it is now the de facto Kubernetes threat detection engine. It ingests Kubernetes API audit logs for runtime threat detection and to understand application behaviour.

It also helps teams understand who did what in the cluster, as it can integrate with Webhooks to raise alerts in a ticketing system or a collaboration engine like Slack.

Falco works by using detection rules that define unexpected behaviour. Though it comes with its own useful default rules, you can extend them to define custom rules to harden your cluster further.

So, some things that Falco can detect are the following:

  • Opening of a shell session from a container
  • Host path volume mount
  • Reading secret and sensitive files such as
  • A new package installation in a running container
  • A new process spawned from a container that is not a part of CMD
  • Opening of a new port or unexpected network connection
  • Creating a privileged container
  • and much more…

All these features make it particularly useful to understand less about whether you have the appropriate security in place and more to ensure you know when there is a potential breach so that you can stop it before something terrible happens. Falco, therefore, complements the existing Kubernetes native security measures such as RBAC and Pod Security Policies that help in preventing issues rather than detecting them.

There are multiple ways of running Falco within a Kubernetes cluster. You can install Falco in every Kubernetes node, bake Falco as a second container in the pod, or you can use a Daemon Set to inject a Falco pod in them.

Using a DaemonSet is a better and more flexible option, as it requires the least amount of changes in the Dev function and also does not take a toll on the Ops function as the first option requires. Also, it is Kubernetes-native, so it is the preferred way.

Going Hands-On

Let’s now go hands-on and see Falco in action. For the prerequisites, you need a running Kubernetes cluster.

Install Helm

Helm is the package manager for Kubernetes, and it helps a lot if you have it installed. We will install Falco using a Helm chart, so we need to install Helm first in our cluster. Ignore the step below if you have already installed Helm in your cluster.

Installing Helm is simple. Download the latest package for your OS, untar it, and move it to your path:

Install Falco

Now let’s install Falco using the official Helm chart.

Add the Helm repo first and update the repo:

Now, let’s install Falco using the Helm chart:

Helm spins up a Falco DaemonSet, and we should see a Falco pod in every node. Let’s get the pods to find out:

Congratulations! We have successfully installed Falco and it is running on all nodes.


Time for some testing! We’ll create an NGINX pod and try to do several activities that we wouldn’t normally do.

Create an NGINX pod:

Now let’s get the pods to see on which node it has launched:

As we know, the NGINX pod is present in the kind-worker node. The corresponding Falco pod is .

Let’s open a duplicate window and do the following in the left-hand window whilst tailing the Falco container logs using in the right-hand window:

  • Launch a shell on the NGINX container.
  • Cat a sensitive file .
  • Exit from shell.
Testing on an NGINX pod
Testing on an NGINX pod

As you can see, logs appear in the right-hand window whenever we do activities that are a potential security breach.

You can also export these logs to a monitoring tool like Prometheus or Grafana, and you can trigger a webhook to Slack for immediate notification as well.


Falco is a prevalent runtime security tool for Kubernetes, and I recommend using it in all environments — especially production. A useful feature is that you can also modify the rules to suit your requirements, and therefore, you can save yourself from a lot of false alerts.

Thanks for reading! I hope you enjoyed the article!

Better Programming

Advice for programmers.

Thanks to Zack Shapiro

Gaurav Agarwal

Written by

Certified Kubernetes Administrator | Cloud Architect | DevOps Enthusiast | Connect @ https://gauravdevops.com | https://freedevtools.net

Better Programming

Advice for programmers.

Gaurav Agarwal

Written by

Certified Kubernetes Administrator | Cloud Architect | DevOps Enthusiast | Connect @ https://gauravdevops.com | https://freedevtools.net

Better Programming

Advice for programmers.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store