image: repository: falcosecurity/falco docker: enabled: true socket: /var/run/docker.sock containerd: enabled: false socket: /run/containerd/containerd.sock # This InitContainer will build eBPF probe for the current AMI version. extraInitContainers: - name: driver-loader image: docker.io/falcosecurity/falco-driver-loader:latest imagePullPolicy: Always volumeMounts: - mountPath: /host/proc name: proc-fs readOnly: true - mountPath: /host/boot name: boot-fs readOnly: true - mountPath: /host/lib/modules name: lib-modules - mountPath: /host/usr name: usr-fs readOnly: true - mountPath: /host/etc name: etc-fs readOnly: true - mountPath: /root/.falco name: driver-fs env: - name: FALCO_BPF_PROBE value: extraVolumes: - name: driver-fs emptyDir: {} extraVolumeMounts: - mountPath: /root/.falco name: driver-fs ebpf: # Enable eBPF support for Falco enabled: true path: settings: # Needed to enable eBPF JIT at runtime for performance reasons. # Can be skipped if eBPF JIT is enabled from outside the container hostNetwork: false auditLog: # true here activates the K8s Audit Log feature for Falco enabled: true falco: # The location of the rules file(s). This can contain one or more paths to # separate rules files. rulesFile: - /etc/falco/falco_rules.yaml - /etc/falco/falco_rules.local.yaml - /etc/falco/k8s_audit_rules.yaml - /etc/falco/rules.d # - /etc/falco/rules.optional.d jsonOutput: true jsonIncludeOutputProperty: true jsonIncludeTagsProperty: true logStderr: true logSyslog: true logLevel: debug priority: debug programOutput: enabled: true keepAlive: false program: "curl -d @- falco-falcosidekick:2801/" falcosidekick: enabled: true replicaCount: 2 service: type: ClusterIP port: 2801 resources: limits: cpu: 100m memory: 512Mi requests: cpu: 15m memory: 96Mi webui: enabled: true service: # type: NodePort type: ClusterIP port: 2802 resources: limits: cpu: 200m memory: 768Mi requests: cpu: 50m memory: 256Mi