Falco drivers on kubernetes clusters

Hi there,

On DigitalOcean Kubernetes the easiest and most current way to run Falco is to use the official Falco Helm chart, which I believe deploys Falco as a DaemonSet across all nodes.

Install it like this:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco \
  --namespace falco \
  --create-namespace \
  --set tty=true

Falco needs a driver to capture kernel events. On managed clusters like DOKS, you normally rely on the eBPF driver, since you can’t load custom kernel modules on the nodes. The Helm chart will try to use eBPF automatically. If the driver init fails on your specific Kubernetes version, Falco’s docs outline the available driver options and troubleshooting steps.

You can find the full installation guide and driver details here:

Falco Kubernetes setup: https://falco.org/docs/setup/kubernetes/

Falco Helm chart: https://github.com/falcosecurity/charts/tree/master/charts/falco

Installing the Falco drivers in your Kubernetes cluster at DigitalOcean involves a number of steps:

1. First, you need to ensure you have Helm installed, as you would need it to install Falco.
2. Next, you would add the falcosecurity chart repo using the command: helm repo add falcosecurity https://falcosecurity.github.io/charts
3. Then just update the charts repo with: helm repo update
4. You can then install the Falco chart with the command: helm install falco falcosecurity/falco

Remember, with DigitalOcean Kubernetes (DOKS), you would be using the eBPF probe backend instead of compiling a kernel module. You will need to configure Falco accordingly.

For further details, please consult our Kubernetes documentation at DigitalOcean, as well as the Falco driver’s documentation.

Hope that this ghel