Falco Operator

May 18, 2026

The Kubernetes-native way to deploy and manage Falco. The Falco Operator transforms Falco from a powerful security tool into a fully integrated Kubernetes security solution, making it more accessible and manageable for teams of all sizes.

Overview

The Falco Operator brings two components that work together:

  • Falco Operator — Manages the lifecycle of Falco instances (DaemonSet or Deployment mode) and companion components (e.g., k8s-metacollector, falcosidekick, falcosidekick-ui)
  • Artifact Operator — Manages rules, plugins, and configuration fragments (runs as a native sidecar in each Falco pod)

Five Custom Resource Definitions provide a declarative API:

| CRD | API Group | Purpose |
|-----|-----------|---------|
| Falco | instance.falcosecurity.dev/v1alpha1 | Falco instance lifecycle |
| Component | instance.falcosecurity.dev/v1alpha1 | Companion components (e.g., k8s-metacollector) |
| Rulesfile | artifact.falcosecurity.dev/v1alpha1 | Detection rules (OCI, inline, ConfigMap) |
| Plugin | artifact.falcosecurity.dev/v1alpha1 | Falco plugins from OCI registries |
| Config | artifact.falcosecurity.dev/v1alpha1 | Configuration fragments (inline, ConfigMap) |

Architecture

[Figure: Falco Operator Architecture]

Users only need to install the Falco Operator Deployment. The Artifact Operator is automatically deployed as a native sidecar (Kubernetes 1.29+) alongside each Falco instance. Artifacts are delivered to Falco through shared emptyDir volumes.

For details, see the Architecture documentation.

Quick Start

Install the operator

Install with Helm (recommended):

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco-operator falcosecurity/falco-operator \
  --namespace falco-operator \
  --create-namespace

Alternative: install with YAML manifest:

kubectl create namespace falco-operator

VERSION=latest
if [ "$VERSION" = "latest" ]; then
  kubectl apply --server-side -f https://github.com/falcosecurity/falco-operator/releases/latest/download/install.yaml
else
  kubectl apply --server-side -f https://github.com/falcosecurity/falco-operator/releases/download/${VERSION}/install.yaml
fi

For prerequisites, configuration, upgrade, and uninstall instructions for both methods, see the Installation guide.

Deploy Falco

cat <<EOF | kubectl apply -f -
apiVersion: instance.falcosecurity.dev/v1alpha1
kind: Falco
metadata:
  name: falco
spec: {}
EOF

Add detection rules

cat <<EOF | kubectl apply -f -
apiVersion: artifact.falcosecurity.dev/v1alpha1
kind: Plugin
metadata:
  name: container
  labels:
    app.kubernetes.io/managed-by: falco-operator
spec:
  ociArtifact:
    image:
      repository: falcosecurity/plugins/plugin/container
      tag: latest
    registry:
      name: ghcr.io
---
apiVersion: artifact.falcosecurity.dev/v1alpha1
kind: Rulesfile
metadata:
  name: falco-rules
spec:
  ociArtifact:
    image:
      repository: falcosecurity/rules/falco-rules
      tag: latest
    registry:
      name: ghcr.io
  priority: 50
EOF

Verify

kubectl get falco
kubectl get rulesfiles,plugins
kubectl logs -l app.kubernetes.io/name=falco -c falco --tail=10

For the complete walkthrough, see the Getting Started guide.
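
Both Quick Start artifacts use `tag: latest`, a mutable tag, so what it resolves to can change without any change to the manifest. The pre-apply check below is an added example, not part of the Falco Operator project: the function name, the sample manifests and the `0.0.0-example` tag are constructed, and it assumes the two-space indentation used on this page.

```bash
# Added example, not Falco Operator code. Line-based check that assumes the
# two-space manifest layout shown on this page; it is not a full YAML parser.

# Reads manifests on stdin and prints "Kind/name tag" for every
# artifact.falcosecurity.dev resource whose ociArtifact tag is "latest" or absent.
find_unpinned_artifacts() {
  awk '
    function report() {
      if (api ~ /^artifact\.falcosecurity\.dev\// && oci && (tag == "" || tag == "latest"))
        printf "%s/%s %s\n", kind, name, (tag == "" ? "<none>" : tag)
      api = kind = name = tag = sect = ""; oci = 0
    }
    /^---[ \t]*$/                        { report(); next }  # document boundary
    /^[A-Za-z]/                          { sect = $1 }       # current top-level key
    /^apiVersion:/                       { api = $2 }
    /^kind:/                             { kind = $2 }
    sect == "metadata:" && /^  name:/    { name = $2 }
    sect == "spec:" && /^  ociArtifact:/ { oci = 1 }
    oci && /^      tag:/                 { tag = $2; gsub(/[^A-Za-z0-9_.-]/, "", tag) }
    END                                  { report() }
  '
}

# Constructed sample, trimmed to the fields the check reads: the Plugin from
# this page plus a pinned Rulesfile. "0.0.0-example" is a placeholder tag.
SAMPLE_MANIFESTS='apiVersion: artifact.falcosecurity.dev/v1alpha1
kind: Plugin
metadata:
  name: container
spec:
  ociArtifact:
    image:
      repository: falcosecurity/plugins/plugin/container
      tag: latest
---
apiVersion: artifact.falcosecurity.dev/v1alpha1
kind: Rulesfile
metadata:
  name: pinned-rules
spec:
  ociArtifact:
    image:
      repository: falcosecurity/rules/falco-rules
      tag: 0.0.0-example
  priority: 50'

# Prints: Plugin/container latest
printf '%s\n' "$SAMPLE_MANIFESTS" | find_unpinned_artifacts
```

In a pipeline, pipe the manifests through the function before `kubectl apply` and fail the job when the output is non-empty.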

Documentation

| Document | Description |
|----------|-------------|
| Installation | Prerequisites, install (Helm or YAML manifest), upgrade, uninstall |
| Getting Started | Step-by-step deployment guide |
| Architecture | Components, interactions, design |
| CRD Reference | Full reference for all Custom Resources |
| Configuration | Defaults and customization |
| Migration Guide | Index of migration chapters |
| Contributing | Development, testing, PR guidelines |

Key Features

  • Declarative management — Define Falco deployments, rules, plugins, and configuration as Kubernetes Custom Resources
  • Multiple deployment modes — DaemonSet for cluster-wide monitoring, Deployment for plugin-only workloads
  • Flexible artifact sources — OCI registries, inline YAML, and Kubernetes ConfigMaps
  • Priority-based ordering — Deterministic application of rules and configuration
  • Node targeting — Apply different artifacts to different nodes via label selectors
  • Reference protection — Finalizers prevent accidental deletion of referenced Secrets and ConfigMaps
  • Enhanced observability — Kubernetes events and status conditions across all controllers
  • Server-Side Apply — Conflict-free reconciliation with ownership tracking
  • Multi-instance support — Run multiple Falco instances in the same cluster
  • Full pod customization — Override any aspect of the Falco pod via podTemplateSpec

License

This project is licensed to you under the Apache 2.0 license.