falco-operator (Go module, v0.2.0)

Published: Mar 20, 2026 License: Apache-2.0

README

Falco Operator

Falco Ecosystem Repository status: Incubating

The Kubernetes-native way to deploy and manage Falco. The Falco Operator transforms Falco from a powerful security tool into a fully integrated Kubernetes security solution, making it more accessible and manageable for teams of all sizes.

Overview

The Falco Operator brings two components that work together:

  • Falco Operator — Manages the lifecycle of Falco instances (DaemonSet or Deployment mode) and companion components (e.g., k8s-metacollector, falcosidekick, falcosidekick-ui)
  • Artifact Operator — Manages rules, plugins, and configuration fragments (runs as a native sidecar in each Falco pod)

Five Custom Resource Definitions provide a declarative API:

CRD        API Group                            Purpose
Falco      instance.falcosecurity.dev/v1alpha1  Falco instance lifecycle
Component  instance.falcosecurity.dev/v1alpha1  Companion components (e.g., k8s-metacollector)
Rulesfile  artifact.falcosecurity.dev/v1alpha1  Detection rules (OCI, inline, ConfigMap)
Plugin     artifact.falcosecurity.dev/v1alpha1  Falco plugins from OCI registries
Config     artifact.falcosecurity.dev/v1alpha1  Configuration fragments (inline, ConfigMap)

Architecture

[Figure: Falco Operator Architecture]

Users only need to install the Falco Operator Deployment. The Artifact Operator is automatically deployed as a native sidecar (Kubernetes 1.29+) alongside each Falco instance. Artifacts are delivered to Falco through shared emptyDir volumes.

For details, see the Architecture documentation.

Quick Start

Install the operator:

    VERSION=latest
    if [ "$VERSION" = "latest" ]; then
      kubectl apply --server-side -f https://github.com/falcosecurity/falco-operator/releases/latest/download/install.yaml
    else
      kubectl apply --server-side -f https://github.com/falcosecurity/falco-operator/releases/download/${VERSION}/install.yaml
    fi

Deploy Falco:

    cat <<EOF | kubectl apply -f -
    apiVersion: instance.falcosecurity.dev/v1alpha1
    kind: Falco
    metadata:
      name: falco
    spec: {}
    EOF

Add detection rules:

    cat <<EOF | kubectl apply -f -
    apiVersion: artifact.falcosecurity.dev/v1alpha1
    kind: Plugin
    metadata:
      name: container
      labels:
        app.kubernetes.io/managed-by: falco-operator
    spec:
      ociArtifact:
        image:
          repository: falcosecurity/plugins/plugin/container
          tag: latest
        registry:
          name: ghcr.io
    ---
    apiVersion: artifact.falcosecurity.dev/v1alpha1
    kind: Rulesfile
    metadata:
      name: falco-rules
    spec:
      ociArtifact:
        image:
          repository: falcosecurity/rules/falco-rules
          tag: latest
        registry:
          name: ghcr.io
      priority: 50
    EOF

Verify:

    kubectl get falco
    kubectl get rulesfiles,plugins
    kubectl logs -l app.kubernetes.io/name=falco -c falco --tail=10

For the complete walkthrough, see the Getting Started guide.
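The Quick Start above pulls the operator, the rules bundle and the plugin at "latest". The script below is an added example, not code from the falco-operator project: it pins the operator release, renders the same Plugin and Rulesfile resources with explicit tags, rejects a malformed priority before it reaches the API server, and after applying everything waits for the Falco pods and surfaces the controllers' status conditions and events (the page names both as the observability surface). It assumes kubectl is configured against the target cluster and that Falco pods carry the label app.kubernetes.io/name=falco, which the Quick Start's own log command uses; the helper names (install_url, render_rulesfile, render_plugin, quickstart) and the sample tags are this example's own.

```shell
#!/bin/sh
# Added example, not part of the falco-operator project: a pinned, checkable
# variant of the Quick Start. Assumes kubectl is configured against the target
# cluster and that Falco pods carry app.kubernetes.io/name=falco.
set -eu

# Resolve the install manifest URL for a release tag. "latest" is accepted,
# but a pinned tag (e.g. v0.2.0) makes operator upgrades deliberate and
# reviewable instead of whatever the release page points at on a given day.
install_url() {
  version="${1:-latest}"
  if [ "$version" = "latest" ]; then
    echo "https://github.com/falcosecurity/falco-operator/releases/latest/download/install.yaml"
  else
    echo "https://github.com/falcosecurity/falco-operator/releases/download/${version}/install.yaml"
  fi
}

# Render a Rulesfile CR that pulls a rules bundle from ghcr.io at a given tag
# with an explicit priority. A non-integer priority is rejected here, before
# anything is sent to the API server.
render_rulesfile() {
  name="$1"; repo="$2"; tag="$3"; priority="$4"
  case "$priority" in
    ''|*[!0-9]*)
      echo "render_rulesfile: priority must be a non-negative integer, got '$priority'" >&2
      return 1 ;;
  esac
  cat <<EOF
apiVersion: artifact.falcosecurity.dev/v1alpha1
kind: Rulesfile
metadata:
  name: ${name}
spec:
  ociArtifact:
    image:
      repository: ${repo}
      tag: ${tag}
    registry:
      name: ghcr.io
  priority: ${priority}
EOF
}

# Render the Plugin CR from the Quick Start, again with a pinned tag.
render_plugin() {
  name="$1"; repo="$2"; tag="$3"
  cat <<EOF
apiVersion: artifact.falcosecurity.dev/v1alpha1
kind: Plugin
metadata:
  name: ${name}
  labels:
    app.kubernetes.io/managed-by: falco-operator
spec:
  ociArtifact:
    image:
      repository: ${repo}
      tag: ${tag}
    registry:
      name: ghcr.io
EOF
}

# End-to-end run: install the operator, create the Falco instance and the two
# artifacts, wait for the pods, then inspect status conditions and events.
# Not invoked automatically; call: quickstart v0.2.0 <rules-tag> <plugin-tag>
quickstart() {
  operator_version="${1:-v0.2.0}"
  rules_tag="${2:-latest}"    # pin both tags to a reviewed release in practice
  plugin_tag="${3:-latest}"

  kubectl apply --server-side -f "$(install_url "$operator_version")"

  printf 'apiVersion: instance.falcosecurity.dev/v1alpha1\nkind: Falco\nmetadata:\n  name: falco\nspec: {}\n' \
    | kubectl apply -f -
  render_plugin container falcosecurity/plugins/plugin/container "$plugin_tag" | kubectl apply -f -
  render_rulesfile falco-rules falcosecurity/rules/falco-rules "$rules_tag" 50 | kubectl apply -f -

  # The log check only means something once the Falco pods are Ready.
  kubectl wait --for=condition=Ready pod -l app.kubernetes.io/name=falco --timeout=300s

  # Pull or validation failures are reported in the artifacts' status
  # conditions and events, so describe them rather than only listing them.
  kubectl get falco,rulesfiles,plugins
  kubectl describe rulesfiles falco-rules
  kubectl describe plugins container
  kubectl logs -l app.kubernetes.io/name=falco -c falco --tail=10
}
```

Source the file and call `quickstart v0.2.0 <rules-tag> <plugin-tag>`; the render functions can also be piped into `kubectl diff -f -` first to see what Server-Side Apply would change before applying.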

Documentation

Document         Description
Installation     Prerequisites, install, upgrade, uninstall
Getting Started  Step-by-step deployment guide
Architecture     Components, interactions, design
CRD Reference    Full reference for all Custom Resources
Configuration    Defaults and customization
Migration Guide  Upgrade from v0.1.x to v0.2.0
Contributing     Development, testing, PR guidelines

Key Features

  • Declarative management — Define Falco deployments, rules, plugins, and configuration as Kubernetes Custom Resources
  • Multiple deployment modes — DaemonSet for cluster-wide monitoring, Deployment for plugin-only workloads
  • Flexible artifact sources — OCI registries, inline YAML, and Kubernetes ConfigMaps
  • Priority-based ordering — Deterministic application of rules and configuration
  • Node targeting — Apply different artifacts to different nodes via label selectors
  • Reference protection — Finalizers prevent accidental deletion of referenced Secrets and ConfigMaps
  • Enhanced observability — Kubernetes events and status conditions across all controllers
  • Server-Side Apply — Conflict-free reconciliation with ownership tracking
  • Multi-instance support — Run multiple Falco instances in the same cluster
  • Full pod customization — Override any aspect of the Falco pod via podTemplateSpec

License

This project is licensed to you under the Apache 2.0 license.

Directories

Path                                  Synopsis
api
  artifact/v1alpha1                   Package v1alpha1 contains API Schema definitions for the artifact v1alpha1 API group.
  common/v1alpha1                     Package v1alpha1 contains common types used across apis.
  instance/v1alpha1                   Package v1alpha1 contains API Schema definitions for the instance v1alpha1 API group.
cmd
  artifact (command)                  Package main is the entrypoint for the artifact-operator binary.
  instance (command)                  Package main is the entrypoint for the instance-operator binary.
controllers
  artifact/config                     Package config defines the config controller logic.
  artifact/plugin                     Package plugin defines the plugin controller logic.
  artifact/rulesfile                  Package rulesfile defines the rulesfile controller logic.
  instance/component                  Package component defines the component controller logic.
  instance/falco                      Package falco defines falco's controllers logic.
  instance/reference/configmap        Package configmap implements the ConfigMap in-use protection controller.
  instance/reference/secret           Package secret implements the Secret in-use protection controller.
  testutil                            Package testutil provides shared test helpers for controller tests.
internal
  pkg/artifact                        Package artifact provides the logic to store artifacts to the local filesystem.
  pkg/builders                        Package builders provides utility functions for building Kubernetes objects.
  pkg/common                          Package common provides common utilities for the application.
  pkg/controllerhelper                Package controllerhelper contains common helper for controllers.
  pkg/credentials                     Package credentials contains the logic to manage credentials for accessing remote registries.
  pkg/filesystem                      Package filesystem provides a filesystem interface and implementations.
  pkg/image                           Package image contains helper functions for images.
  pkg/index                           Package index defines field indexes for artifact CRDs.
  pkg/instance                        Package instance provides shared logic for instance controllers (Falco, Metacollector).
  pkg/managedfields                   Package managedfields provides utilities for extracting and comparing Kubernetes objects based on their managed fields for Server-Side Apply.
  pkg/mounts                          Package mounts provides the logic for mounting volumes to a container.
  pkg/oci/client                      Package client contains the logic to interact with the OCI registry.
  pkg/oci/puller                      Package puller provides a way to pull OCI images from a registry.
  pkg/priority                        Package priority provides logic to extract and validate the priority of an artifact.
  pkg/resources                       Package resources provides instance default configurations and resource generators for all supported controller types.
  pkg/version                         Package version provides version information for the build.
test
  utils                               Package utils defines helper functions used to write tests.
