The Kubernetes-native way to deploy and manage Falco. The Falco Operator transforms Falco from a powerful security tool into a fully integrated Kubernetes security solution, making it more accessible and manageable for teams of all sizes.
The Falco Operator brings two components that work together:
- Falco Operator — Manages the lifecycle of Falco instances (DaemonSet or Deployment mode) and companion components (e.g., k8s-metacollector, falcosidekick, falcosidekick-ui)
- Artifact Operator — Manages rules, plugins, and configuration fragments (runs as a native sidecar in each Falco pod)
Five Custom Resource Definitions provide a declarative API:
| CRD | API Group | Purpose |
|---|---|---|
| `Falco` | `instance.falcosecurity.dev/v1alpha1` | Falco instance lifecycle |
| `Component` | `instance.falcosecurity.dev/v1alpha1` | Companion components (e.g., k8s-metacollector) |
| `Rulesfile` | `artifact.falcosecurity.dev/v1alpha1` | Detection rules (OCI, inline, ConfigMap) |
| `Plugin` | `artifact.falcosecurity.dev/v1alpha1` | Falco plugins from OCI registries |
| `Config` | `artifact.falcosecurity.dev/v1alpha1` | Configuration fragments (inline, ConfigMap) |
Users only need to install the Falco Operator Deployment. The Artifact Operator is automatically deployed as a native sidecar (Kubernetes 1.29+) alongside each Falco instance. Artifacts are delivered to Falco through shared emptyDir volumes.
For details, see the Architecture documentation.
```bash
# Install the operator (set VERSION to a release tag to install a specific release)
VERSION=latest
if [ "$VERSION" = "latest" ]; then
  kubectl apply --server-side -f https://github.com/falcosecurity/falco-operator/releases/latest/download/install.yaml
else
  kubectl apply --server-side -f "https://github.com/falcosecurity/falco-operator/releases/download/${VERSION}/install.yaml"
fi
```

```bash
# Deploy a Falco instance with the default settings
cat <<EOF | kubectl apply -f -
apiVersion: instance.falcosecurity.dev/v1alpha1
kind: Falco
metadata:
  name: falco
spec: {}
EOF
```

```bash
# Add the container plugin and the falco-rules ruleset from ghcr.io
cat <<EOF | kubectl apply -f -
apiVersion: artifact.falcosecurity.dev/v1alpha1
kind: Plugin
metadata:
  name: container
  labels:
    app.kubernetes.io/managed-by: falco-operator
spec:
  ociArtifact:
    image:
      repository: falcosecurity/plugins/plugin/container
      tag: latest
    registry:
      name: ghcr.io
---
apiVersion: artifact.falcosecurity.dev/v1alpha1
kind: Rulesfile
metadata:
  name: falco-rules
spec:
  ociArtifact:
    image:
      repository: falcosecurity/rules/falco-rules
      tag: latest
    registry:
      name: ghcr.io
  priority: 50
EOF
```

```bash
# Verify the instance, its artifacts, and the Falco container logs
kubectl get falco
kubectl get rulesfiles,plugins
kubectl logs -l app.kubernetes.io/name=falco -c falco --tail=10
```

For the complete walkthrough, see the Getting Started guide.
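The manifests above pull the plugin and the ruleset with `tag: latest`, a tag that can resolve to different content over time. As an added example (not part of the Falco Operator project), this script lists OCI-backed artifacts with a mutable tag from `kubectl get rulesfiles,plugins -o json` output; the sample input, the `0.0.0-example` tag, the `local-rules` object and the function names are constructed for illustration.

```python
import json

# Assumption of this example: "latest" and a missing tag count as mutable.
MUTABLE_TAGS = {"", "latest"}

# Constructed sample shaped like `kubectl get rulesfiles,plugins -o json` output.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Plugin", "metadata": {"name": "container"},
     "spec": {"ociArtifact": {
         "image": {"repository": "falcosecurity/plugins/plugin/container",
                   "tag": "latest"},
         "registry": {"name": "ghcr.io"}}}},
    {"kind": "Rulesfile", "metadata": {"name": "falco-rules"},
     "spec": {"priority": 50, "ociArtifact": {
         "image": {"repository": "falcosecurity/rules/falco-rules",
                   "tag": "0.0.0-example"},  # constructed pinned tag
         "registry": {"name": "ghcr.io"}}}},
    # Non-OCI artifact (inline or ConfigMap); its source fields are omitted here.
    {"kind": "Rulesfile", "metadata": {"name": "local-rules"},
     "spec": {"priority": 60}},
]})


def oci_reference(item):
    """Return (reference, tag) for an OCI-backed artifact, or None otherwise."""
    oci = item.get("spec", {}).get("ociArtifact")
    if not oci:
        return None
    image = oci.get("image", {})
    registry = oci.get("registry", {}).get("name", "")
    repository = image.get("repository", "")
    reference = f"{registry}/{repository}" if registry else repository
    return reference, image.get("tag", "")


def find_mutable_artifacts(kubectl_json):
    """Return (kind, name, reference) for every artifact using a mutable tag."""
    findings = []
    for item in json.loads(kubectl_json).get("items", []):
        parsed = oci_reference(item)
        if parsed is None:
            continue  # nothing is pulled from a registry for this artifact
        reference, tag = parsed
        if tag in MUTABLE_TAGS:
            findings.append((item["kind"], item["metadata"]["name"],
                             f"{reference}:{tag or '<none>'}"))
    return findings


if __name__ == "__main__":
    for kind, name, ref in find_mutable_artifacts(SAMPLE):
        print(f"{kind}/{name} uses mutable reference {ref}")
```

Against a live cluster, pass the text returned by `kubectl get rulesfiles,plugins -o json` to `find_mutable_artifacts` in place of `SAMPLE`.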
| Document | Description |
|---|---|
| Installation | Prerequisites, install, upgrade, uninstall |
| Getting Started | Step-by-step deployment guide |
| Architecture | Components, interactions, design |
| CRD Reference | Full reference for all Custom Resources |
| Configuration | Defaults and customization |
| Migration Guide | Upgrade from v0.1.x to v0.2.0 |
| Contributing | Development, testing, PR guidelines |
- Declarative management — Define Falco deployments, rules, plugins, and configuration as Kubernetes Custom Resources
- Multiple deployment modes — DaemonSet for cluster-wide monitoring, Deployment for plugin-only workloads
- Flexible artifact sources — OCI registries, inline YAML, and Kubernetes ConfigMaps
- Priority-based ordering — Deterministic application of rules and configuration
- Node targeting — Apply different artifacts to different nodes via label selectors
- Reference protection — Finalizers prevent accidental deletion of referenced Secrets and ConfigMaps
- Enhanced observability — Kubernetes events and status conditions across all controllers
- Server-Side Apply — Conflict-free reconciliation with ownership tracking
- Multi-instance support — Run multiple Falco instances in the same cluster
- Full pod customization — Override any aspect of the Falco pod via `podTemplateSpec`
This project is licensed to you under the Apache 2.0 license.