Kubernetes CKS exam tips - Falco

Published On: 2022/04/22

Falco | CKS |

Falco is an open source runtime security tool which interpret the linux system calls and verify it against the rule engine and generate alert if any violations are identified.

Architecture of Falco

Falco works on linux user space and kernal space. The kernal space component interpret the system calls and send it to the user space component for analysis. The analyzer gives it to the rule engine to check it against the rules configured in the yaml file. If there is any violations identified then alerts will be generated and emitted to the output channels.

Falco could send alerts to one or more channels as configured in the falco.yml file.

Configuration files in Falco

  1. falco.yml

This is the falco configuration file which is located at /etc/falco directory. Falco loads this configuration file to get the information of the files that contain the rules and enables or disable the output channels and to decide the output formats.

  1. falco_rules.yml This file containes the default rules which come along with falco software. We could remove or edit these rules according to our needs.

  2. falco_rules.local.yml The better way to override a rules is by copying the same rule to local rules file and modify it according to our needs.

  3. custom rules folder (rules.d)

The folder /etc/falco/rules.d could be created to define the files containing our custom rules.

The order of loading falco rule files could be defined in the falco.yml file. Make sure that the falco_rules.yaml loads first and then the local rule file.

  - /etc/falco/falco_rules.yaml
  - /etc/falco/falco_rules.local.yaml
  - /etc/falco/k8s_audit_rules.yaml
  - /etc/falco/rules.d

Falco & Pod Security Policy in k8s

The falcoctl convert psp tool reads a Pod Security Policy file and generate a Falco rule file that evaluate the constrains in the policy file.

We can run falcoctl convert psp –psp-path test_psp.yaml –rules-path psp_rules.yaml which generates the psp_rules.yaml file and we can start falco with the command falco -r psp_rules.yml.

Falco in CKS exam

  • Check whether the falco is running in the environment
  • Find the rule that needs to be modified or added
  • If the rule has to be modified then copy that rule to the local rule file and edit it according to the need.
  • Configure the format of the output and the channel in the falco.yml file
  • Start/Restart the falco module
  • Run the module for a specific amount of time
  • The supporting fields in the falco output could be found here


Falco could be deployed on a local machine, cloud or a managed K8S cluster. We run falco in the openshift cluster as daemonset to find out the abnormal behaviour in the cluster.

comments powered by Disqus