apiVersion: apps/v1 kind: DaemonSet metadata: name: falco-daemonset labels: app: falco-example role: security spec: selector: matchLabels: app: falco-example role: security template: metadata: labels: app: falco-example role: security spec: serviceAccount: falco-account containers: - name: falco image: falcosecurity/falco:latest securityContext: privileged: true # Uncomment the 3 lines below to enable eBPF support for Falco. # This allows Falco to run on Google COS. # Leave blank for the default probe location, or set to the path # of a precompiled probe. # env: # - name: FALCO_BPF_PROBE # value: "" args: [ "/usr/bin/falco", "--cri", "/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"] volumeMounts: - mountPath: /host/var/run/docker.sock name: docker-socket - mountPath: /host/run/containerd/containerd.sock name: containerd-socket - mountPath: /host/dev name: dev-fs readOnly: true - mountPath: /host/proc name: proc-fs readOnly: true - mountPath: /host/boot name: boot-fs readOnly: true - mountPath: /host/lib/modules name: lib-modules readOnly: true - mountPath: /host/usr name: usr-fs readOnly: true - mountPath: /host/etc/ name: etc-fs readOnly: true - mountPath: /etc/falco name: falco-config volumes: - name: docker-socket hostPath: path: /var/run/docker.sock - name: containerd-socket hostPath: path: /run/containerd/containerd.sock - name: dev-fs hostPath: path: /dev - name: proc-fs hostPath: path: /proc - name: boot-fs hostPath: path: /boot - name: lib-modules hostPath: path: /lib/modules - name: usr-fs hostPath: path: /usr - name: etc-fs hostPath: path: /etc - name: falco-config configMap: name: falco-config