Install the k8saudit plugin using falcoctl: run 'falcoctl artifact install k8saudit' and confirm the plugin binary is placed in the plugins directory
Configure the plugin in falco.yaml under the 'plugins' key, setting the 'name', 'library_path', and 'init_config' fields including the audit webhook port
Add k8saudit to the 'load_plugins' list in falco.yaml so Falco loads it at startup
Configure the Kubernetes API server audit policy to forward events to the Falco webhook endpoint and restart the API server
Deploy the k8saudit-rules artifact via falcoctl and verify that rules using fields like 'ka.verb', 'ka.target.resource', and 'ka.user.name' load without errors
Perform a test action such as creating a ClusterRoleBinding and confirm Falco emits a matching alert
Known gotchas
The k8saudit plugin requires a specific audit policy level (RequestResponse or Metadata) for the events it needs; too-restrictive audit policies will silence expected alerts
falcoctl artifact install fetches from the official OCI registry — ensure your environment has outbound access or mirror the artifact to an internal registry first
Plugin source events replace kernel-level syscall events; rules written for syscall evt.type fields will not work with k8saudit plugin-sourced events
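Added example (not taken from this page or from the Falco project's own files): the three files behind steps 4 to 6, written so that the ClusterRoleBinding test action produces an alert and the audit-level and event-source gotchas are visible in the configuration. FALCO_HOST, WEBHOOK_PORT, the /k8s-audit path and the rule name are assumptions; substitute the values from your own plugin configuration.

```yaml
# --- File 1: audit policy, passed to kube-apiserver with --audit-policy-file ---
# RBAC objects are logged at RequestResponse, everything else at Metadata.
# A rule with "level: None" for these resources would silence the alert below.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: RequestResponse
    resources:
      - group: rbac.authorization.k8s.io
        resources: ["clusterrolebindings", "clusterroles", "rolebindings", "roles"]
  - level: Metadata
---
# --- File 2: webhook kubeconfig, passed with --audit-webhook-config-file ---
# FALCO_HOST and WEBHOOK_PORT are placeholders. The /k8s-audit path is an
# assumption and must match the endpoint the k8saudit plugin listens on.
apiVersion: v1
kind: Config
clusters:
  - name: falco
    cluster:
      server: http://FALCO_HOST:WEBHOOK_PORT/k8s-audit
contexts:
  - name: default
    context:
      cluster: falco
      user: ""
current-context: default
users: []
---
# --- File 3: custom Falco rules file (constructed rule, not part of k8saudit-rules) ---
# "source: k8s_audit" binds the rule to plugin events, so only ka.* fields
# are usable here; syscall fields such as evt.type are not available.
- rule: Example ClusterRoleBinding Created
  desc: Constructed test rule that fires when a ClusterRoleBinding is created
  condition: ka.verb = create and ka.target.resource = clusterrolebindings
  output: >
    ClusterRoleBinding created
    (user=%ka.user.name verb=%ka.verb resource=%ka.target.resource)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
```

If the test action in step 6 produces no alert, check the audit policy first, since the first matching policy rule decides the level for a request.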