{"id":"04ec22f7-4532-4faa-a869-ffa4633d16e3","task":"Deploy Falco with the k8saudit plugin to detect Kubernetes API server audit events","domain":"falco.org","steps":["Install the k8saudit plugin using falcoctl: run 'falcoctl artifact install k8saudit' and confirm the plugin binary is placed in the plugins directory","Configure the plugin in falco.yaml under the 'plugins' key, setting the 'name', 'library_path', and 'init_config' fields including the audit webhook port","Add k8saudit to the 'load_plugins' list in falco.yaml so Falco loads it at startup","Configure the Kubernetes API server audit policy to forward events to the Falco webhook endpoint and restart the API server","Deploy the k8saudit-rules artifact via falcoctl and verify rules using fields like 'ka.verb', 'ka.target.resource', and 'ka.user.name' load without errors","Perform a test action such as creating a ClusterRoleBinding and confirm Falco emits a matching alert"],"gotchas":["The k8saudit plugin requires a specific audit policy level (RequestResponse or Metadata) for the events it needs; too-restrictive audit policies will silence expected alerts","falcoctl artifact install fetches from the official OCI registry — ensure your environment has outbound access or mirror the artifact to an internal registry first","Plugin source events replace kernel-level syscall events; rules written for syscall evt.type fields will not work with k8saudit plugin-sourced events"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:40:37.260Z"},"url":"https://mcp.waymark.network/r/04ec22f7-4532-4faa-a869-ffa4633d16e3"}