Install Falco 0.33.1 or later and gVisor runsc 20221122.0 or later on the host
Generate the gVisor pod-init config by running Falco with the --gvisor-generate-config flag; the output is the trace point configuration file that gVisor reads when it starts a sandbox
Configure the container runtime (Docker or containerd) to use runsc as the runtime via runsc install
Pass the gVisor config file path to Falco at startup using the -g or --gvisor-config option
Start workloads under the runsc runtime; gVisor's Sentry connects to Falco over a Unix domain socket before the application process starts, then delivers serialized protobuf events
Verify integration by checking Falco logs for gVisor event source messages and triggering a rule inside a sandboxed container
Known gotchas
gVisor communicates with Falco via a Unix domain socket using Protocol Buffers; the socket path in the generated config must be accessible to both gVisor and Falco
The kernel module and eBPF drivers are unused in gVisor mode; Falco must be started explicitly with the gVisor config (-g), not with the default driver
Falco rule conditions reference the same field names for gVisor events as for native syscall events, but some fields may be absent if gVisor does not yet instrument a given trace point
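A pre-flight check for the generated config, added here to illustrate the setup steps and the socket-path and missing-trace-point gotchas above (example code, not Falco's or gVisor's own): it reads the pod-init config, checks that Falco can create the remote-sink socket, and lists configured trace points that the installed runsc does not instrument. The config layout (trace_session with sinks and points), the sample values and the set of supported points are assumptions.

```python
import json
import os
# Constructed sample in the shape Falco's --gvisor-generate-config emits
# (assumed layout: trace_session -> sinks / points); not copied from the page.
SAMPLE_CONFIG = {
    "trace_session": {
        "name": "Default",
        "sinks": [{"name": "remote", "config": {"endpoint": "/run/falco/gvisor.sock"}}],
        "points": [
            {"name": "container/start", "context_fields": ["time", "container_id"]},
            {"name": "syscall/openat/enter", "context_fields": ["time", "container_id"]},
            {"name": "syscall/socket/enter", "context_fields": ["time", "container_id"]},
        ],
    }
}

def load_config(path):
    """Read the pod-init config JSON that Falco generated and runsc will consume."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def remote_endpoints(config):
    """Unix socket paths of every 'remote' sink: where the Sentry connects to Falco."""
    sinks = config.get("trace_session", {}).get("sinks", [])
    return [s["config"]["endpoint"] for s in sinks if s.get("name") == "remote"]

def socket_path_problems(endpoint):
    """Falco creates the listening socket, so its directory must exist and be
    writable by the Falco user; runsc connects to the same path at sandbox start."""
    parent = os.path.dirname(endpoint) or "."
    if not os.path.isdir(parent):
        return [f"socket directory missing: {parent}"]
    if not os.access(parent, os.W_OK):
        return [f"socket directory not writable: {parent}"]
    return []

def unsupported_points(config, supported):
    """Configured trace points this runsc build does not instrument (their fields
    will be absent in rule conditions, so rules must not depend on them)."""
    points = config.get("trace_session", {}).get("points", [])
    return [p["name"] for p in points if p["name"] not in supported]

def preflight(config, supported):
    """Every problem to fix before starting workloads under runsc."""
    problems = []
    for endpoint in remote_endpoints(config):
        problems += socket_path_problems(endpoint)
    problems += [f"trace point not instrumented: {p}" for p in unsupported_points(config, supported)]
    return problems
```

Run preflight(load_config("/path/to/generated.json"), supported) with the set of trace points your installed runsc actually instruments; an empty list means the socket path and point list are consistent.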