Install Falco with the eBPF probe driver by setting `driver.kind: ebpf` in the Falco Helm chart values
Verify the eBPF probe loads successfully by checking Falco pod logs for `eBPF probe successfully loaded`
Enable relevant rule sets for container runtime threats, including `write_below_etc`, `spawned_process_in_container`, and network-based rules
Configure `json_output: true` and route alerts to Falcosidekick for enrichment and forwarding
Test detection by running a privileged container that touches `/etc` or spawns an interactive shell, and confirm an alert fires
Known gotchas
The eBPF driver requires kernel 4.14+ and a kernel with `CONFIG_BPF_SYSCALL` enabled; GKE Autopilot and some hardened kernels block eBPF program loading
Falco's eBPF probe is kernel-version-sensitive; upgrading the node kernel without updating the Falco driver image can leave Falco running without a loaded probe and producing no alerts
Running Falco as a DaemonSet requires privileged pods or specific Linux capabilities (`SYS_ADMIN`, `SYS_PTRACE`); in hardened clusters these may be blocked by Pod Security Admission
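The steps above plus the "running without a loaded probe" gotcha, as an added shell example that is not part of this page or the Falco project: it writes the Helm values fragment, checks captured Falco log text for the probe-loaded marker, counts JSON alerts per rule for the detection test, and flags DaemonSet pods whose logs never report a loaded probe. The chart keys, the pod label `app.kubernetes.io/name=falco` and the sample log lines are assumptions or constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the Falco project or its Helm chart.
# Assumptions: kubectl on PATH with cluster access (check_cluster only);
# chart keys driver.kind, falco.json_output, falcosidekick.enabled and the
# pod label app.kubernetes.io/name=falco follow the falcosecurity chart.
set -eu

# Steps 1 and 4: values fragment (eBPF driver, JSON alerts, Falcosidekick).
write_values() {
  cat > "$1" <<'EOF'
driver:
  kind: ebpf
falco:
  json_output: true
falcosidekick:
  enabled: true
EOF
}

# Step 2: succeed only if the Falco log text on stdin reports a loaded probe.
probe_loaded() {
  grep -q 'eBPF probe successfully loaded'
}

# Step 5: count JSON alerts on stdin whose "rule" field equals the given name
# (always prints a number; 0 when nothing matched).
count_rule_alerts() {
  grep -cE "\"rule\": *\"$1\"" || true
}

# Gotcha check: after a node kernel upgrade Falco may run with no probe and
# emit no alerts. List every Falco pod in the namespace whose logs lack the
# marker; exit status 1 if any pod is affected. Needs cluster access.
check_cluster() {
  local ns="${1:-falco}" bad=0 pod
  for pod in $(kubectl -n "$ns" get pods -l app.kubernetes.io/name=falco -o name); do
    if ! kubectl -n "$ns" logs "$pod" | probe_loaded; then
      echo "no eBPF probe loaded: $pod" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Offline demo on constructed log lines: `bash falco-check.sh demo`.
if [ "${1:-}" = "demo" ]; then
  printf 'Falco version: 0.0.0\neBPF probe successfully loaded\n' | probe_loaded && echo "probe ok"
  printf '{"priority":"Error","rule":"Write below etc"}\n' | count_rule_alerts 'Write below etc'
fi
```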