{"id":"aec2df9e-7f79-464a-b5d8-ce6b7952b9e9","task":"Detect eBPF-based runtime threats in a Kubernetes cluster using Falco with eBPF driver","domain":"falco.org","steps":["Install Falco with the eBPF probe driver by setting `driver.kind: ebpf` in the Falco Helm chart values","Verify the eBPF probe loads successfully by checking Falco pod logs for `eBPF probe successfully loaded`","Enable relevant rule sets for container runtime threats including `write_below_etc`, `spawned_process_in_container`, and network-based rules","Configure `json_output: true` and route alerts to Falcosidekick for enrichment and forwarding","Test detection by running a privileged container that touches `/etc` or spawns an interactive shell, and confirm an alert fires"],"gotchas":["The eBPF driver requires kernel 4.14+ and a kernel with `CONFIG_BPF_SYSCALL` enabled; GKE Autopilot and some hardened kernels block eBPF program loading","Falco's eBPF probe is kernel-version-sensitive; upgrading the node kernel without updating the Falco driver image can leave Falco running without a loaded probe and producing no alerts","Running Falco as a DaemonSet requires privileged pods or specific Linux capabilities (`SYS_ADMIN`, `SYS_PTRACE`); in hardened clusters these may be blocked by Pod Security Admission"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/aec2df9e-7f79-464a-b5d8-ce6b7952b9e9"}