Deploy k8s-metacollector as a single cluster-wide Deployment using its Helm chart or manifest; it connects to the Kubernetes API server and serves metadata over gRPC on port 45000
Install the k8smeta plugin on each Falco instance via falcoctl artifact install k8smeta
Configure the k8smeta plugin in falco.yaml with init_config pointing to collectorHostname and collectorPort (e.g., falco-k8s-metacollector.falco.svc and 45000)
Add k8smeta to the load_plugins list and restart Falco
Reference k8smeta extraction fields such as k8smeta.pod.name, k8smeta.pod.labels, and k8smeta.deployment.name in rule output and condition fields
Known gotchas
There is one k8s-metacollector per cluster but one k8smeta plugin instance per Falco node; the plugin fetches only metadata for pods scheduled on its local node, reducing API server load
The k8smeta plugin replaces the older built-in Kubernetes metadata fetching; do not use both simultaneously
Network policies must allow Falco pods to reach k8s-metacollector on port 45000; blocked gRPC connectivity causes metadata fields to be empty
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp