{"id":"e3ea713e-1efa-4d22-a1c8-ff416f5141db","task":"Deploy the Falco k8smeta plugin and k8s-metacollector to enrich Falco syscall events with Kubernetes pod and workload metadata","domain":"falco.org","steps":["Deploy k8s-metacollector as a single cluster-wide Deployment using its Helm chart or manifest; it connects to the Kubernetes API server and serves metadata over gRPC on port 45000","Install the k8smeta plugin on each Falco instance via falcoctl artifact install k8smeta","Configure the k8smeta plugin in falco.yaml with init_config pointing to collectorHostname and collectorPort (e.g., falco-k8s-metacollector.falco.svc and 45000)","Add k8smeta to the load_plugins list and restart Falco","Reference k8smeta extraction fields such as k8smeta.pod.name, k8smeta.pod.labels, and k8smeta.deployment.name in rule output and condition fields"],"gotchas":["There is one k8s-metacollector per cluster but one k8smeta plugin instance per Falco node; the plugin fetches only metadata for pods scheduled on its local node, reducing API server load","The k8smeta plugin replaces the older built-in Kubernetes metadata fetching; do not use both simultaneously","Network policies must allow Falco pods to reach k8s-metacollector on port 45000; blocked gRPC connectivity causes metadata fields to be empty"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:40.623Z"},"url":"https://mcp.waymark.network/r/e3ea713e-1efa-4d22-a1c8-ff416f5141db"}