Falco 0.27: Runtime Security for Kubernetes

Introduction

Preventative controls (admission policy, image scanning, RBAC) are necessary — but they don’t catch everything that happens at runtime. When a container starts spawning unexpected shells, touching sensitive paths, or making odd network calls, you need fast signal and a clear trail.

Falco 0.27, released on November 25, 2020, strengthens that runtime layer with a better rule engine, deeper Kubernetes integration, and improved detection capabilities tuned for cloud-native workloads.

Where Falco fits

  • Detection and alerting for suspicious behavior inside containers and on nodes.
  • Audit-friendly signals that complement cluster events and control-plane logs.
  • A starting point for response: turning “something is wrong” into actionable, structured events.

Rule Engine Improvements

  • Rule syntax enhancements provide more expressive security policies.
  • Performance optimizations reduce overhead of rule evaluation.
  • Rule management improvements simplify creating and maintaining security rules.
  • Conditional rules enable more sophisticated threat detection logic.

Kubernetes Integration

  1. CRD support enables managing Falco rules as Kubernetes resources.
  2. Operator improvements simplify deployment and configuration.
  3. Service account integration provides better RBAC support.
  4. Event streaming enhancements enable real-time security event processing.

Detection Capabilities

  • System call monitoring provides deep visibility into container behavior.
  • File access detection identifies unauthorized file system access.
  • Network activity monitoring detects suspicious network connections.
  • Process execution tracking identifies unusual process activity.
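A rules file exercising the building blocks named in the two sections above (lists, macros, conditional rules, and the process, file and Kubernetes fields used in outputs). This is an added example written for this article, not part of Falco's default ruleset; it assumes the standard syscall event source, and the rule names, list contents and tags are illustrative choices.

```yaml
# Added example rule file (not from the Falco project's default ruleset).
# Assumes the standard syscall event source; field names follow Falco's
# filter-field reference.

- list: shell_binaries
  items: [bash, sh, zsh, dash, ksh, ash]

- list: sensitive_config_paths
  items: [/etc/shadow, /etc/passwd, /etc/sudoers]

# Process-exec events; evt.dir=< is the exit of the syscall, when the new
# program image is loaded and the proc.* fields describe it.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# container.id is the literal string "host" for processes outside containers.
- macro: container
  condition: container.id != host

- macro: open_write
  condition: >
    evt.type in (open, openat) and evt.is_open_write=true
    and fd.typechar='f' and fd.num>=0

# Detection 1: an interactive shell (one with a controlling tty) in a container.
- rule: Interactive shell in container
  desc: A shell with a controlling terminal was spawned inside a container
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries) and proc.tty != 0
  output: >
    Interactive shell in container
    (user=%user.name parent=%proc.pname cmdline=%proc.cmdline
    ns=%k8s.ns.name pod=%k8s.pod.name container=%container.name
    image=%container.image.repository)
  priority: WARNING
  tags: [container, shell]

# Detection 2: a write to a sensitive system file from inside a container.
- rule: Sensitive file modified in container
  desc: A process inside a container opened a sensitive system file for writing
  condition: >
    open_write and container
    and fd.name in (sensitive_config_paths)
  output: >
    Sensitive file opened for writing in container
    (file=%fd.name proc=%proc.name cmdline=%proc.cmdline
    ns=%k8s.ns.name pod=%k8s.pod.name image=%container.image.repository)
  priority: ERROR
  tags: [container, filesystem]
```

Validate the file with `falco -V <file>` before deploying it; Falco loads any rules placed under /etc/falco/rules.d by default.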

Getting Started

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco

Summary

Aspect             | Details
-------------------|------------------------------------------------------------------------------
Release Date       | November 25, 2020
Headline Features  | Rule engine improvements, better Kubernetes integration, enhanced detection
Why it Matters     | Provides runtime security monitoring and threat detection for Kubernetes workloads

Falco 0.27 continues to evolve as a leading runtime security solution, providing teams with powerful tools for detecting and responding to security threats in Kubernetes environments.