Falco 0.27: Runtime Security for Kubernetes
K8s Guru

Introduction
Preventative controls (admission policy, image scanning, RBAC) are necessary — but they don’t catch everything that happens at runtime. When a container starts spawning unexpected shells, touching sensitive paths, or making odd network calls, you need fast signal and a clear trail.
Falco 0.27, released on November 25, 2020, strengthens that runtime layer with a better rule engine, deeper Kubernetes integration, and improved detection capabilities tuned for cloud-native workloads.
Where Falco fits
- Detection and alerting for suspicious behavior inside containers and on nodes.
- Audit-friendly signals that complement cluster events and control-plane logs.
- A starting point for response: turning “something is wrong” into actionable, structured events.
Rule Engine Improvements
- Rule syntax enhancements provide more expressive security policies.
- Performance optimizations reduce overhead of rule evaluation.
- Rule management improvements simplify creating and maintaining security rules.
- Conditional rules enable more sophisticated threat detection logic.
Kubernetes Integration
- CRD support enables managing Falco rules as Kubernetes resources.
- Operator improvements simplify deployment and configuration.
- Service account integration provides better RBAC support.
- Event streaming enhancements enable real-time security event processing.
Detection Capabilities
- System call monitoring provides deep visibility into container behavior.
- File access detection identifies unauthorized file system access.
- Network activity monitoring detects suspicious network connections.
- Process execution tracking identifies unusual process activity.
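As an added example (not part of the original post and not taken from Falco's bundled ruleset), the rule below shows how process-execution and container fields combine to flag an interactive shell started inside a container. The list, macro and rule names are hypothetical; the condition and output use standard Falco fields.

```yaml
# Example rules file. All list/macro/rule names here are hypothetical.

# Shell binaries we treat as interactive shells.
- list: example_shell_binaries
  items: [bash, sh, zsh, ksh, dash]

# True for events that originate inside a container rather than on the host.
- macro: example_in_container
  condition: (container.id != host)

# True on the exit side of execve, i.e. once a new program has been started.
- macro: example_process_started
  condition: (evt.type = execve and evt.dir = <)

- rule: Example Interactive Shell In Container
  desc: >
    A shell with an attached terminal was started inside a container.
    Production workloads rarely need this, so it is worth a look.
  condition: >
    example_process_started
    and example_in_container
    and proc.name in (example_shell_binaries)
    and proc.tty != 0
  # Include Kubernetes metadata so the alert can be routed to the owning team.
  output: >
    Shell started in container
    (user=%user.name command=%proc.cmdline parent=%proc.pname
    container=%container.name image=%container.image.repository
    k8s_ns=%k8s.ns.name k8s_pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, shell, example]
```

Custom rules like this are normally kept in a local rules file such as `/etc/falco/falco_rules.local.yaml`, so that updates to the default ruleset do not overwrite them.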
Getting Started
```bash
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco
```
Summary
| Aspect | Details |
|---|---|
| Release Date | November 25, 2020 |
| Headline Features | Rule engine improvements, better Kubernetes integration, enhanced detection |
| Why it Matters | Provides runtime security monitoring and threat detection for Kubernetes workloads |
Falco 0.27 continues to evolve as a leading runtime security solution, providing teams with powerful tools for detecting and responding to security threats in Kubernetes environments.