Falco 0.30: Runtime Security for Kubernetes

Introduction

Falco 0.30 — Runtime Security for Kubernetes — was released on October 5, 2021.

Runtime detection usually becomes urgent the first time something unexpected runs inside a production container: a shell in a pod that should never have one, a read of /etc/shadow, a write under /etc. Admission policy stops a risky manifest before it ships; Falco watches what the workload actually does once it is running, and that is the gap this release keeps closing.

In this release: Falco 0.30 strengthens runtime security with an improved rule engine, tighter Kubernetes integration, and expanded threat detection for cloud-native workloads.

Rule Engine Improvements

  • Rule performance optimizations reduce the overhead of evaluating rules against the syscall stream.
  • Rule syntax enhancements allow more expressive conditions for threat detection.
  • Rule library expansion adds pre-built rules for common security scenarios.
  • Rule testing tools allow rules to be validated before deployment; the quickest check is still `falco -V <rules_file>`, which parses the file and exits non-zero on a syntax or undefined-macro error, so run it in CI before a rules change reaches a cluster.

Kubernetes Integration

  1. CRD support enables managing Falco rules as Kubernetes resources.
  2. Operator improvements simplify deployment and configuration management.
  3. RBAC integration provides fine-grained access control for rule management.
  4. Multi-cluster support enables centralized rule management across clusters.

Threat Detection

  • Syscall monitoring improvements give better visibility into container behavior; Falco still sources its events from the kernel module or eBPF probe, so what it sees is what the kernel saw, not what the process reported.
  • Network monitoring enhancements detect suspicious network activity such as unexpected outbound connections.
  • File system monitoring expansion tracks file opens and modifications, including sensitive paths.
  • Process monitoring improvements detect unauthorized process execution, including shells and package managers started inside running containers.

Observability & Alerting

  • Event streaming improvements deliver security events in real time over Falco's outputs (stdout, file, syslog, program, HTTP and gRPC).
  • Alert integration expansion supports more notification channels, typically fed through falcosidekick.
  • Metrics expansion exposes detailed security metrics for Prometheus through falco-exporter, which reads the gRPC output.
  • Logging enhancements provide structured JSON logs (json_output=true) for security analysis; each event carries the rule name, priority, timestamp and the individual output fields as a nested object, so downstream tooling does not have to re-parse the human-readable output string.
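The structured JSON stream is what most teams actually build their alerting on. The following is an added example, not code from the Falco project or from this page: a small Python consumer for Falco's json_output=true stream that parses one event per line (skipping anything that is not JSON), filters by minimum priority, suppresses repeats of the same rule from the same container inside a time window, and counts alerts per namespace/pod/rule for triage. The event lines are constructed for the example; the top-level keys (output, priority, rule, time, output_fields) and the field names (container.id, k8s.ns.name, k8s.pod.name, proc.name) follow Falco's JSON output, the rule names resemble those in the default ruleset, and the container ids, pod names and timestamps are made up.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Falco priorities from most to least severe; these are the strings json_output emits.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Constructed sample of a json_output=true stream: one JSON object per line,
# deliberately out of order, with one non-JSON line mixed in. Container ids,
# pod names and timestamps are made up for this example.
SAMPLE_EVENTS = """\
{"output":"12:00:03: Warning Shell spawned in container (user=root k8s.pod=web-7d9f shell=bash)","priority":"Warning","rule":"Detect shell in container","time":"2021-10-05T12:00:03.000000000Z","output_fields":{"container.id":"3f2a1b","k8s.ns.name":"default","k8s.pod.name":"web-7d9f","proc.name":"bash","user.name":"root"}}
{"output":"12:00:01: Warning Shell spawned in container (user=root k8s.pod=web-7d9f shell=sh)","priority":"Warning","rule":"Detect shell in container","time":"2021-10-05T12:00:01.000000000Z","output_fields":{"container.id":"3f2a1b","k8s.ns.name":"default","k8s.pod.name":"web-7d9f","proc.name":"sh","user.name":"root"}}
not-json: constructed stand-in for a non-JSON line that a consumer must skip
{"output":"12:00:05: Notice Sensitive file opened for reading (file=/etc/shadow)","priority":"Notice","rule":"Read sensitive file untrusted","time":"2021-10-05T12:00:05.500000000Z","output_fields":{"container.id":"3f2a1b","fd.name":"/etc/shadow","k8s.ns.name":"default","k8s.pod.name":"web-7d9f","proc.name":"cat","user.name":"root"}}
{"output":"12:01:30: Warning Shell spawned in container (user=root k8s.pod=web-7d9f shell=bash)","priority":"Warning","rule":"Detect shell in container","time":"2021-10-05T12:01:30.000000000Z","output_fields":{"container.id":"3f2a1b","k8s.ns.name":"default","k8s.pod.name":"web-7d9f","proc.name":"bash","user.name":"root"}}
{"output":"12:01:31: Error File below /etc opened for writing (file=/etc/passwd)","priority":"Error","rule":"Write below etc","time":"2021-10-05T12:01:31.000000000Z","output_fields":{"container.id":"9c8d7e","fd.name":"/etc/passwd","k8s.ns.name":"payments","k8s.pod.name":"api-5b2c","proc.name":"sed","user.name":"root"}}
{"output":"12:01:32: Informational Privileged container started (image=registry.example/api:1.2)","priority":"Informational","rule":"Launch Privileged Container","time":"2021-10-05T12:01:32.000000000Z","output_fields":{"container.id":"9c8d7e","container.image.repository":"registry.example/api","k8s.ns.name":"payments","k8s.pod.name":"api-5b2c","user.name":"root"}}
"""


def parse_time(ts: str) -> datetime:
    """Parse Falco's RFC 3339 UTC timestamp with nanoseconds (datetime only keeps microseconds)."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def parse_events(text: str) -> list:
    """Return well-formed Falco events sorted by time; non-JSON or incomplete lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not all(k in ev for k in ("rule", "priority", "time", "output_fields")):
            continue
        ev["_ts"] = parse_time(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def at_least(events: list, min_priority: str) -> list:
    """Keep events whose priority is min_priority or more severe."""
    cutoff = PRIORITIES.index(min_priority)
    return [e for e in events if PRIORITIES.index(e["priority"]) <= cutoff]


def dedupe(events: list, window: timedelta = timedelta(seconds=60)):
    """Suppress repeats of the same rule from the same container within `window`.

    Only kept events reset the window, so a burst of identical alerts from one
    container produces one alert per window instead of one per syscall.
    """
    last_seen = {}
    kept, suppressed = [], []
    for e in events:  # relies on parse_events having sorted by time
        key = (e["rule"], e["output_fields"].get("container.id", "host"))
        prev = last_seen.get(key)
        if prev is not None and e["_ts"] - prev < window:
            suppressed.append(e)
            continue
        last_seen[key] = e["_ts"]
        kept.append(e)
    return kept, suppressed


def summarize(events: list) -> Counter:
    """Count alerts per (namespace, pod, rule) so triage starts from the noisiest workload."""
    return Counter(
        (e["output_fields"].get("k8s.ns.name", "-"),
         e["output_fields"].get("k8s.pod.name", "-"),
         e["rule"])
        for e in events)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    kept, suppressed = dedupe(at_least(events, "Warning"))
    for e in kept:
        print(e["time"], e["priority"], e["rule"], e["output_fields"].get("k8s.pod.name"))
    print(f"{len(suppressed)} repeat(s) suppressed inside the window")
    for (ns, pod, rule), n in summarize(events).most_common():
        print(f"{n:>3}  {ns}/{pod}  {rule}")
```

In production the same functions would read `sys.stdin` from `falco -o json_output=true` or a file output, and the dedupe key would usually include the pod rather than only the container id so that a restarted container does not reset the window. The window is a trade-off: too short and a noisy rule floods the channel, too long and a second, genuinely different shell in the same container is silently dropped; keep the suppressed events in a log even when you do not page on them.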

Getting Started

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco

Create a custom rule. The macros it uses (spawned_process, container, shell_procs, container_entrypoint) are defined in the default falco_rules.yaml, so load this file alongside the default rules rather than instead of them, otherwise the rule fails to parse:

- rule: Detect shell in container
  desc: Notice shell activity within a container
  condition: >
    spawned_process and container and
    shell_procs and proc.tty != 0 and
    container_entrypoint
  output: >
    Shell spawned in container (user=%user.name %container.info
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING

Summary

Aspect             Details
Release Date       October 5, 2021
Headline Features  Rule engine improvements, enhanced Kubernetes integration, expanded threat detection
Why it Matters     Provides comprehensive runtime security monitoring for Kubernetes workloads

Falco 0.30 continues to evolve as a leading runtime security solution, providing teams with powerful threat detection capabilities.