The Falco Operator manages Falco deployments, companion components, and runtime artifacts in Kubernetes through a set of cooperating controllers.
The Falco Operator is the primary component that users install and interact with. It runs as a DaemonSet (by default) in the falco-operator namespace and watches for Custom Resources in the instance.falcosecurity.dev and artifact.falcosecurity.dev API groups.
The instance operator binary registers four controllers:
- Falco controller — Reconciles Falco CRs
- Component controller — Reconciles Component CRs
- ConfigMap reference controller — Manages finalizers on referenced ConfigMaps
- Secret reference controller — Manages finalizers on referenced Secrets
Responsibilities:
- Reconcile Falco CRs into DaemonSets or Deployments
- Reconcile Component CRs into Deployments for companion services
- Manage RBAC resources (ServiceAccount, Role, RoleBinding, ClusterRole, ClusterRoleBinding)
- Create Services for pod discovery
- Create ConfigMaps with base Falco configuration
- Deploy the Artifact Operator as a native sidecar in each Falco pod
- Track Secret and ConfigMap references with finalizers
Reconciliation flow for Falco CRs:
- Fetch the Falco CR
- Handle deletion (cleanup via finalizers)
- Create RBAC resources
- Create a Service
- Create a ConfigMap with base configuration
- Apply defaults (engine mode, resource limits, probes)
- Set finalizer for graceful deletion
- Create the DaemonSet or Deployment with the Artifact Operator as a native sidecar
The Artifact Operator runs as a native sidecar container (Kubernetes 1.29+) in each Falco pod. It watches for Custom Resources in the artifact.falcosecurity.dev API group and delivers artifacts to the Falco container via shared emptyDir volumes.
Responsibilities:
- Watch for Rulesfile, Plugin, and Config CRs
- Download OCI artifacts (rules and plugin binaries)
- Resolve inline definitions and ConfigMap references
- Write artifacts to the shared filesystem with priority ordering
- Manage plugin configuration entries
- Record Kubernetes events for all operations
Three controllers handle different artifact types:
| Controller | Artifact Type | Sources | Output Path |
|---|---|---|---|
| Rulesfile | Detection rules (.yaml) | OCI artifact, inline YAML, ConfigMap | Shared rulesfiles volume |
| Plugin | Plugin binaries (.so) | OCI artifact | Shared plugins volume |
| Config | Configuration fragments (.yaml) | Inline YAML, ConfigMap | Shared config volume |
```text
┌──────────────────────────────────────────────────────────────────┐
│                      Kubernetes API Server                       │
│                                                                  │
│  Falco CR Component CR   Rulesfile CR   Plugin CR  Config CR     │
└─────┬───────────┬──────────────┬────────────┬──────────┬─────────┘
      │           │              │            │          │
      ▼           ▼              ▼            ▼          ▼
┌──────────────────────┐
│    Falco Operator    │ Watches all CRDs, reconciles
│     (Deployment)     │ Falco instances, Components,
│                      │ and reference finalizers
└───┬──────────┬───────┘
    │          │ creates
    │          ▼
    │ ┌───────────────────────────────────────────────────┐
    │ │          Falco Pod (per node or replica)          │
    │ │                                                   │
    │ │ ┌──────────────────┐ ┌───────────────────────┐    │
    │ │ │ Artifact Operator│ │   Falco Container     │    │
    │ │ │ (native sidecar) │ │                       │    │
    │ │ │                  │ │ modern_ebpf /         │    │
    │ │ │ Watches artifact │ │ nodriver              │    │
    │ │ │ CRs, downloads   │ │                       │    │
    │ │ │ OCI artifacts,   │ │ Reads:                │    │
    │ │ │ writes to shared │ │ /etc/falco/rules.d    │    │
    │ │ │ volumes ─────────┼──┼─► /etc/falco/config.d │   │
    │ │ │                  │ │ /usr/share/falco/     │    │
    │ │ │                  │ │ plugins/              │    │
    │ │ └──────────────────┘ └───────────────────────┘    │
    │ └───────────────────────────────────────────────────┘
    │ creates
    ▼
┌──────────────────────────────┐
│     Component Deployment     │ e.g., k8s-metacollector
│     (per Component CR)       │
└──────────────────────────────┘
```
Users only need to install the Falco Operator Deployment. The Artifact Operator is automatically deployed as a sidecar alongside each Falco instance — users never interact with it directly.
| API Group | Scope | CRDs |
|---|---|---|
| instance.falcosecurity.dev/v1alpha1 | Cluster-level instance management | Falco, Component |
| artifact.falcosecurity.dev/v1alpha1 | Per-node artifact delivery | Rulesfile, Plugin, Config |
All CRDs report status through Kubernetes conditions:
Instance CRDs (Falco, Component):
- `Reconciled` — Whether the last reconciliation succeeded
- `Available` — Whether the service is ready
Artifact CRDs (Rulesfile, Plugin, Config):
- `Programmed` — Whether the artifact is successfully applied
- `ResolvedRefs` — Whether all referenced resources (ConfigMaps, Secrets) exist
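A health check over these conditions, as an added example that is not part of the operator's code: it evaluates the four condition types above on constructed CR objects and reports every CR that is not healthy, treating an unreported condition as a problem (reason and message strings in the samples are constructed).

```python
# Added example (not Falco Operator code): evaluates the status conditions the
# page lists over constructed CR objects, the way a health check or alert rule
# would. Reason/message strings in the samples are constructed.
from typing import Dict, List, Tuple

# Condition types each CRD family reports
EXPECTED = {"Falco": ("Reconciled", "Available"), "Component": ("Reconciled", "Available"),
            "Rulesfile": ("Programmed", "ResolvedRefs"), "Plugin": ("Programmed", "ResolvedRefs"),
            "Config": ("Programmed", "ResolvedRefs")}


def check_cr(cr: dict) -> Tuple[bool, List[str]]:
    """Return (healthy, problems). A missing condition is a problem too: a CR
    the operator has not reconciled yet is unreported, not healthy."""
    expected = EXPECTED.get(cr.get("kind"))
    if expected is None:
        return False, [f"unknown kind {cr.get('kind')!r}"]
    conds = {c["type"]: c for c in cr.get("status", {}).get("conditions", [])}
    problems = []
    for ctype in expected:
        c = conds.get(ctype)
        if c is None:
            problems.append(f"{ctype}: not reported")
        elif c.get("status") != "True":  # "False" and "Unknown" are both failures
            detail = " ".join(s for s in (c.get("reason"), c.get("message")) if s)
            problems.append(f"{ctype}={c.get('status')}: {detail}")
    return not problems, problems


def unhealthy(crs: List[dict]) -> Dict[str, List[str]]:
    """Map 'Kind/name' to its problems for every CR that is not healthy."""
    report = {}
    for cr in crs:
        ok, problems = check_cr(cr)
        if not ok:
            report[f"{cr.get('kind')}/{cr.get('metadata', {}).get('name')}"] = problems
    return report


# Constructed sample objects: a healthy Falco instance, a Rulesfile whose ConfigMap
# is missing (so Falco runs without those rules), and a Plugin not yet reconciled.
SAMPLE = [
    {"kind": "Falco", "metadata": {"name": "falco"}, "status": {"conditions": [
        {"type": "Reconciled", "status": "True", "reason": "Succeeded"},
        {"type": "Available", "status": "True", "reason": "Ready"}]}},
    {"kind": "Rulesfile", "metadata": {"name": "team-rules"}, "status": {"conditions": [
        {"type": "Programmed", "status": "False", "reason": "RefNotFound"},
        {"type": "ResolvedRefs", "status": "False", "reason": "RefNotFound",
         "message": "configmap team-rules not found"}]}},
    {"kind": "Plugin", "metadata": {"name": "k8saudit"}},
]
```

A Rulesfile whose `ResolvedRefs` is false is the case worth alerting on: Falco keeps running, but without the rules that CR was supposed to deliver.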
The operator uses Kubernetes finalizers to protect referenced resources:
- `artifact.falcosecurity.dev/secret-in-use` — Prevents deletion of Secrets referenced by OCI artifact credentials
- `artifact.falcosecurity.dev/configmap-in-use` — Prevents deletion of ConfigMaps referenced by Rulesfile or Config resources
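A model of this reference bookkeeping, as an added example that is not the operator's code: it computes which Secrets and ConfigMaps must carry the in-use finalizers for a given set of artifact CRs, and shows that a finalizer is released only once no CR references the object. The spec field names `configMapRef` and `ociArtifact.pullSecret` are assumptions, not the CRD schema.

```python
# Added example (not Falco Operator code): a model of the reference-finalizer
# bookkeeping described above. Spec field names (configMapRef, ociArtifact.pullSecret)
# are assumptions, not the CRD's real schema.
from typing import Dict, List, Set

FINALIZER_FOR = {
    "Secret": "artifact.falcosecurity.dev/secret-in-use",
    "ConfigMap": "artifact.falcosecurity.dev/configmap-in-use",
}

def referenced(crs: List[dict]) -> Dict[str, Set[str]]:
    """Names of ConfigMaps (Rulesfile/Config refs) and Secrets (OCI creds) in use."""
    refs: Dict[str, Set[str]] = {"ConfigMap": set(), "Secret": set()}
    for cr in crs:
        spec = cr.get("spec", {})
        if cr["kind"] in ("Rulesfile", "Config") and "configMapRef" in spec:
            refs["ConfigMap"].add(spec["configMapRef"])
        if "pullSecret" in spec.get("ociArtifact", {}):
            refs["Secret"].add(spec["ociArtifact"]["pullSecret"])
    return refs

def reconcile_finalizers(crs: List[dict], objects: List[dict]) -> Dict[str, List[str]]:
    """Finalizer list each Secret/ConfigMap should carry after reconciliation: the
    in-use finalizer is present while any CR references the object and dropped once
    none does; finalizers owned by others are left untouched (a non-empty list keeps
    an object with deletionTimestamp set from being removed)."""
    refs = referenced(crs)
    result = {}
    for obj in objects:
        kind, name = obj["kind"], obj["metadata"]["name"]
        own = FINALIZER_FOR[kind]
        fins = [f for f in obj["metadata"].get("finalizers", []) if f != own]
        if name in refs[kind]:
            fins.append(own)
        result[f"{kind}/{name}"] = fins
    return result

# Constructed sample state: two CRs share one ConfigMap, a Plugin pulls from a
# private registry with a pull Secret, and an orphaned Secret still carries the finalizer.
CRS = [
    {"kind": "Rulesfile", "metadata": {"name": "a"}, "spec": {"configMapRef": "team-rules"}},
    {"kind": "Config", "metadata": {"name": "b"}, "spec": {"configMapRef": "team-rules"}},
    {"kind": "Plugin", "metadata": {"name": "c"},
     "spec": {"ociArtifact": {"reference": "ghcr.io/example/plugin:0.1", "pullSecret": "regcred"}}},
]
OBJECTS = [
    {"kind": "ConfigMap", "metadata": {"name": "team-rules"}},
    {"kind": "Secret", "metadata": {"name": "regcred", "finalizers": ["example.com/other"]}},
    {"kind": "Secret", "metadata": {"name": "old-cred", "finalizers": [FINALIZER_FOR["Secret"]]}},
]
```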
All controllers use Server-Side Apply (SSA) for resource management:
- The operator only manages fields it owns, leaving user-applied changes intact
- Concurrent modifications to managed fields are detected and reported
- Managed fields comparison prevents unnecessary API calls (spurious updates)
- Finalizer operations use Patch instead of Update for safety
Defaults applied to a Falco instance reconciled as a DaemonSet:
| Setting | Value |
|---|---|
| Engine | modern_ebpf |
| Container engines | CRI + Docker enabled |
| Outputs | stdout + syslog |
| Webserver | Enabled (port 8765, Prometheus metrics) |
| Security context | Privileged |
| Host mounts | /proc, /sys, /dev, /etc, container runtimes |
| Resource requests | 100m CPU, 512Mi memory |
| Resource limits | 1000m CPU, 1024Mi memory |
| Probes | Liveness (60s delay), Readiness (30s delay) |
Defaults applied to a Falco instance reconciled as a Deployment:
| Setting | Value |
|---|---|
| Engine | nodriver (plugin-only) |
| Container engines | All disabled |
| Designed for | Plugin-based event sources |
Artifact Operator sidecar settings:
| Setting | Value |
|---|---|
| Image | Configurable via ARTIFACT_OPERATOR_IMAGE env var |
| Default image | docker.io/falcosecurity/artifact-operator:latest |
| Probes | Readiness (5s delay), Liveness (15s delay) on port 8081 |
| Volumes | 3 shared emptyDir volumes (config, rulesfiles, plugins) |