
Bug Report: Falco Edera Plugin — "ignoring event for unknown zone" #45

@jedsalazar


Summary

The Falco Edera plugin (libedera_falco_plugin.so) receives events from an active Edera zone but never registers the zone as "known." Every event produces the warning ignoring event for unknown zone "<uuid>" and all edera_zone source Falco rules are silently skipped. The zone is healthy and running workloads; the plugin just never discovers it.

Impact

Zone-level Falco rules (source: edera_zone) never fire. Host syscall rules (source: syscall) work correctly; the issue is limited to in-zone detection.

Environment

Component | Version / Detail
EKS Kubernetes | v1.34.2-eks-ecaa3a6
Node AMI | (Amazon Linux 2023.9.20251208)
Node kernel | 6.1.159
Instance type | t3.2xlarge
Region | us-west-2
Container runtime | containerd 2.1.5
RuntimeClass | edera (handler: edera)
Falco | 0.43.0 (Libs 0.23.1, Plugin API 3.12.0, Engine 0.58.0)
Edera plugin | /var/lib/edera/protect/falco/libedera_falco_plugin.so
Edera daemon socket | /var/lib/edera/protect/daemon.socket

Zone Pod Under Test

Pod: vllm-server-isolated (Deployment, namespace default)

metadata:
  annotations:
    dev.edera/kernel: ghcr.io/edera-dev/zone-kernel:6.16
    dev.edera/resource-policy: "static"
spec:
  runtimeClassName: edera
  containers:
  - name: vllm
    image: python:3.11-slim
    resources:
      requests:
        memory: "256Mi"
        cpu: "100m"
      limits:
        memory: "400Mi"
        cpu: "500m"
  - name: kernel-observer
    image: ...
    resources:
      requests:
        memory: "32Mi"
        cpu: "25m"
      limits:
        memory: "64Mi"
        cpu: "100m"

Falco Helm Configuration

Deployed via Helm with the following Edera-specific values:

mounts:
  volumes:
    - name: edera-plugin
      hostPath:
        path: /var/lib/edera/protect/falco
    - name: edera-daemon-socket
      hostPath:
        path: /var/lib/edera/protect
  volumeMounts:
    - name: edera-plugin
      mountPath: /var/lib/edera/protect/falco
      readOnly: true
    - name: edera-daemon-socket
      mountPath: /var/lib/edera/protect
      readOnly: false

falco:
  plugins:
    - name: edera
      library_path: /var/lib/edera/protect/falco/libedera_falco_plugin.so
      init_config:
        mirror_host_syscalls: true
  load_plugins: [edera]

Edera Daemon Configuration

From /var/lib/edera/protect/daemon.toml:

[oci]
docker-hub-mirror = "index.docker.io"

[zone]
cache-default-kernel = true
cache-default-initrd = true
memory-limit-mb = 1024

[network]
nameservers = ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"]

[network.ipv4]
subnet = "10.75.0.0/16"

[network.ipv6]
subnet = "fdd4:1476:6c7e::/48"

Symptoms

Falco logs are saturated with a single repeating warning (hundreds per second):

Wed Jan 28 22:44:32 2026: [libs]: edera: [WARN] ignoring event for unknown zone "6bbf9d82-6bfe-441e-b625-d9129ee89b6a"
Wed Jan 28 22:44:32 2026: [libs]: edera: [WARN] ignoring event for unknown zone "6bbf9d82-6bfe-441e-b625-d9129ee89b6a"
Wed Jan 28 22:44:32 2026: [libs]: edera: [WARN] ignoring event for unknown zone "6bbf9d82-6bfe-441e-b625-d9129ee89b6a"
... (continuous, every log line)
  • No Falco startup lines are visible in --tail=5000 — the log buffer is entirely consumed by this warning.
  • Previous pod logs (--previous) are not available.

Reproduction Steps

  1. Deploy Edera Protect on an EKS node (AMI above).
  2. Install Falco via Helm with the Edera plugin values shown above.
  3. Deploy a pod with runtimeClassName: edera and annotation dev.edera/kernel: ghcr.io/edera-dev/zone-kernel:6.16.
  4. Wait for the pod to reach Running state.
  5. Check Falco logs: kubectl logs -n falco -l app.kubernetes.io/name=falco -c falco --tail=30
  6. Observe continuous "unknown zone" warnings for the zone UUID.
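As an added triage helper (not part of this report, the Edera plugin, or Falco), the following script parses Falco log lines in the format shown above, counts the "unknown zone" warnings per zone UUID and per second, and checks whether any non-warning lines survive in the window, which is the --tail=5000 observation made concrete. The expected_zones argument is assumed to be supplied by the operator (the UUID of the zone backing the pod under test); the sample lines are constructed from the warning in the report.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample, mirroring the saturated Falco log in the report.
ZONE = "6bbf9d82-6bfe-441e-b625-d9129ee89b6a"
SAMPLE_LOG = [
    f'Wed Jan 28 22:44:32 2026: [libs]: edera: [WARN] ignoring event for unknown zone "{ZONE}"',
    f'Wed Jan 28 22:44:32 2026: [libs]: edera: [WARN] ignoring event for unknown zone "{ZONE}"',
    f'Wed Jan 28 22:44:32 2026: [libs]: edera: [WARN] ignoring event for unknown zone "{ZONE}"',
    f'Wed Jan 28 22:44:33 2026: [libs]: edera: [WARN] ignoring event for unknown zone "{ZONE}"',
]
# Falco prefixes each line with a ctime-style timestamp followed by ": ".
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): (?P<msg>.*)$")
UNKNOWN_ZONE_RE = re.compile(
    r'\[libs\]: edera: \[WARN\] ignoring event for unknown zone "(?P<zone>[0-9a-f-]{36})"'
)

def parse_line(line):
    """Split one Falco log line into (datetime, message); None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("msg")

def triage(lines, expected_zones=()):
    """Summarise 'unknown zone' warnings in a window of Falco log lines."""
    # expected_zones (operator-supplied, assumed) lists zone UUIDs the plugin
    # should know; any that appear in the warnings were never discovered.
    per_zone = Counter()    # warnings per zone UUID
    per_second = Counter()  # warnings per wall-clock second, to measure saturation
    other = 0               # lines that are not this warning (startup lines, rule output)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        m = UNKNOWN_ZONE_RE.search(msg)
        if m:
            per_zone[m.group("zone")] += 1
            per_second[ts] += 1
        else:
            other += 1
    return {
        "unknown_zones": dict(per_zone),
        "peak_per_second": max(per_second.values(), default=0),
        "non_warning_lines": other,
        "undiscovered_expected_zones": sorted(z for z in expected_zones if z in per_zone),
        "log_saturated": bool(per_zone) and other == 0,
    }
```

Feed it the output of the kubectl logs command from step 5; a non-empty undiscovered_expected_zones together with log_saturated confirms the symptom rather than a transient warning during zone startup.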

What Was Tried

  • Restarting Falco (kubectl rollout restart daemonset/falco -n falco): zone remains unknown after restart.
  • Deleting and recreating the isolated pod — new pod, same behavior.
  • Verified daemon socket present and accessible at /var/lib/edera/protect/daemon.socket.
  • Verified plugin file libedera_falco_plugin.so exists (5.2 MB) and Falco loads it (confirmed in earlier logs before buffer saturation).
  • Verified that host syscall detection works: Falco rules with source: syscall fire correctly (e.g., Proc Environ Read triggered successfully during demo attack).
