k8saudit-gke plugin is not loading for falco security setup in GKE standard cluster

[vinayreddy-guda-exa]

k8saudit-gke plugin is not loading for falco security setup in GKE standard cluster. I am using google cloud pub/sub subscription and gcp project in values.yaml.

How to reproduce it

Expected behaviour

Screenshots

I am trying to get gke audit logs using k8saudit-gke plugin. In sidekick UI console, which i am starting using --set run time argument for both sidekick and sidekick UI, I always see only syscall source events. Even when i enabled k8saudit, i see the logs for few items such as privilege pod rule violation among other. I would need help for complete gke audit data here.

temp.yaml

Attached are the logs from one of the daemon set pods which is unable to load the k8saudit-gke driver:

kubectl logs falco-87kl8 -n falcotwo
Defaulted container "falco" out of: falco, falcoctl-artifact-follow, falco-driver-loader (init), falcoctl-artifact-install (init)
Wed Oct 1 10:52:50 2025: Falco version: 0.41.3 (x86_64)
Wed Oct 1 10:52:50 2025: Falco initialized with configuration files:
Wed Oct 1 10:52:50 2025: /etc/falco/falco.yaml | schema validation: ok
Wed Oct 1 10:52:50 2025: System info: Linux version 6.6.97+ (builder@705b48dad54d) (Chromium OS 17.0_pre498229-r33 clang version 17.0.0 (/mnt/host/source/src/third_party/llvm-project 14f0776550b5a49e1c42f49a00213f7f3fa047bf), LLD 17.0.0) falcosecurity/falco#1 SMP Fri Aug 22 11:53:37 UTC 2025
Wed Oct 1 10:52:50 2025: Loading plugin 'k8saudit-gke' from file /usr/share/falco/plugins/libk8saudit-gke.so
Wed Oct 1 10:52:50 2025: Loading plugin 'json' from file /usr/share/falco/plugins/libjson.so
Wed Oct 1 10:52:50 2025: Loading plugin 'container' from file /usr/share/falco/plugins/libcontainer.so
Wed Oct 1 10:52:50 2025: [libs]: container: Enabled 'podman' container engine.
Wed Oct 1 10:52:50 2025: [libs]: container: * enabled container runtime socket at '/host/run/podman/podman.sock'
Wed Oct 1 10:52:50 2025: [libs]: container: Enabled 'docker' container engine.
Wed Oct 1 10:52:50 2025: [libs]: container: * enabled container runtime socket at '/host/var/run/docker.sock'
Wed Oct 1 10:52:50 2025: [libs]: container: Enabled 'cri' container engine.
Wed Oct 1 10:52:50 2025: [libs]: container: * enabled container runtime socket at '/host/run/containerd/containerd.sock'
Wed Oct 1 10:52:50 2025: [libs]: container: * enabled container runtime socket at '/host/run/crio/crio.sock'
Wed Oct 1 10:52:50 2025: [libs]: container: * enabled container runtime socket at '/host/run/k3s/containerd/containerd.sock'
Wed Oct 1 10:52:50 2025: [libs]: container: * enabled container runtime socket at '/host/run/host-containerd/containerd.sock'
Wed Oct 1 10:52:50 2025: [libs]: container: Enabled 'containerd' container engine.
Wed Oct 1 10:52:50 2025: [libs]: container: * enabled container runtime socket at '/host/run/host-containerd/containerd.sock'
Wed Oct 1 10:52:50 2025: [libs]: container: Enabled 'lxc' container engine.
Wed Oct 1 10:52:50 2025: [libs]: container: Enabled 'libvirt_lxc' container engine.
Wed Oct 1 10:52:50 2025: [libs]: container: Enabled 'bpm' container engine.
Wed Oct 1 10:52:50 2025: Loading rules from:
Wed Oct 1 10:52:50 2025: /etc/falco/falco_rules.yaml | schema validation: ok
Wed Oct 1 10:52:50 2025: Hostname value has been overridden via environment variable to: gke-sre-wcpg-spot-1-1-node-pool-20230-d753e78d-g7c7
Wed Oct 1 10:52:50 2025: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Wed Oct 1 10:52:50 2025: Starting health webserver with threadiness 8, listening on 0.0.0.0:8765
Wed Oct 1 10:52:50 2025: Loaded event sources: syscall, k8s_audit
Wed Oct 1 10:52:50 2025: Enabled event sources: k8s_audit, syscall
Wed Oct 1 10:52:50 2025: Opening 'k8s_audit' source with plugin 'k8saudit-gke'
Wed Oct 1 10:52:50 2025: [libs]: Trying to open the right engine!
Wed Oct 1 10:52:50 2025: Opening 'syscall' source with BPF probe. BPF probe path: /root/.falco/falco-bpf.o
Wed Oct 1 10:52:50 2025: [libs]: Trying to open the right engine!
Wed Oct 1 10:52:53 2025: An error occurred in an event source, forcing termination...
Syscall event drop monitoring:

• event drop detected: 0 occurrences
• num times actions taken: 0
  Events detected: 0
  Rule counts by severity:
  Triggered rules by rule name:

• Falco version:
  v0.41.3
• System info:

• Cloud provider or hardware configuration: Google Cloud
• OS: COS GKE standard

• Kernel:

• Installation method:
  via helm

Additional context

Using k8saudit plugin, gke plugin was not loading, so i tried loading k8saudit-gke which is throwing error:

my values.yaml(temp.yaml) file is attached. Please suggest.

[vinayreddy-guda-exa]

temp.yaml

[leogr]

Wed Oct 1 10:52:50 2025: Opening 'syscall' source with BPF probe. BPF probe path: /root/.falco/falco-bpf.o
Wed Oct 1 10:52:50 2025: [libs]: Trying to open the right engine!
Wed Oct 1 10:52:53 2025: An error occurred in an event source, forcing termination...

This might be an issue with the syscall data source. Have you tried to use a dedicated deployment for the plugin?
e.g. https://github.com/falcosecurity/charts/blob/master/charts/falco/values-k8saudit.yaml

[vinayreddy-guda-exa]

I have tried with dedicated deployment for the plugin. However, when I violate the rules mentioned in k8s audit yaml like deleting secrets, creating secrets, creating privileged pods etc., none of them pop up. Also i am unable to see data source itself in the sidekickUI.

pod logs:

kubectl logs falco-589cc9469c-sxkb2 -n falcotwo
Defaulted container "falco" out of: falco, falcoctl-artifact-follow, falcoctl-artifact-install (init)
Fri Oct 3 05:07:09 2025: Falco version: 0.41.3 (x86_64)
Fri Oct 3 05:07:09 2025: Falco initialized with configuration files:
Fri Oct 3 05:07:09 2025: /etc/falco/falco.yaml | schema validation: ok
Fri Oct 3 05:07:09 2025: System info: Linux version 6.6.97+ (builder@705b48dad54d) (Chromium OS 17.0_pre498229-r33 clang version 17.0.0 (/mnt/host/source/src/third_party/llvm-project 14f0776550b5a49e1c42f49a00213f7f3fa047bf), LLD 17.0.0) #1 SMP Fri Aug 22 11:53:37 UTC 2025
Fri Oct 3 05:07:09 2025: [libs]: Cannot read host init process proc root: 13
Fri Oct 3 05:07:09 2025: Loading plugin 'k8saudit' from file /usr/share/falco/plugins/libk8saudit.so
Fri Oct 3 05:07:09 2025: Loading plugin 'json' from file /usr/share/falco/plugins/libjson.so
Fri Oct 3 05:07:09 2025: [libs]: Cannot read host init process proc root: 13
Fri Oct 3 05:07:09 2025: [libs]: Cannot read host init process proc root: 13
Fri Oct 3 05:07:09 2025: Loading rules from:
Fri Oct 3 05:07:09 2025: /etc/falco/k8s_audit_rules.yaml | schema validation: ok
Fri Oct 3 05:07:09 2025: Hostname value has been overridden via environment variable to: gke-sre-wcpg-spot-1-1-node-pool-20230-23baa985-cdfl
Fri Oct 3 05:07:09 2025: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Fri Oct 3 05:07:09 2025: Starting health webserver with threadiness 8, listening on 0.0.0.0:8765
Fri Oct 3 05:07:09 2025: Loaded event sources: syscall, k8s_audit
Fri Oct 3 05:07:09 2025: Enabled event sources: k8s_audit
Fri Oct 3 05:07:09 2025: Opening 'k8s_audit' source with plugin 'k8saudit'
Fri Oct 3 05:07:09 2025: [libs]: Trying to open the right engine!

Inside the pod where rules are configured post deployment:

/etc/falco # pwd
/etc/falco
/etc/falco # ls -lart
total 48
-rw-r--r-- 1 root root 2671 Oct 3 05:06 falco.yaml
-rw-r--r-- 1 nonroot nonroot 35121 Oct 3 05:07 k8s_audit_rules.yaml
drwxr-xr-x 1 root root 4096 Oct 3 05:07 ..
drwxrwxrwx 2 root root 4096 Oct 3 05:07 .
/etc/falco #

Attached is the sidekick UI image for your reference.

[leogr]

Have you checked your environment is properly configured to send events to the plugin?

[vinayreddy-guda-exa]

Yes. I have configured cloud log router -> pub/sub topic(destination for cloud logging data) -> subscription for the topic -> gcp service account for falco with subscription role attached.

I also tried configuring gke audit plugin.
Falco goes into panic and crashed when i load gke plugin.

[vinayreddy-guda-exa]

We also get panic logs and pods get crashed. even same issue with gke audit plugin as well which we recently faced.

[leogr]

It seems you're facing multiple (and different issues) at the same time. To troubleshoot this, we need to proceed step-by-step; otherwise, it would be difficult for us to reproduce the issue.

So, let's focus on k8saudit-gke first.

May you try configuring Falco and your environment with k8saudit-gke plugin only (so, no gcpaudit and no syscall data source enabled) to see what happens?

If you still experience issues, please report the exact plugin version and provide all steps to reproduce the problem.

Thanks 🙏

[vinayreddy-guda-exa]

I have configured k8saudit-gke plugin only. It is failing due to an error.

I have used below commands and custom values.yaml file to setup falco:

1. helm repo add falcosecurity https://falcosecurity.github.io/charts
2. helm repo update
3. helm install --replace falco -f values.yaml --namespace falcotwo --create-namespace --set tty=true falcosecurity/falco --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true --set podPriorityClassName=falco-priority

values.yaml

Logs for a falco pod in the daemonset are as follows:
`kubectl logs falco-vlbwl -n falcotwo
Defaulted container "falco" out of: falco, falcoctl-artifact-follow, falco-driver-loader (init), falcoctl-artifact-install (init)
Thu Oct 9 09:31:20 2025: Falco version: 0.41.3 (x86_64)
Thu Oct 9 09:31:20 2025: Falco initialized with configuration files:
Thu Oct 9 09:31:20 2025: /etc/falco/falco.yaml | schema validation: ok
Thu Oct 9 09:31:20 2025: System info: Linux version 6.6.97+ (builder@705b48dad54d) (Chromium OS 17.0_pre498229-r33 clang version 17.0.0 (/mnt/host/source/src/third_party/llvm-project 14f0776550b5a49e1c42f49a00213f7f3fa047bf), LLD 17.0.0) #1 SMP Fri Aug 22 11:53:37 UTC 2025
Thu Oct 9 09:31:20 2025: Loading plugin 'k8saudit-gke' from file /usr/share/falco/plugins/libk8saudit-gke.so
Thu Oct 9 09:31:20 2025: Loading plugin 'json' from file /usr/share/falco/plugins/libjson.so
Thu Oct 9 09:31:20 2025: Loading plugin 'container' from file /usr/share/falco/plugins/libcontainer.so
Thu Oct 9 09:31:20 2025: [libs]: container: Enabled 'podman' container engine.
Thu Oct 9 09:31:20 2025: [libs]: container: * enabled container runtime socket at '/host/run/podman/podman.sock'
Thu Oct 9 09:31:20 2025: [libs]: container: Enabled 'docker' container engine.
Thu Oct 9 09:31:20 2025: [libs]: container: * enabled container runtime socket at '/host/var/run/docker.sock'
Thu Oct 9 09:31:20 2025: [libs]: container: Enabled 'cri' container engine.
Thu Oct 9 09:31:20 2025: [libs]: container: * enabled container runtime socket at '/host/run/containerd/containerd.sock'
Thu Oct 9 09:31:20 2025: [libs]: container: * enabled container runtime socket at '/host/run/crio/crio.sock'
Thu Oct 9 09:31:20 2025: [libs]: container: * enabled container runtime socket at '/host/run/k3s/containerd/containerd.sock'
Thu Oct 9 09:31:20 2025: [libs]: container: * enabled container runtime socket at '/host/run/host-containerd/containerd.sock'
Thu Oct 9 09:31:20 2025: [libs]: container: Enabled 'containerd' container engine.
Thu Oct 9 09:31:20 2025: [libs]: container: * enabled container runtime socket at '/host/run/host-containerd/containerd.sock'
Thu Oct 9 09:31:20 2025: [libs]: container: Enabled 'lxc' container engine.
Thu Oct 9 09:31:20 2025: [libs]: container: Enabled 'libvirt_lxc' container engine.
Thu Oct 9 09:31:20 2025: [libs]: container: Enabled 'bpm' container engine.
Thu Oct 9 09:31:20 2025: Loading rules from:
Thu Oct 9 09:31:20 2025: /etc/falco/falco_rules.yaml | schema validation: ok
Thu Oct 9 09:31:20 2025: Hostname value has been overridden via environment variable to: gke-sre-wcpg-spot-1-1-node-pool-20230-23baa985-kdjc
Thu Oct 9 09:31:20 2025: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Thu Oct 9 09:31:20 2025: Starting health webserver with threadiness 8, listening on 0.0.0.0:8765
Thu Oct 9 09:31:20 2025: Loaded event sources: syscall, k8s_audit
Thu Oct 9 09:31:20 2025: Enabled event sources: k8s_audit, syscall
Thu Oct 9 09:31:20 2025: Opening 'k8s_audit' source with plugin 'k8saudit-gke'
Thu Oct 9 09:31:20 2025: [libs]: Trying to open the right engine!
Thu Oct 9 09:31:20 2025: Opening 'syscall' source with BPF probe. BPF probe path: /root/.falco/falco-bpf.o
Thu Oct 9 09:31:20 2025: [libs]: Trying to open the right engine!
Thu Oct 9 09:31:23 2025: An error occurred in an event source, forcing termination...
Syscall event drop monitoring:

• event drop detected: 0 occurrences
• num times actions taken: 0
  Events detected: 0
  Rule counts by severity:
  Triggered rules by rule name:`

Below are the pod running statistics:
`kubectl describe po falco-vlbwl -n falcotwo
Name: falco-vlbwl
Namespace: falcotwo
Priority: 2000000
Priority Class Name: falco-priority
Service Account: falco
Node: gke-sre-wcpg-spot-1-1-node-pool-20230-23baa985-kdjc/10.32.0.89
Start Time: Thu, 09 Oct 2025 14:56:04 +0530
Labels: app.kubernetes.io/instance=falco
app.kubernetes.io/name=falco
automation.perfectscale.io/generatedFrom=b2eb39b0
controller-revision-hash=7458cc4fff
perfectscale.io/managedBy=Automation
pod-template-generation=2
Annotations: automation.perfectscale.io/originatingRevision: b2eb39b0
automation.perfectscale.io/restartedAt: 2025-10-09T09:18:15Z
checksum/certs: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
checksum/config: 12bf8849c1dfc5df773040771fc110ab4f9235248ed4b3ab771663e78c8f3eb2
checksum/rules: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
dynakube.dynatrace.com/injected: true
iam.gke.io/gcp-service-account: falco-sre@exa-cloud-sre.iam.gserviceaccount.com
Status: Running
IP: 10.128.18.9
IPs:
IP: 10.128.18.9
Controlled By: DaemonSet/falco
Init Containers:
falco-driver-loader:
Container ID: containerd://08bbd1e4021cccdfc3a5b3591084ae43605e43924fcef4b2fda10a1f91cb705f
Image: docker.io/falcosecurity/falco-driver-loader:0.41.3
Image ID: docker.io/falcosecurity/falco-driver-loader@sha256:a9c0c208d4c9eff2577c536ca6e9e629600a2a3daf06dca47810ba5a5d908811
Port:
Host Port:
Args:
ebpf
State: Terminated
Reason: Completed
Exit Code: 0
Started: Thu, 09 Oct 2025 14:56:33 +0530
Finished: Thu, 09 Oct 2025 14:56:59 +0530
Ready: True
Restart Count: 0
Environment:
HOST_ROOT: /host
FALCOCTL_DRIVER_CONFIG_UPDATE_FALCO: false
Mounts:
/etc/falco/config.d from specialized-falco-configs (rw)
/host/boot from boot-fs (ro)
/host/etc from etc-fs (ro)
/host/lib/modules from lib-modules (rw)
/host/proc from proc-fs (ro)
/host/usr from usr-fs (ro)
/root/.falco from root-falco-fs (rw)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-hxs2w (ro)
falcoctl-artifact-install:
Container ID: containerd://3a4e46cdbfee04a600137e72e41f6e36950b9f121c1ccaee5c730141c114a48e
Image: docker.io/falcosecurity/falcoctl:0.11.2
Image ID: docker.io/falcosecurity/falcoctl@sha256:8e02bfd0c44a954495a5c7f980693f603d47c1bec2e55c86319c55134b9a5b6e
Port:
Host Port:
Args:
artifact
install
--log-format=json
State: Terminated
Reason: Completed
Exit Code: 0
Started: Thu, 09 Oct 2025 14:57:01 +0530
Finished: Thu, 09 Oct 2025 14:57:15 +0530
Ready: True
Restart Count: 0
Environment:
Mounts:
/etc/falcoctl from falcoctl-config-volume (rw)
/plugins from plugins-install-dir (rw)
/rulesfiles from rulesfiles-install-dir (rw)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-hxs2w (ro)
Containers:
falco:
Container ID: containerd://f028f3e9799044a2195109cf055ac90ee2550d341526ad1711042a88996713e2
Image: docker.io/falcosecurity/falco:0.41.3
Image ID: docker.io/falcosecurity/falco@sha256:5f6f325327c970430b1a73704160b2fd5b2c1396f2dc0b343b2544638b6b569c
Port: 8765/TCP
Host Port: 0/TCP
Args:
/usr/bin/falco
State: Running
Started: Thu, 09 Oct 2025 15:01:20 +0530
Last State: Terminated
Reason: Error
Exit Code: 137
Started: Thu, 09 Oct 2025 14:59:20 +0530
Finished: Thu, 09 Oct 2025 15:01:20 +0530
Ready: False
Restart Count: 2
Limits:
cpu: 1
memory: 195Mi
Requests:
cpu: 100m
memory: 98Mi
Liveness: http-get http://:8765/healthz delay=60s timeout=5s period=15s #success=1 #failure=3
Readiness: http-get http://:8765/healthz delay=30s timeout=5s period=15s #success=1 #failure=3
Environment:
HOST_ROOT: /host
FALCO_HOSTNAME: (v1:spec.nodeName)
FALCO_K8S_NODE_NAME: (v1:spec.nodeName)
Mounts:
/etc/falco from rulesfiles-install-dir (rw)
/etc/falco/config.d from specialized-falco-configs (rw)
/etc/falco/falco.yaml from falco-yaml (rw,path="falco.yaml")
/host/etc from etc-fs (ro)
/host/proc from proc-fs (rw)
/host/run/containerd/containerd.sock from container-engine-socket-3 (rw)
/host/run/crio/crio.sock from container-engine-socket-4 (rw)
/host/run/host-containerd/containerd.sock from container-engine-socket-2 (rw)
/host/run/k3s/containerd/containerd.sock from container-engine-socket-5 (rw)
/host/run/podman/podman.sock from container-engine-socket-1 (rw)
/host/var/run/docker.sock from container-engine-socket-0 (rw)
/root/.falco from root-falco-fs (rw)
/usr/share/falco/plugins from plugins-install-dir (rw)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-hxs2w (ro)
falcoctl-artifact-follow:
Container ID: containerd://ff4681f66fc0c60a42879b229457d5b3e23d64c747d54a10a696d6e48836447c
Image: docker.io/falcosecurity/falcoctl:0.11.2
Image ID: docker.io/falcosecurity/falcoctl@sha256:8e02bfd0c44a954495a5c7f980693f603d47c1bec2e55c86319c55134b9a5b6e
Port:
Host Port:
Args:
artifact
follow
--log-format=json
State: Running
Started: Thu, 09 Oct 2025 14:57:17 +0530
Ready: True
Restart Count: 0
Environment:
Mounts:
/etc/falcoctl from falcoctl-config-volume (rw)
/plugins from plugins-install-dir (rw)
/rulesfiles from rulesfiles-install-dir (rw)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-hxs2w (ro)
Conditions:
Type Status
PodReadyToStartContainers True
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
container-engine-socket-0:
Type: HostPath (bare host directory volume)
Path: /var/run/docker.sock
HostPathType:
container-engine-socket-1:
Type: HostPath (bare host directory volume)
Path: /run/podman/podman.sock
HostPathType:
container-engine-socket-2:
Type: HostPath (bare host directory volume)
Path: /run/host-containerd/containerd.sock
HostPathType:
container-engine-socket-3:
Type: HostPath (bare host directory volume)
Path: /run/containerd/containerd.sock
HostPathType:
container-engine-socket-4:
Type: HostPath (bare host directory volume)
Path: /run/crio/crio.sock
HostPathType:
container-engine-socket-5:
Type: HostPath (bare host directory volume)
Path: /run/k3s/containerd/containerd.sock
HostPathType:
specialized-falco-configs:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit:
plugins-install-dir:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit:
rulesfiles-install-dir:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit:
root-falco-fs:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit:
boot-fs:
Type: HostPath (bare host directory volume)
Path: /boot
HostPathType:
lib-modules:
Type: HostPath (bare host directory volume)
Path: /lib/modules
HostPathType:
usr-fs:
Type: HostPath (bare host directory volume)
Path: /usr
HostPathType:
etc-fs:
Type: HostPath (bare host directory volume)
Path: /etc
HostPathType:
proc-fs:
Type: HostPath (bare host directory volume)
Path: /proc
HostPathType:
falcoctl-config-volume:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: falco-falcoctl
Optional: false
falco-yaml:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: falco
Optional: false
kube-api-access-hxs2w:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
Optional: false
DownwardAPI: true
QoS Class: Burstable
Node-Selectors:
Tolerations: node-role.kubernetes.io/control-plane:NoSchedule
node-role.kubernetes.io/master:NoSchedule
node.kubernetes.io/disk-pressure:NoSchedule op=Exists
node.kubernetes.io/memory-pressure:NoSchedule op=Exists
node.kubernetes.io/not-ready:NoExecute op=Exists
node.kubernetes.io/pid-pressure:NoSchedule op=Exists
node.kubernetes.io/unreachable:NoExecute op=Exists
node.kubernetes.io/unschedulable:NoSchedule op=Exists
Events:
Type Reason Age From Message

---

Normal Scheduled 6m4s gke.io/optimize-utilization-scheduler Successfully assigned falcotwo/falco-vlbwl to gke-sre-wcpg-spot-1-1-node-pool-20230-23baa985-kdjc
Normal Pulling 6m4s kubelet Pulling image "docker.io/falcosecurity/falco-driver-loader:0.41.3"
Normal Pulled 5m36s kubelet Successfully pulled image "docker.io/falcosecurity/falco-driver-loader:0.41.3" in 16.285s (28.589s including waiting). Image size: 340852354 bytes.
Normal Created 5m36s kubelet Created container: falco-driver-loader
Normal Started 5m36s kubelet Started container falco-driver-loader
Normal Pulled 5m8s kubelet Container image "docker.io/falcosecurity/falcoctl:0.11.2" already present on machine
Normal Created 5m8s kubelet Created container: falcoctl-artifact-install
Normal Started 5m8s kubelet Started container falcoctl-artifact-install
Normal Created 4m52s kubelet Created container: falcoctl-artifact-follow
Normal Pulled 4m52s kubelet Container image "docker.io/falcosecurity/falcoctl:0.11.2" already present on machine
Normal Started 4m52s kubelet Started container falcoctl-artifact-follow
Warning Unhealthy 79s (x6 over 3m49s) kubelet Liveness probe failed: Get "http://10.128.18.9:8765/healthz": dial tcp 10.128.18.9:8765: connect: connection refused
Normal Killing 79s (x2 over 3m19s) kubelet Container falco failed liveness probe, will be restarted
Normal Created 49s (x3 over 4m52s) kubelet Created container: falco
Normal Started 49s (x3 over 4m52s) kubelet Started container falco
Normal Pulled 49s (x3 over 4m52s) kubelet Container image "docker.io/falcosecurity/falco:0.41.3" already present on machine
Warning Unhealthy 2s (x18 over 4m20s) kubelet Readiness probe failed: Get "http://10.128.18.9:8765/healthz": dial tcp 10.128.18.9:8765: connect: connection refused`

[vinayreddy-guda-exa]

@leogr Falco is up and running now. The pubsub subscription is feeding gke logs to falco using k8saudit-gke plugin. However, redis pod keeps on restarting every couple of hours and the data on sidekickUI interface is dynamic, meaning the data sometimes shows and sometimes there is no data for events and dropdowns for sources, tags etc., Please let me know if I have to customize memory for redis or any other setting. Your recommendations would be highly helpful.

I have updated values.yaml for working setup as attached.

values.yaml

I am using below command to start falco:
helm install falco falcosecurity/falco --namespace falco --create-namespace
-f values.yaml
--set tty=true
--set podPriorityClassName=falco-priority
--set falcosidekick.enabled=true
--set falcosidekick.priorityClassName=falco-priority
--set falcosidekick.webui.enabled=true
--set falcosidekick.webui.priorityClassName=falco-priority
--set falcosidekick.webui.redis.readinessProbe.initialDelaySeconds=30

[leogr]

I have configured k8saudit-gke plugin only. It is failing due to an error.

I meant without the syscall data source 👇

Thu Oct 9 09:31:20 2025: Loaded event sources: syscall, k8s_audit
Thu Oct 9 09:31:20 2025: Enabled event sources: k8s_audit, syscall

Here's an example of how the chart should be configured to use k8saudit only 👇
https://github.com/falcosecurity/charts/blob/master/charts/falco/values-k8saudit.yaml
You should just adapt it to use k8saudit-gke instead.