We are attempting to set up Kubernetes collection on our GKE Cluster using this link:
The installation has been completed, but our Falco container is crashing and collection-falco is showing a "CrashLoopBackOff" error in the GKE panel, as below:
The root cause of the issue is that in the falco-overrides.yaml file the eBPF package is not enabled.
Google Kubernetes Engine (GKE) uses Container-Optimized OS (COS) as the default operating system for its worker node pools. COS is a security-enhanced operating system that limits access to certain parts of the underlying OS.
Because of this security constraint, Falco cannot insert its kernel module to process events for system calls. However, COS provides the ability to leverage eBPF (extended Berkeley Packet Filter) to supply the stream of system calls to the Falco engine. eBPF is currently supported only on GKE and COS. More details here.
GKE, uncomment the following lines in the file
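As an added example (not part of the original post), here is a falco-overrides.yaml fragment that puts the chart's kernel-module default next to the eBPF setting a COS node pool needs. The `falco:` parent key and the `ebpf.enabled` value are assumptions about the Falco Helm chart version in use; the post does not show the lines themselves.

```yaml
# Added example: Helm values for Falco on a GKE node pool running Container-Optimized OS.
# ASSUMPTION: Falco is deployed as a subchart under the `falco:` key, and this chart
# version selects the syscall source with `ebpf.enabled` (newer charts use `driver.kind`).

# Before: the chart default loads the Falco kernel module. COS does not allow the module
# to be inserted, so the falco container exits and the pod ends up in CrashLoopBackOff.
# falco:
#   ebpf:
#     enabled: false

# After: feed the Falco engine from the eBPF probe, which COS permits.
falco:
  ebpf:
    enabled: true
```

After upgrading the release with this file, the collection-falco pod should stop restarting, and the falco container's log reports which driver it loaded.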