Falco pod initcontainer is not working. curl: (22) The requested URL returned error: 404

Question

I am trying to install falco on my kubernetes cluster with helm chart. I am deploying as Deamonset and using ebpf but getting error on my init containers. What should I do?

This is my values yaml

Answer 1

You are getting this error message due to not having the kernel headers installed so the eBPF driver can be compiled.

Before compiling the eBPF driver, the loader script tries to download it from https://download.falco.org, but it doesn't find it because the Oracle Linux distribution is not officially supported (it is not offered as a prebuilt driver, to be more precise).

The quickest solution would be to install the Kernel Drivers on each Kubernetes node, so Falco can compile the driver the next time it tries to start.

It is also possible to use the project Driverkit to build Falco drivers on your own (as the Falco project does) and make them available somewhere else, but then you'd need to pass the URL for the driver to the Helm Chart. This avoids polluting the system with packages you'd need only once.

You are also welcome to contribute to the project by adding support for the Oracle Linux distribution, which is relatively simple since it is quite similar to the Red Hat distribution. Once it is supported, the drivers will be available to anyone using the same kernel/distribution.

For further information, you can visit the Falco Slack channel and ask for help there, or ping anyone in the community