Runtime Security

What you’ll accomplish

You’ll verify and tune the HA defaults for Falco and Falcosidekick, ensuring runtime threat detection and alert delivery remain available during node failures or pod rescheduling.

Falco detects runtime threats like unexpected process execution, file access, and network connections. If Falcosidekick — the component responsible for delivering those detections to your SIEM, Alertmanager, or chat integrations — loses a replica, alerts may be delayed or dropped entirely. Ensuring redundancy in the alert delivery path means your security team never misses a detection.

Prerequisites

• UDS CLI installed
• Access to a Kubernetes cluster (multi-node, multi-AZ recommended)

Before you begin

Falco runs as a DaemonSet — one pod per node — so it automatically scales with your cluster. No replica configuration is needed for Falco itself.

Falcosidekick — the component that fans out alerts to your configured destinations — runs with 2 replicas by default for HA.

Steps

1. Tune Falcosidekick replicas and resources

   To adjust the replica count for environments with higher alert volume or stricter delivery requirements:

   uds-bundle.yaml

   packages:
     - name: core
       repository: registry.defenseunicorns.com/public/core
       ref: x.x.x-upstream
       overrides:
         falco:
           falco:
             values:
               # Number of Falcosidekick alert processing replicas
               - path: falcosidekick.replicaCount
                 value: 3
               # Falcosidekick resources (adjust for your environment)
               - path: falcosidekick.resources
                 value:
                   requests:
                     cpu: 100m
                     memory: 128Mi
                   limits:
                     cpu: 200m
                     memory: 256Mi

   Tip

   For most production deployments, the default of 2 replicas is sufficient. Increase only if you are routing alerts to many external destinations simultaneously and observe delivery latency.

   For the full list of Falcosidekick helm values, see the Falcosidekick chart documentation.

2. Tune Falco resources

   Falco’s resource needs depend on the number of syscall events being processed. For nodes with high workload density, increase the default allocation:

   uds-bundle.yaml

   packages:
     - name: core
       repository: registry.defenseunicorns.com/public/core
       ref: x.x.x-upstream
       overrides:
         falco:
           falco:
             values:
               # Falco DaemonSet resources (adjust for your environment)
               - path: resources
                 value:
                   requests:
                     cpu: 100m
                     memory: 512Mi
                   limits:
                     cpu: 1000m
                     memory: 1Gi

   Note

   If you have multiple event sources enabled in Falco, consider increasing the CPU limits. See the Falco chart documentation for the full list of helm values.

3. Create and deploy your bundle

   uds create <path-to-bundle-dir>
   uds deploy uds-bundle-<name>-<arch>-<version>.tar.zst

Verification

# Check Falcosidekick replicas
uds zarf tools kubectl get pods -n falco -l app.kubernetes.io/name=falcosidekick

# Verify Falco DaemonSet coverage (one pod per node)
uds zarf tools kubectl get pods -n falco -l app.kubernetes.io/name=falco -o wide

Success criteria:

• Falcosidekick shows the expected number of replicas (default: 2), all Running
• Falco DaemonSet has one pod per node

Troubleshooting

Problem: Falcosidekick alerts not reaching external destinations

Symptoms: Alerts appear in Falco logs but do not arrive in Slack, SIEM, or other configured destinations.

Solution: Check Falcosidekick logs for delivery errors:

uds zarf tools kubectl logs -n falco -l app.kubernetes.io/name=falcosidekick --tail=50

Common causes include network policies blocking outbound traffic and incorrect webhook URLs.

Related Documentation

• Falco Helm Chart — full list of Falco helm values
• Falcosidekick Helm Chart — full list of Falcosidekick helm values
• Falco: Default Rules Reference — built-in detection rules
• Falco: Outputs and Alerting — how Falco delivers alerts to Falcosidekick and other destinations
• Falcosidekick: Configuration — supported output destinations and tuning options

Next steps

These guides and concepts may be useful to explore next:

Configure HA for Service Mesh Verify Istio control plane resilience and pod distribution across nodes.

Runtime Security concepts Background on how Falco and Falcosidekick work in UDS Core.