Runtime Security Migration Guide
This guide describes how to migrate to the new default runtime security posture in UDS Core, where Falco is the required solution and NeuVector is no longer managed by UDS Core.
UDS Core now:
- Includes Falco by default in the core-runtime-security layer.
- Does not manage NeuVector. If you still need NeuVector, deploy it as a standalone package.
Different Scenarios
- Falco only (remove legacy NeuVector on upgrade)
  - Enable the cleanup gate during runtime-security deploy to remove legacy NeuVector resources (upgrade-only):
    - Runtime Security Package:
        zarf package deploy packages/runtime-security --set CLEANUP_LEGACY_NEUVECTOR=true --confirm
    - Standard package:
        zarf package deploy packages/standard --set CLEANUP_LEGACY_NEUVECTOR=true --confirm
    - Use a uds-config.yaml to set at the bundle level:
        variables:
          core:
            CLEANUP_LEGACY_NEUVECTOR: "true"
  - This deletes the legacy neuvector namespace and any CRDs whose names contain neuvector if they exist.
- Falco + NeuVector (keep NeuVector)
  - Do NOT enable the cleanup gate.
  - Deploy NeuVector as a standalone package and follow its upgrade guidance:
    - See: Standalone NeuVector
  - Outcome: both Falco and NeuVector run together.
- NeuVector only (no Falco)
  - Omit the core-runtime-security layer and follow the standalone NeuVector guide:
    - See: Standalone NeuVector
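
A pre-flight check for the Falco-only scenario above, as an added example that is not part of the UDS Core documentation: it lists what the cleanup gate would delete (the neuvector namespace and any CRDs whose names contain neuvector) and exports existing custom resources first, since deleting a CRD also deletes its objects. It assumes kubectl targets the cluster being upgraded; the function names, the neuvector-backup directory and the sample CRD listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: preview what CLEANUP_LEGACY_NEUVECTOR=true would remove.
# Usage: bash <this-script> preview [backup-dir]
# Changes nothing in the cluster; only reads from it and writes local YAML files.

# Filter `kubectl get crd -o name` output (stdin) down to CRDs whose names
# contain "neuvector", printing the bare CRD name without the resource prefix.
neuvector_crds() {
  sed 's|^customresourcedefinition\.apiextensions\.k8s\.io/||' | grep -F neuvector || true
}

# Constructed sample listing so the filter can be checked offline.
sample_crd_listing() {
  cat <<'EOF'
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io
customresourcedefinition.apiextensions.k8s.io/nvsecurityrules.neuvector.com
customresourcedefinition.apiextensions.k8s.io/packages.uds.dev
customresourcedefinition.apiextensions.k8s.io/nvadmissioncontrolsecurityrules.neuvector.com
EOF
}

# Report the namespace and CRDs in scope for cleanup and back up custom resources.
preview_cleanup() {
  local backup_dir="${1:-neuvector-backup}"   # hypothetical output directory
  mkdir -p "$backup_dir"
  if kubectl get namespace neuvector >/dev/null 2>&1; then
    echo "namespace/neuvector exists and would be deleted, including:"
    kubectl get all -n neuvector
  else
    echo "namespace/neuvector not found"
  fi
  kubectl get crd -o name | neuvector_crds | while read -r crd; do
    echo "CRD $crd would be deleted, along with its custom resources"
    # Export existing custom resources (for example, security rules) first.
    kubectl get "$crd" --all-namespaces -o yaml > "$backup_dir/$crd.yaml"
  done
}

# Only touch the cluster when explicitly asked to.
if [ "${1:-}" = "preview" ]; then
  preview_cleanup "${2:-}"
fi
```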