Installation in k8s with Helm

How to install Falco Talon in Kubernetes with Helm

Helm

The helm chart is available on the official falcosecurity/charts repository. Two main config files are provided:

values.yaml allows you to configure the static settings of Falcon Talon and its deployment
rules.yaml contains the rules to set

Info

If your values.yaml contains watchRules: true, the changes in the rules are detected and the Falco Talon pods will automatically reload their configuration.

Install

To install Falco Talon, first add the chart repository:

helm repo add falcosecurity https://falcosecurity.github.io/charts

In case you already have the remote repository configured, updated it:

helm repo update falcosecurity

Now, just deploy falcosecurity/falco-talon chart:

helm upgrade --install falco-talon falcosecurity/falco-talon

After deploying, you can check if pods are running properly:

kubectl get pods -n <namespace> | grep falco-talon

Installing as a Falco sub-dependency

To install Talon as a Falco sub-dependency like Sidekick, simply change your Falco values.yaml:

responseActions:
  enabled: true

falco-talon:
  ## example configuration with rulesOverride
  config:
    rulesOverride: |
      - action: Terminate Pod
        actionner: kubernetes:terminate
        parameters:
          ignore_daemonsets: true
          ignore_statefulsets: true
          grace_period_seconds: 20
      - rule: Terminal shell in container
        description: >
          Label the pod outside kube-system and falco namespaces if a shell is started inside
        match:
          rules:
          - Terminal shell in container
          output_fields:
          - k8s.ns.name!=kube-system, k8s.ns.name!=falco
        actions:
          - action: Terminate Pod

OBS: This requires version 6.0.0 at least of Falco chart.

Last modified June 14, 2025: feat: add instructions for deploying Talon as Falco subchart (#20) (2db680d)