Skip to content
hands-on lab

Detect Threats in a Kubernetes Cluster with Falco

Difficulty: Beginner
Duration: Up to 35 minutes
Students: 25
Rating: 5/5
Start lab
On average, students complete this lab in20m
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.
About
Author

Description

Falco is a cloud-native security tool that leverages custom rules to produce real-time alerting. Falco is designed for Linux systems and utilizes kernel events along with metadata from Kubernetes and containers to improve overall visibility.

This lab focuses on Falco rules. Falco is highlighted as a reference tool in the Certified Kubernetes Security Specialist (CKS) exam. You will learn how to configure a custom rule and how it is outputted in this lab.

Learning objectives

Upon completion of this lab, you will be able to:

  • Activate the Falco service
  • Customize the alerting output of a rule
  • Execute commands to verify the rule is working correctly

Intended audience

  • Candidates for the Certified Kubernetes Security Specialist (CKS) exam
  • DevOps Engineers
  • Security Practitioners

Prerequisites

Familiarity with the following will be beneficial but is not required:

  • Kubernetes Pods
  • kubectl output formatting

The following content can be used to fulfill the prerequisites:

Updates

June 26th, 2025 - Updated to run Kubernetes 1.33

July 13th, 2024 - Updated cluster to Kubernetes 1.30

Environment before

Environment after

Covered topics

Containers
DevOps
Security
Deployment
Compute
Operating System
Kubernetes
Linux
Hands-on Lab UUID

Lab steps

Connecting to the Kubernetes Cluster
Activate Falco
Customize a Falco Rule

Lab Rules