Introduction
As Kubernetes environments grow, it becomes harder to understand what workloads actually do at runtime. Scans and admission controls validate configurations, but not how applications behave once they are running.
On Oracle Container Engine for Kubernetes (OKE), where workloads scale quickly and teams deploy independently, runtime visibility becomes essential.
Falco fills this gap by monitoring system calls in real time and alerting you when containers behave unexpectedly – spawning shells, modifying files, or making unusual network connections.

Runtime Security with Falco
In OKE, workloads move fast. Even when the cluster looks healthy, containers may perform actions that CI/CD pipelines never detect:
– a container launches an unexpected interactive shell
– a process accesses sensitive system files
– a workload connects to an unknown external IP
– a script modifies files inside the container
– a pod runs binaries not included in its image
– etc.
Falco detects these behaviors as they occur. Running as a DaemonSet on OKE worker nodes, it provides continuous runtime awareness without requiring changes to your applications.
Examples in Practice
Shells spawned inside containers
Why Falco Matters
- Real-time detection -> immediate alerts when workloads behave outside expectations.
- Improved visibility -> clear insight into system calls, file activity, and network actions.
- Lower operational risk -> issues are detected early, before they escalate.
- Integration with OCI -> Falco events can be forwarded through Sidekick to OCI Logging, Notifications, etc.
- Support for developers -> Falco observes runtime behavior automatically — no extra instrumentation needed.
Falco Sidekick and UI
Falco Sidekick forwards events to destinations such as OCI Logging, Slack, Elasticsearch, S3, Datadog, and more.
It also includes Falco Sidekick UI, a lightweight interface for viewing, searching, and filtering alerts. In OKE, this creates a simple pipeline: Falco → Sidekick → Sidekick UI / Logging / Notifications → Response.
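To make the pipeline concrete, here is an added Python example (not code from the page or from the repository's automation) that consumes Falco's newline-delimited JSON output, drops events below a minimum priority the way a forwarder filter would, and groups what remains per namespace/pod so a responder sees the worst rule hit per workload. The sample events, pod names and image names are constructed for the example; the rule names and field names follow Falco's output format.

```python
import json

# Falco priority levels from most to least severe (Falco's own ordering).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# Constructed sample of Falco JSON output (json_output: true); one malformed line
# is included to show that a broken record from a log forwarder is skipped.
SAMPLE_EVENTS = """\
{"time":"2024-05-01T10:00:00Z","priority":"Notice","rule":"Terminal shell in container","source":"syscall","output":"A shell was spawned in a container with an attached terminal","output_fields":{"container.id":"3f1e2d4c5b6a","container.image.repository":"example/api","proc.name":"bash","user.name":"root","k8s.ns.name":"prod","k8s.pod.name":"api-7c9d"}}
not-json: forwarder hiccup
{"time":"2024-05-01T10:00:05Z","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","output":"Sensitive file opened for reading by non-trusted program","output_fields":{"container.id":"3f1e2d4c5b6a","container.image.repository":"example/api","proc.name":"cat","fd.name":"/etc/shadow","k8s.ns.name":"prod","k8s.pod.name":"api-7c9d"}}
{"time":"2024-05-01T10:00:09Z","priority":"Informational","rule":"Container Drift Detected (open+create)","source":"syscall","output":"Drift detected","output_fields":{"container.id":"9a8b7c6d5e4f","container.image.repository":"example/worker","proc.name":"curl","fd.name":"/tmp/x","k8s.ns.name":"batch","k8s.pod.name":"worker-1"}}
"""

def severity(priority: str) -> int:
    """Higher number means more severe; unknown strings rank below Debug."""
    p = priority.capitalize()
    return len(PRIORITIES) - PRIORITIES.index(p) if p in PRIORITIES else 0

def parse_events(text: str) -> list:
    """Parse newline-delimited Falco JSON, skipping lines that are not valid events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: drop it rather than abort the whole batch
        if isinstance(ev, dict) and "rule" in ev and "priority" in ev:
            events.append(ev)
    return events

def triage(events: list, min_priority: str = "Notice") -> dict:
    """Group events per namespace/pod, keeping the rules hit and the worst priority seen.
    Events below min_priority are discarded, like a minimum-priority filter in a forwarder."""
    by_pod = {}
    for ev in events:
        if severity(ev["priority"]) < severity(min_priority):
            continue
        f = ev.get("output_fields", {})
        key = f"{f.get('k8s.ns.name', '?')}/{f.get('k8s.pod.name', '?')}"
        entry = by_pod.setdefault(key, {"image": f.get("container.image.repository"),
                                        "rules": [], "worst": "Debug"})
        entry["rules"].append(ev["rule"])
        if severity(ev["priority"]) > severity(entry["worst"]):
            entry["worst"] = ev["priority"]
    return by_pod

if __name__ == "__main__":
    for pod, info in triage(parse_events(SAMPLE_EVENTS)).items():
        print(f"{pod} image={info['image']} worst={info['worst']} rules={info['rules']}")
```

Lowering `min_priority` to "Informational" brings the drift event for `batch/worker-1` into the summary, which is the knob to turn when tuning how much noise reaches the UI or OCI Logging.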
How to Get Started
We provide a simple automation that deploys an OKE cluster with Falco, Falco Sidekick, and Sidekick UI preinstalled.
Using the Resource Manager stack in the repository, you can:
– deploy OKE with Falco in minutes,
– trigger runtime behaviors to test detections,
– view alerts directly in the Sidekick UI.
The README file includes sample tests for generating Falco alerts and exploring how everything works on OKE.
Conclusion
Falco gives OKE clusters the runtime visibility that static checks can’t provide. With real-time alerts, Sidekick integrations, and a simple UI, it becomes easy to see when containers behave unexpectedly. It installs cleanly as a DaemonSet and works without changing your workloads, making it a practical way to strengthen security and detect issues early.
