diff --git a/falco/README.md b/falco/README.md
index c23fe5343..4b66e4297 100644
--- a/falco/README.md
+++ b/falco/README.md
@@ -90,7 +90,7 @@ The following table lists the configurable parameters of the Falco chart and the
 | `ebpf.enabled` | Enable eBPF support for Falco instead of `falco-probe` kernel module | `false` |
 | `ebpf.path` | Path of the eBPF probe | ` ` |
 | `ebpf.settings.hostNetwork` | Needed to enable eBPF JIT at runtime for performance reasons | `true` |
-| `leastPrivileged.enabled` | Use capabilities instead of running a privileged container | `false` |
+| `leastPrivileged.enabled` | Use capabilities instead of running a privileged container. The kernel module driver can not be loaded if enabled. | `false` |
 | `auditLog.enabled` | Enable K8s audit log support for Falco | `false` |
 | `auditLog.dynamicBackend.enabled` | Deploy the Audit Sink where Falco listens for K8s audit log events | `false` |
 | `auditLog.dynamicBackend.url` | Define if Audit Sink client config should point to a fixed [url](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#url) (useful for development) instead of the default webserver service. | `` |
diff --git a/falco/values.yaml b/falco/values.yaml
index 40cfa13ca..a7c1b5343 100644
--- a/falco/values.yaml
+++ b/falco/values.yaml
@@ -118,6 +118,8 @@ ebpf:
 leastPrivileged:
 # Constrain Falco with capabilities instead of running a privileged container.
 # When used in conjunction with the eBPF driver, a kernel >= 5.8 is required.
+ # Loading the kernel module driver does NOT work with leastPrivileged.enabled.
+ # Ensure the module is already loaded, or the eBPF driver is enabled.
 enabled: false
 auditLog:
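Review bot: The two comment lines added under `leastPrivileged:` in values.yaml state the constraint but leave it unenforced: as far as this diff shows, `leastPrivileged.enabled: true` with `ebpf.enabled: false` still renders and installs on a node where the module is not preloaded. That presumably leaves Falco without a working driver there, which is a silent monitoring gap rather than an install error. A preloaded module is a valid setup, so a hard template failure would be too strict; a post-install warning in the chart's NOTES.txt for that combination would surface it, and the comment could add `# Otherwise Falco has no driver to capture syscalls; check the pod logs after install.`. The templates are outside this diff, so an existing guard cannot be ruled out.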