I am using the bpf probe for the driver.kind. I started seeing this failure when I upgraded the Falco base image from 0.35.1 to 0.36.2. This new version works in a VM environment but fails in our k8s clusters. Is there any reason that the pod needs to be running with elevated security privileges?
kubectl logs -n falco falco-c5xp9
2023/12/06 20:49:25 Command [/falco-coapp] with parameters [[]] started with PID: 13
2023/12/06 20:49:25 Command [/usr/bin/falco] with parameters [[]] started with PID: 14
Wed Dec 6 20:49:25 2023: 'output.rate' config is deprecated and it will be removed in Falco 0.37
2023-12-06T20:49:25+0000: Falco version: 0.36.2 (aarch64)
2023-12-06T20:49:25+0000: Falco initialized with configuration file: /etc/falco/falco.yaml
2023-12-06T20:49:25+0000: Loading rules from file /etc/falco/falco_heartbeat_rules.yaml
2023-12-06T20:49:25+0000: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
2023-12-06T20:49:25+0000: Loaded event sources: syscall
2023-12-06T20:49:25+0000: Enabled event sources: syscall
2023-12-06T20:49:25+0000: Opening 'syscall' source with BPF probe. BPF probe path: /root/.falco/falco-bpf.o
2023-12-06T20:49:25+0000: An error occurred in an event source, forcing termination...
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
Error: failure populating program array: Operation not permitted
2023/12/06 20:49:25 Wait for command [/usr/bin/falco] failed; Error: exit status 1
falco exited
Expecting Falco to start up, as it used to work with version 0.35.1. I tried running the 0.36.2 image in the VM setup to make sure that nothing is wrong with my Falco configuration.