talos-cluster/deployments/security-monitoring/falco-app.yaml

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: falco
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: https://falcosecurity.github.io/charts
    chart: falco
    targetRevision: 3.9.0
    helm:
      releaseName: falco
      values: |
        ## Falco configuration
        falco:
          config:
            ## Log output
            json_output: true
            json_include_output_property: true
            ## Log stdout + webhook for Wazuh integration
            programs_output:
              - enabled: true
                keep_alive: false
                executor: /etc/falco/webhook.sh
            file_output:
              - enabled: true
                keep_alive: false
                filename: /var/log/falco/falco.log
            syscall_event_drops:
              enable_outputs: true
              max_percentage_lost: 20.0
              rate: 10
            base_syscalls:
              enable_outputs: false
            buffers_pmem: false
            syscall_buffer_num_pages: 256

          ## Falco host mount
          hostNetwork: true
          hostPID: true
          tolerations:
            - key: node-role.kubernetes.io/control-plane
              operator: Exists
              effect: NoSchedule
            - key: node-role.kubernetes.io/master
              operator: Exists
              effect: NoSchedule
          resources:
            requests:
              cpu: "200m"
              memory: "256Mi"
            limits:
              cpu: "1"
              memory: "512Mi"

  destination:
    server: https://kubernetes.default.svc
    namespace: falco

  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true