InternalDeveloperPlatform · olivercodes · Feb 23, 2026 · Feb 13, 2026
diff --git a/workshop/secops/README.md b/workshop/secops/README.md
@@ -73,8 +73,7 @@ helm install falco falcosecurity/falco \
   --namespace falco-system \
   --create-namespace \
   --set driver.kind=modern_ebpf \
-  --set falco.grpc.enabled=true \
-  --set falco.grpcOutput.enabled=true
+  --set falcosidekick.enabled=true
 ```
 
 **Verify Falco Installation**:
@@ -127,8 +126,7 @@ Now let's add custom security rules for detecting specific threats:
 helm upgrade falco falcosecurity/falco \
   --namespace falco-system \
   --set driver.kind=modern_ebpf \
-  --set falco.grpc.enabled=true \
-  --set falco.grpcOutput.enabled=true \
+  --set falcosidekick.enabled=true \
   --set-file customRules."custom_rules\.yaml"=./root-detect-rule.yaml
 ```
 
@@ -153,13 +151,13 @@ Create a security constraint template that works with Falco:
 
 ```bash
 # Apply security constraint template
-kubectl apply -f security-constraint-template.yaml
+kubectl apply -f constraint-template.yaml
 ```
 
 **Verify the template**:
 ```bash
 # Check that security template is created
-kubectl get constrainttemplates | grep -i security
+kubectl get constrainttemplates | grep -i falco
 
 # Should show the new security template
 ```
@@ -176,16 +174,16 @@ Apply the constraint that uses our security template:
 
 ```bash
 # Apply security constraint
-kubectl apply -f security-constraint.yaml
+kubectl apply -f constraint.yaml
 ```
 
 **Verify constraint is enforcing**:
 ```bash
 # Check that constraint exists and is active
-kubectl get constraints | grep -i security
+kubectl get constraints | grep -i falco
 
 # Check constraint status
-kubectl describe constraint <security-constraint-name>
+kubectl describe constraint
 ```
 
 ### Step 6: Test Security Detection and Prevention
@@ -211,18 +209,18 @@ kubectl logs -n falco-system daemonset/falco | tail -20
 **Test 2: Admission Prevention (Gatekeeper)**
 ```bash
 # This should FAIL - blocked by security constraint
-kubectl apply -f deployment-insecure.yaml
+kubectl apply -f deployment.yaml
 
 # Expected error about security policy violations
 ```
 
 **Test 3: Compliant Deployment**
 ```bash
 # This should SUCCEED - meets security requirements
-kubectl apply -f deployment-secure.yaml
+kubectl apply -f deployment-works.yaml
 
 # Verify deployment
-kubectl get deployment secure-app
+kubectl get deployment secure-nonroot-app
 ```
 
 ## ✅ Verification Steps
@@ -245,13 +243,13 @@ kubectl logs -n falco-system daemonset/falco | grep "custom_rules"
 **2. Security Constraints**:
 ```bash
 # Verify security constraint template exists
-kubectl get constrainttemplates | grep -i security
+kubectl get constrainttemplates | grep -i falco
 
 # Verify security constraint is enforcing
-kubectl get constraints | grep -i security
+kubectl get constraints | grep -i falco
 
 # Test constraint enforcement
-kubectl apply -f deployment-insecure.yaml
+kubectl apply -f deployment.yaml
 # Should be blocked with security violations
 ```
 
@@ -263,13 +261,13 @@ kubectl run security-test --image=busybox --rm -it -- sh
 # Check logs: kubectl logs -n falco-system daemonset/falco | tail -5
 
 # Test admission prevention
-kubectl apply -f deployment-insecure.yaml
+kubectl apply -f deployment.yaml
 # Should fail with security policy errors
 
 # Test compliant deployment
-kubectl apply -f deployment-secure.yaml
+kubectl apply -f deployment-works.yaml
 # Should succeed
-kubectl get deployment secure-app
+kubectl get deployment secure-nonroot-app
 ```
 
 ### Success Criteria ✅

diff --git a/workshop/secops/root-detect-rule.yaml b/workshop/secops/root-detect-rule.yaml
@@ -1,53 +1,46 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: falco-root-detection
-  namespace: falco-system
-data:
-  custom_rules.yaml: |
-    # Custom rule to detect containers running as root
-    - rule: Container Running as Root
-      desc: Detect containers that are running with root privileges
-      condition: >
-        spawned_process and
-        container and
-        proc.pname != "pause" and
-        user.uid = 0 and
-        not user_known_root_container_exceptions
-      output: >
-        Container running as root detected (user=%user.name uid=%user.uid command=%proc.cmdline
-        container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
-      priority: WARNING
-      tags: [container, root, security]
+# Custom rule to detect containers running as root
+- rule: Container Running as Root
+  desc: Detect containers that are running with root privileges
+  condition: >
+    spawned_process and
+    container and
+    proc.pname != "pause" and
+    user.uid = 0 and
+    not user_known_root_container_exceptions
+  output: >
+    Container running as root detected (user=%user.name uid=%user.uid command=%proc.cmdline
+    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  priority: WARNING
+  tags: [container, root, security]
 
-    # Exception list for legitimate root containers (customize as needed)
-    - list: root_container_exceptions
-      items: [
-        "falco",
-        "node-exporter",
-        "kube-proxy",
-        "calico-node",
-        "flannel"
-      ]
+# Exception list for legitimate root containers (customize as needed)
+- list: root_container_exceptions
+  items: [
+    "falco",
+    "node-exporter",
+    "kube-proxy",
+    "calico-node",
+    "flannel"
+  ]
 
-    # Macro to define exceptions
-    - macro: user_known_root_container_exceptions
-      condition: >
-        (container.image.repository in (root_container_exceptions)) or
-        (k8s.ns.name in ("kube-system", "kube-public", "falco-system"))
+# Macro to define exceptions
+- macro: user_known_root_container_exceptions
+  condition: >
+    (container.image.repository in (root_container_exceptions)) or
+    (k8s.ns.name in ("kube-system", "kube-public", "falco-system"))
 
-    # Additional rule for detecting root process execution in non-system namespaces
-    - rule: Root Process in User Namespace
-      desc: Detect root processes in user namespaces (non-system)
-      condition: >
-        spawned_process and
-        container and
-        user.uid = 0 and
-        not k8s.ns.name in ("kube-system", "kube-public", "falco-system", "default") and
-        not user_known_root_container_exceptions
-      output: >
-        Root process detected in user namespace (user=%user.name uid=%user.uid command=%proc.cmdline
-        container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag
-        namespace=%k8s.ns.name)
-      priority: HIGH
-      tags: [container, root, security, namespace]
+# Additional rule for detecting root process execution in non-system namespaces
+- rule: Root Process in User Namespace
+  desc: Detect root processes in user namespaces (non-system)
+  condition: >
+    spawned_process and
+    container and
+    user.uid = 0 and
+    not k8s.ns.name in ("kube-system", "kube-public", "falco-system", "default") and
+    not user_known_root_container_exceptions
+  output: >
+    Root process detected in user namespace (user=%user.name uid=%user.uid command=%proc.cmdline
+    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag
+    namespace=%k8s.ns.name)
+  priority: CRITICAL
+  tags: [container, root, security, namespace]