Summary
The Falco Edera plugin (libedera_falco_plugin.so) receives events from an active Edera zone but never registers the zone as "known." Every event produces the warning ignoring event for unknown zone "<uuid>" and all edera_zone source Falco rules are silently skipped. The zone is healthy and running workloads, the plugin just never discovers it.
Impact
Zone-level Falco rules (source: edera_zone) never fire. Host syscall rules (source: syscall) work correctly, the issue is limited to
in-zone detection.
Environment
| Component |
Version / Detail |
| EKS |
Kubernetes v1.34.2-eks-ecaa3a6 |
| Node AMI |
(Amazon Linux 2023.9.20251208) |
| Node kernel |
6.1.159 |
| Instance type |
t3.2xlarge |
| Region |
us-west-2 |
| Container runtime |
containerd 2.1.5 |
| RuntimeClass |
edera (handler: edera) |
| Falco |
0.43.0 (Libs 0.23.1, Plugin API 3.12.0, Engine 0.58.0) |
| Edera plugin |
/var/lib/edera/protect/falco/libedera_falco_plugin.so |
| Edera daemon socket |
/var/lib/edera/protect/daemon.socket |
Zone Pod Under Test
Pod: vllm-server-isolated (Deployment, namespace default)
metadata:
annotations:
dev.edera/kernel: ghcr.io/edera-dev/zone-kernel:6.16
dev.edera/resource-policy: "static"
spec:
runtimeClassName: edera
containers:
- name: vllm
image: python:3.11-slim
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "400Mi"
cpu: "500m"
- name: kernel-observer
image: ...
resources:
requests:
memory: "32Mi"
cpu: "25m"
limits:
memory: "64Mi"
cpu: "100m"Falco Helm Configuration
Deployed via Helm with the following Edera-specific values:
mounts:
volumes:
- name: edera-plugin
hostPath:
path: /var/lib/edera/protect/falco
- name: edera-daemon-socket
hostPath:
path: /var/lib/edera/protect
volumeMounts:
- name: edera-plugin
mountPath: /var/lib/edera/protect/falco
readOnly: true
- name: edera-daemon-socket
mountPath: /var/lib/edera/protect
readOnly: false
falco:
plugins:
- name: edera
library_path: /var/lib/edera/protect/falco/libedera_falco_plugin.so
init_config:
mirror_host_syscalls: true
load_plugins: [edera]Edera Daemon Configuration
From /var/lib/edera/protect/daemon.toml:
[oci]
docker-hub-mirror = "index.docker.io"
[zone]
cache-default-kernel = true
cache-default-initrd = true
memory-limit-mb = 1024
[network]
nameservers = ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"]
[network.ipv4]
subnet = "10.75.0.0/16"
[network.ipv6]
subnet = "fdd4:1476:6c7e::/48"
Symptoms
Falco logs are saturated with a single repeating warning (hundreds per second):
Wed Jan 28 22:44:32 2026: [libs]: edera: [WARN] ignoring event for unknown zone "6bbf9d82-6bfe-441e-b625-d9129ee89b6a"
Wed Jan 28 22:44:32 2026: [libs]: edera: [WARN] ignoring event for unknown zone "6bbf9d82-6bfe-441e-b625-d9129ee89b6a"
Wed Jan 28 22:44:32 2026: [libs]: edera: [WARN] ignoring event for unknown zone "6bbf9d82-6bfe-441e-b625-d9129ee89b6a"
... (continuous, every log line)
- No Falco startup lines are visible in
--tail=5000 — the log buffer is entirely consumed by this warning.
- Previous pod logs (
--previous) are not available.
Reproduction Steps
- Deploy Edera Protect on an EKS node (AMI above).
- Install Falco via Helm with the Edera plugin values shown above.
- Deploy a pod with
runtimeClassName: edera and annotation dev.edera/kernel: ghcr.io/edera-dev/zone-kernel:6.16.
- Wait for the pod to reach
Running state.
- Check Falco logs:
kubectl logs -n falco -l app.kubernetes.io/name=falco -c falco --tail=30
- Observe continuous "unknown zone" warnings for the zone UUID.
What Was Tried
- Restarting Falco (
kubectl rollout restart daemonset/falco -n falco) zone remains unknown after restart.
- Deleting and recreating the isolated pod — new pod, same behavior.
- Verified daemon socket present and accessible at
/var/lib/edera/protect/daemon.socket.
- Verified plugin file
libedera_falco_plugin.so exists (5.2 MB) and Falco loads it (confirmed in earlier logs before buffer saturation).
- Verified host syscall detection Falco rules with
source: syscall fire correctly (e.g., Proc Environ Read triggered successfully during demo attack).
Summary
The Falco Edera plugin (
libedera_falco_plugin.so) receives events from an active Edera zone but never registers the zone as "known." Every event produces the warningignoring event for unknown zone "<uuid>"and alledera_zonesource Falco rules are silently skipped. The zone is healthy and running workloads, the plugin just never discovers it.Impact
Zone-level Falco rules (
source: edera_zone) never fire. Host syscall rules (source: syscall) work correctly, the issue is limited toin-zone detection.
Environment
edera(handler:edera)/var/lib/edera/protect/falco/libedera_falco_plugin.so/var/lib/edera/protect/daemon.socketZone Pod Under Test
Pod:
vllm-server-isolated(Deployment, namespacedefault)Falco Helm Configuration
Deployed via Helm with the following Edera-specific values:
Edera Daemon Configuration
From
/var/lib/edera/protect/daemon.toml:Symptoms
Falco logs are saturated with a single repeating warning (hundreds per second):
--tail=5000— the log buffer is entirely consumed by this warning.--previous) are not available.Reproduction Steps
runtimeClassName: ederaand annotationdev.edera/kernel: ghcr.io/edera-dev/zone-kernel:6.16.Runningstate.kubectl logs -n falco -l app.kubernetes.io/name=falco -c falco --tail=30What Was Tried
kubectl rollout restart daemonset/falco -n falco) zone remains unknown after restart./var/lib/edera/protect/daemon.socket.libedera_falco_plugin.soexists (5.2 MB) and Falco loads it (confirmed in earlier logs before buffer saturation).source: syscallfire correctly (e.g.,Proc Environ Readtriggered successfully during demo attack).