falco: plugin "k8saudit-eks" No such file or directory. Exiting. issue
Hi, The new plugin “k8saudit-eks” is not working as expected, causing a “CrashLoopBackOff” error with the message “Runtime error: cannot load plugin /usr/share/falco/plugins/libk8saudit-eks.so: can’t load plugin dynamic library: /usr/share/falco/plugins/libk8saudit-eks.so: cannot open shared object file: No such file or directory. Exiting.” when trying to get audit logs from EKS.
The steps to reproduce the bug are as follows:

The following configuration file is used, values-falco-syscall-k8saudit.yaml:

```yaml
driver:
  enabled: false

collectors:
  enabled: false

controller:
  kind: deployment

services:
  - name: k8saudit-webhook
    type: NodePort
    ports:
      - port: 9765 # See plugin open_params
        nodePort: 30007
        protocol: TCP

falco:
  rules_file:
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/rules.d
  plugins:
    - name: k8saudit-eks
      library_path: libk8saudit-eks.so
      init_config:
        region: "<<region>>"
        profile: "default"
        shift: 10
        polling_interval: 10
        use_async: false
        buffer_size: 500
      open_params: "<<cluster>>"
    - name: json
      library_path: libjson.so
      init_config: ""
  load_plugins: [k8saudit-eks, json]
```

Run the following command:

```
sudo helm install --values=values-falco-syscall-k8saudit.yaml --set falcosidekick.enabled=true --set auditLog.enabled=true --namespace falco --create-namespace falco falcosecurity/falco
```
Environment
- Falco version: 0.33.1 (x86_64)
- Cloud provider or hardware configuration: AWS
- Installation method: Helm
I attempted to retrieve triggered rules using the “k8saudit” plugin. However, the plugin is not functioning as expected for the EKS environment, and I have not been able to receive events from the audit logs (such as namespace creation, deletion, etc.).
Thanks, Eran
About this issue
- State: closed
- Created a year ago
- Comments: 22 (10 by maintainers)
Hi @eranp22, please try the latest release: 0.34.1.

It works thanks to your support!
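The crash reported in this issue comes from a `library_path` entry whose shared object is not present in the plugin directory. The shell function below is an added example, not code from this thread or from the Falco project: `missing_plugin_libs` is a hypothetical helper that lists such entries before Falco is started, and its default directory is the one shown in the error message above.

```shell
#!/bin/sh
# Added example: report plugin libraries named in a Falco values/config file
# that do not exist on disk.
# Assumption: a relative library_path resolves against the plugin directory,
# as the error in this issue shows (/usr/share/falco/plugins/<library_path>).

# missing_plugin_libs CONFIG_FILE [PLUGIN_DIR]
# Prints the full path of every library that cannot be found.
# Returns 0 when all are present, 1 when at least one is missing.
missing_plugin_libs() {
    config=$1
    plugin_dir=${2:-/usr/share/falco/plugins}
    status=0

    # Take the value of every "library_path:" key, then strip trailing
    # comments, surrounding quotes and trailing whitespace.
    libs=$(sed -n 's/^[[:space:]-]*library_path:[[:space:]]*//p' "$config" |
        sed -e 's/[[:space:]]*#.*$//' \
            -e 's/^["'\'']//' \
            -e 's/["'\''][[:space:]]*$//' \
            -e 's/[[:space:]]*$//')

    for lib in $libs; do
        case $lib in
            /*) path=$lib ;;              # absolute path: use as written
            *)  path=$plugin_dir/$lib ;;  # relative path: look in plugin dir
        esac
        if [ ! -f "$path" ]; then
            echo "$path"
            status=1
        fi
    done
    return $status
}
```

Call it from a shell where the plugin directory is visible, passing the values file and, if needed, the directory to check.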