
Replacing Falco with an embedded eBPF sensor for Kubernetes runtime enforcement
Kubernetes, eBPF, Runtime Security, Incident Analysis
A writeup on building runtime enforcement directly into a Kubernetes node agent with eBPF instead of deploying Falco alongside it. It covers the design of the syscall tracepoints, in-kernel filtering with BPF maps so that only events of interest leave the kernel, and the decision to enforce by sending SIGKILL from the tracepoint handler rather than denying the call through a BPF LSM hook. It closes with a postmortem of a staging incident in which the enforcement rules were not scoped to the target namespaces, so they also fired on Harbor, Cilium, and RabbitMQ and disrupted those services.
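The postmortem's lesson is a single missing check: the kill decision must be gated on a scope key before any rule is evaluated, otherwise every process on the node is a candidate. The following is an added example, not code from the writeup or its agent: a userspace C model of the in-kernel decision path, with the scope map (a stand-in for a BPF hash map keyed by cgroup id) and the denylist as plain arrays, run over a constructed sample of one guarded pod plus two infrastructure processes. Process names, cgroup ids, pids and the syscalls attributed to each process are constructed for the sample; the syscall numbers are the x86_64 values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* x86_64 syscall numbers used by the sample denylist. */
#define SYS_WRITE    1
#define SYS_PTRACE 101
#define SYS_MOUNT  165
#define SYS_SETNS  308

enum verdict { VERDICT_ALLOW = 0, VERDICT_KILL = 1 };

/* What a raw_syscalls:sys_enter handler would see. In BPF the pid comes from
 * bpf_get_current_pid_tgid(), the cgroup id from bpf_get_current_cgroup_id()
 * and the syscall number from the tracepoint arguments; comm is only here to
 * label the sample. */
struct sys_enter_event {
    uint32_t    pid;
    uint64_t    cgroup_id;
    uint32_t    syscall_nr;
    const char *comm;
};

/* Stand-in for a BPF_MAP_TYPE_HASH keyed by cgroup id. The userspace agent
 * would insert the cgroup id of every pod it is meant to guard and nothing
 * else (values constructed for the sample). */
static const uint64_t scope_map[] = { 0x1001 };

/* Stand-in for the denylist map: syscalls a guarded workload must never make. */
static const uint32_t deny_map[] = { SYS_PTRACE, SYS_SETNS, SYS_MOUNT };

static bool map_has_u64(const uint64_t *map, size_t n, uint64_t key)
{
    for (size_t i = 0; i < n; i++)
        if (map[i] == key)
            return true;
    return false;
}

static bool map_has_u32(const uint32_t *map, size_t n, uint32_t key)
{
    for (size_t i = 0; i < n; i++)
        if (map[i] == key)
            return true;
    return false;
}

/* The decision the tracepoint handler makes. With scoped == false this is
 * the behaviour from the postmortem: the denylist applies to every process
 * on the node. With scoped == true the scope lookup runs first and
 * out-of-scope cgroups are never matched against the rules. */
enum verdict decide(const struct sys_enter_event *e, bool scoped)
{
    if (scoped && !map_has_u64(scope_map, ARRAY_SIZE(scope_map), e->cgroup_id))
        return VERDICT_ALLOW;
    if (map_has_u32(deny_map, ARRAY_SIZE(deny_map), e->syscall_nr))
        return VERDICT_KILL;   /* in BPF: bpf_send_signal(SIGKILL) */
    return VERDICT_ALLOW;
}

/* Constructed sample: a guarded pod and two node infrastructure processes
 * whose legitimate work trips the denylist. */
static const struct sys_enter_event sample[] = {
    { 4242, 0x1001, SYS_PTRACE, "payments-api" },
    { 4243, 0x1001, SYS_WRITE,  "payments-api" },
    { 1310, 0x2002, SYS_SETNS,  "cilium-agent" },
    { 2881, 0x2003, SYS_MOUNT,  "harbor-core"  },
};

/* Number of sample events that would have been SIGKILLed. */
int count_kills(bool scoped)
{
    int kills = 0;
    for (size_t i = 0; i < ARRAY_SIZE(sample); i++)
        if (decide(&sample[i], scoped) == VERDICT_KILL)
            kills++;
    return kills;
}

int main(void)
{
    for (size_t i = 0; i < ARRAY_SIZE(sample); i++) {
        const struct sys_enter_event *e = &sample[i];
        printf("%-13s pid=%u cgroup=0x%llx nr=%u  unscoped=%s scoped=%s\n",
               e->comm, e->pid, (unsigned long long)e->cgroup_id, e->syscall_nr,
               decide(e, false) == VERDICT_KILL ? "KILL" : "allow",
               decide(e, true)  == VERDICT_KILL ? "KILL" : "allow");
    }
    printf("kills unscoped=%d scoped=%d\n", count_kills(false), count_kills(true));
    return 0;
}
```

Unscoped, three of the four events are killed, including the Cilium agent and the Harbor process; scoped, only the guarded pod's ptrace is. One caveat on the SIGKILL choice itself: bpf_send_signal() queues a signal to the task, so a syscall already in flight at the tracepoint may still complete before the process dies, whereas a BPF LSM hook returns an error and the call never proceeds.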