Motivation
We want to collect Prometheus metrics from all servers.
Feature
I noticed the webserver apparently runs as root, under the same process as the Falco binary:
Netstat:
tcp 0 0 0.0.0.0:8765 0.0.0.0:* LISTEN 0 1 426859/falco
PS:
root 426859 0.0 0.7 584040 27648 ? Ssl Jan20 20:19 /usr/bin/falco -o engine.kind=modern_ebpf
Would it be possible to split this responsibility, having a separate webserver process with fewer privileges than the main Falco process?
Alternatives
Not that I'm aware of.
Additional context
Separation of concerns, least privilege, and other best practices.
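
The condition reported above (a TCP listener owned by uid 0 and bound to 0.0.0.0) can be audited across hosts by reading the kernel's socket table instead of eyeballing netstat output. The following is an added example, not part of the original issue and not Falco project code; the function names and the sample table are constructed for illustration, and it assumes a little-endian host and IPv4 only (`/proc/net/tcp`, not `tcp6`).

```python
import socket
import struct

TCP_LISTEN = 0x0A  # state code the kernel prints for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:223D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:238C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   998        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:223D 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 20 4 30 10 -1
"""


def parse_listeners(table):
    """Yield (address, port, uid, inode) for every LISTEN socket in the table."""
    for line in table.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10 or int(f[3], 16) != TCP_LISTEN:
            continue
        hex_addr, hex_port = f[1].split(":")
        # The address is a hex u32 in host byte order (little-endian assumed here).
        addr = socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))
        yield addr, int(hex_port, 16), int(f[7]), int(f[9])


def root_wildcard_listeners(table):
    """Return (address, port, inode) for listeners owned by uid 0 on all interfaces."""
    return [(a, p, i) for a, p, u, i in parse_listeners(table)
            if u == 0 and a == "0.0.0.0"]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed sample off-Linux
    for addr, port, inode in root_wildcard_listeners(table):
        print(f"root-owned listener on {addr}:{port} (socket inode {inode})")
```

The uid column is the socket owner, the same value netstat shows in its User column, so a listener that had been moved to an unprivileged process would no longer appear in the result.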