Feature Request: Configurable Memory Limit

[shane-lawrence]

Motivation
On some busy nodes, Falco's memory usage exceeds 8 GB. I'm not sure if it's storing a lot of data on pids, threads, fds, sockets, connection state, or what else may be using all of that memory but it takes resources away from other applications. I've been using k8s memory limits to restrict this, but that is enforced through OOMKills. A more graceful way to limit memory usage would be helpful. It would also be great to get a better understanding of what is using up so much memory.

Feature
I would like a configuration setting that limits the amount of memory Falco uses to a specified maximum value and drops state information that exceeds the limit without crashing the process.

Alternatives
If the memory usage was improved more generally on large nodes then I would not have a need for this feature.

Additional context

[FedeDP]

Hi!
In the falco.yaml you can find the falco_libs.thread_table_size key: https://github.com/falcosecurity/falco/blob/master/falco.yaml#L1307.
You can try to play wit hit to limit the amount of threads stored by libs.