github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-29 16:17:32 +00:00
Code Issues Projects Releases Wiki Activity

Rule(Pod Created in Kube Namespace): add images

Browse Source 
Add several images seen in GKE environments that can run in the
kube-system namespace.

Also change the names of the lists to be more specific. The old names
are retained but are kept around for backwards compatibility.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2020-08-27 18:08:29 -07:00 committed by poiana
parent 3fd4464dee
commit 08d38d8269
1 changed files with 34 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
rules/k8s_audit_rules.yaml
View File

@ -244,20 +244,48 @@
source: k8s_audit source: k8s_audit
tags: [k8s] tags: [k8s]
# Only defined for backwards compatibility. Use the more specific
# user_allowed_kube_namespace_image_list instead.
- list: user_trusted_image_list - list: user_trusted_image_list
items: [] items: []
- list: k8s_image_list - list: user_allowed_kube_namespace_image_list
items: [k8s.gcr.io/kube-apiserver, kope/kube-apiserver-healthcheck] items: [user_trusted_image_list]
- macro: trusted_pod # Only defined for backwards compatibility. Use the more specific
condition: (ka.req.pod.containers.image.repository in (user_trusted_image_list) or # allowed_kube_namespace_image_list instead.
ka.req.pod.containers.image.repository in (k8s_image_list)) - list: k8s_image_list
items: []
- list: allowed_kube_namespace_image_list
items: [
gcr.io/google-containers/prometheus-to-sd,
gcr.io/projectcalico-org/node,
gke.gcr.io/addon-resizer,
gke.gcr.io/heapster,
gke.gcr.io/gke-metadata-server,
k8s.gcr.io/ip-masq-agent-amd64,
k8s.gcr.io/kube-apiserver,
gke.gcr.io/kube-proxy,
gke.gcr.io/netd-amd64,
k8s.gcr.io/addon-resizer
k8s.gcr.io/prometheus-to-sd,
k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
k8s.gcr.io/k8s-dns-kube-dns-amd64,
k8s.gcr.io/k8s-dns-sidecar-amd64,
k8s.gcr.io/metrics-server-amd64,
kope/kube-apiserver-healthcheck,
k8s_image_list
]
- macro: allowed_kube_namespace_pods
condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
# Detect any new pod created in the kube-system namespace # Detect any new pod created in the kube-system namespace
- rule: Pod Created in Kube Namespace - rule: Pod Created in Kube Namespace
desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not trusted_pod condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit