rule(macro user_known_k8s_ns_kube_system_images): add new macro image name inside kube-system namespace

Signed-off-by: DingGGu <ggu@dunamu.com>
2025-06-30 00:22:15 +00:00 · 2020-11-10 16:12:01 +09:00 · 2020-11-10 16:12:01 +09:00 · 0b516b7d42
commit 0b516b7d42
parent 4954593261
1 changed files with 9 additions and 4 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -2872,14 +2872,19 @@
 - list: k8s_client_binaries
  items: [docker, kubectl, crictl]

+- macro: user_known_k8s_ns_kube_system_images
+  condition: >
+    (
+      container.image.repository=k8s.gcr.io/fluentd-gcp-scaler or
+      container.image.repository=k8s.gcr.io/node-problem-detector/node-problem-detector
+    )
+
+
 # Whitelist for known docker client binaries run inside container
 # - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE
 - macro: user_known_k8s_client_container
  condition: >
-    (k8s.ns.name="kube-system" and (
-      container.image.repository=k8s.gcr.io/fluentd-gcp-scaler or
-      container.image.repository=k8s.gcr.io/node-problem-detector/node-problem-detector
-    )) or
+    (k8s.ns.name="kube-system" and user_known_k8s_ns_kube_system_images) or
    container.image.repository=mcr.microsoft.com/aks/hcp/hcp-tunnel-front

 - macro: user_known_k8s_client_container_parens