github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-30 08:32:12 +00:00
Code Issues Projects Releases Wiki Activity

rule(macro user_known_k8s_ns_kube_system_images): add new macro image name inside kube-system namespace

Browse Source 
Signed-off-by: DingGGu <ggu@dunamu.com>
This commit is contained in:
DingGGu 2020-11-10 16:12:01 +09:00 committed by poiana
parent 4954593261
commit 0b516b7d42
1 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
rules/falco_rules.yaml
View File

@ -2872,14 +2872,19 @@
- list: k8s_client_binaries - list: k8s_client_binaries
items: [docker, kubectl, crictl] items: [docker, kubectl, crictl]
- macro: user_known_k8s_ns_kube_system_images
condition: >
(
container.image.repository=k8s.gcr.io/fluentd-gcp-scaler or
container.image.repository=k8s.gcr.io/node-problem-detector/node-problem-detector
)
# Whitelist for known docker client binaries run inside container # Whitelist for known docker client binaries run inside container
# - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE # - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE
- macro: user_known_k8s_client_container - macro: user_known_k8s_client_container
condition: > condition: >
(k8s.ns.name="kube-system" and ( (k8s.ns.name="kube-system" and user_known_k8s_ns_kube_system_images) or
container.image.repository=k8s.gcr.io/fluentd-gcp-scaler or
container.image.repository=k8s.gcr.io/node-problem-detector/node-problem-detector
)) or
container.image.repository=mcr.microsoft.com/aks/hcp/hcp-tunnel-front container.image.repository=mcr.microsoft.com/aks/hcp/hcp-tunnel-front
- macro: user_known_k8s_client_container_parens - macro: user_known_k8s_client_container_parens