From 26f2aaa3eb6c23aa0a84dfcd58c09cd307f1151e Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 20 Oct 2020 15:10:58 -0700
Subject: [PATCH] rule(Full K8s... Access): fix users list

Use the right list name in the rule Full K8s Administrative Access--it was using the nonexistent list admin_k8s_users, so it was just using the string "admin_k8s_users".

Signed-off-by: Mark Stemm
---
 rules/k8s_audit_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index 527525f5..bced0a87 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -537,7 +537,7 @@
 condition: >
 kevt
 and non_system_user
- and ka.user.name in (admin_k8s_users)
+ and ka.user.name in (full_admin_k8s_users)
 and not allowed_full_admin_users
 output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
 priority: WARNING
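Review bot: Nothing near the changed line records that `full_admin_k8s_users` has to resolve to a list defined in this rules file, and per the commit message an unresolved name is silently compared as a literal string, which left this rule unable to match any real admin account. I would add a comment above the `condition:` key (not inside the folded scalar, where it would become part of the condition), `# full_admin_k8s_users must be a list defined in this file; an unresolved name is matched as a literal string and the rule never fires`, and a rule test that replays an audit event from a user in that list and expects this alert. The match is also on `ka.user.name` alone, so an identity holding the same privileges under a name outside the list would presumably not be reported; the list definition is outside the hunk, so confirm it covers the admin names used in your clusters. The rule's header lines start above the hunk.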