github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-06 03:16:46 +00:00
Code Issues Projects Releases Wiki Activity

rule(Full K8s... Access): fix users list

Browse Source 
Use the right list name in the rule Full K8s Administrative Access--it
was using the nonexistent list admin_k8s_users, so it was just using the
string "admin_k8s_users".

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2020-10-20 15:10:58 -07:00 committed by poiana
parent c8703b88bf
commit 26f2aaa3eb
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/k8s_audit_rules.yaml
View File

@ -537,7 +537,7 @@
condition: > condition: >
kevt kevt
and non_system_user and non_system_user
and ka.user.name in (admin_k8s_users) and ka.user.name in (full_admin_k8s_users)
and not allowed_full_admin_users and not allowed_full_admin_users
output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code) output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
priority: WARNING priority: WARNING