github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-29 03:11:02 +00:00
Code Issues Projects Releases Wiki Activity

rule(macro user_known_k8s_client_container): separate list of k8s images

Browse Source 
Signed-off-by: DingGGu <ggu@dunamu.com>
This commit is contained in:
DingGGu 2020-11-11 13:37:05 +09:00 committed by poiana
parent ec5b42074e
commit 2b2856299c
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
rules/falco_rules.yaml
View File

@ -2878,11 +2878,16 @@
k8s.gcr.io/node-problem-detector/node-problem-detector
]
- list: user_known_k8s_images
items: [
mcr.microsoft.com/aks/hcp/hcp-tunnel-front
]
# Whitelist for known docker client binaries run inside container
# - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE
- macro: user_known_k8s_client_container
condition: >
(k8s.ns.name="kube-system" and container.image.repository in (user_known_k8s_ns_kube_system_images)) or container.image.repository=mcr.microsoft.com/aks/hcp/hcp-tunnel-front
(k8s.ns.name="kube-system" and container.image.repository in (user_known_k8s_ns_kube_system_images)) or container.image.repository in (user_known_k8s_images)
- macro: user_known_k8s_client_container_parens
condition: (user_known_k8s_client_container)