From 2bc4fec33c8ad35363e5d6bb750d14954b7490ec Mon Sep 17 00:00:00 2001
From: Sebastien Le Digabel
Date: Tue, 15 Mar 2022 12:27:43 +0000
Subject: [PATCH] rule(Anonymous Request Allowed): exclude {/livez, /readyz}

Fixes #1794. /livez and /readyz don't require authentication and can generate a lot of noise if the cluster is checked by an anonymous external system. Some k8s systems have those endpoints required to be anonymous, as per this [link to an OpenShift setup](http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_api_server_anonymous_auth).

Signed-off-by: Sebastien Le Digabel
---
 rules/k8s_audit_rules.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index 6d3d9b1c..e758c065 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -140,6 +140,12 @@
 - macro: health_endpoint
   condition: ka.uri=/healthz
 
+- macro: live_endpoint
+  condition: ka.uri=/livez
+
+- macro: ready_endpoint
+  condition: ka.uri=/readyz
+
 - rule: Create Disallowed Pod
   desc: >
     Detect an attempt to start a pod with a container image outside of a list of allowed images.
@@ -250,7 +256,7 @@
 - rule: Anonymous Request Allowed
   desc: >
     Detect any request made by the anonymous user that was allowed
-  condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
+  condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint and not live_endpoint and not ready_endpoint
   output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
   priority: WARNING
   source: k8s_audit
@@ -734,4 +740,3 @@
   priority: WARNING
   source: k8s_audit
   tags: [k8s]
-
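Review bot: The new `live_endpoint` and `ready_endpoint` macros carry no comment saying why anonymous hits on these paths are tolerated, so the rationale lives only in the commit message and a reader of the rules file cannot tell a deliberate exclusion from an accidental blind spot. A one-line comment above the pair, e.g. `# /livez and /readyz don't require authentication and are polled by external probes; excluded from "Anonymous Request Allowed" to cut noise (see #1794)`, would keep that decision next to the rule it weakens. Like the existing `health_endpoint`, both use an exact `=` match on `ka.uri`, so if `ka.uri` carries the full request URI, a probe hitting `/livez?verbose` or a sub-check such as `/readyz/etcd` presumably still alerts; stating that in the comment stops the residual alerts being mistaken for a regression. The `Create Disallowed Pod` rule that closes this hunk continues outside it.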
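Review bot: The added `and not live_endpoint and not ready_endpoint` on the `condition` line silences only requests whose `ka.uri` is exactly `/livez` or `/readyz`, so an external checker that polls `/readyz?verbose` or a per-component path like `/livez/etcd` would still raise this WARNING if `ka.uri` includes the query string and sub-path, and the noise this commit targets is only partly removed. If exact matching is the intent (it keeps the verbose variant, which enumerates individual health checks, visible to defenders), that trade-off deserves a sentence in `desc`; if not, `ka.uri startswith /livez` and `ka.uri startswith /readyz` in the two macros would cover the variants, at the cost of a slightly broader exclusion. Either way the exclusion is unconditional on verb, client IP and user agent, so the rule no longer distinguishes a known probe from any anonymous caller touching these paths; `desc` still reads as "any request", which is now inaccurate and could read `Detect any request made by the anonymous user that was allowed, excluding the unauthenticated health endpoints`. The rule's `tags` line falls outside this hunk.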