rule(Anonymous Request Allowed): exclude {/livez, /readyz}

Fixes #1794.

/livez and /readyz don't require authentication and can generate a lot
of noise if the cluster is checked by an anonymous external
system.

Some k8s systems have those endpoints required to be anonymous, as per this [link to an OpenShift setup](http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_api_server_anonymous_auth).

Signed-off-by: Sebastien Le Digabel <sledigabel@gmail.com>
Sebastien Le Digabel 2022-03-15 12:27:43 +00:00 committed by poiana
parent dbbc93f69d
commit 2bc4fec33c


@ -140,6 +140,12 @@
- macro: health_endpoint
condition: ka.uri=/healthz
- macro: live_endpoint
condition: ka.uri=/livez
- macro: ready_endpoint
condition: ka.uri=/readyz
- rule: Create Disallowed Pod
desc: >
Detect an attempt to start a pod with a container image outside of a list of allowed images.
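Review bot: the new `live_endpoint` and `ready_endpoint` macros use exact equality (`ka.uri=/livez`, `ka.uri=/readyz`), so a probe that carries a query string (for example `/livez?verbose`) would still fall through to the Anonymous Request Allowed rule and keep producing the noise this change is meant to remove. That is consistent with the existing `health_endpoint` macro above it, so it may be intentional, but if the goal is to silence all anonymous probe traffic consider `ka.uri startswith /livez` (and likewise for `/readyz`), or fold the three paths into one `health_endpoints` macro so the exclusion is maintained in a single place.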
@ -250,7 +256,7 @@
- rule: Anonymous Request Allowed
desc: >
Detect any request made by the anonymous user that was allowed
condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint and not live_endpoint and not ready_endpoint
output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
priority: WARNING
source: k8s_audit
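Review bot: the rule's `desc` still reads "Detect any request made by the anonymous user that was allowed" even though the condition now carves out `/healthz`, `/livez` and `/readyz`; please extend the description to say that unauthenticated health, liveness and readiness probes are excluded, since anyone tuning this rule will read the description before the condition. Two smaller points on the same lines: the condition is growing by one `and not` per path, which is a sign the three macros belong behind a single combined macro, and the unchanged `output` line ends with a doubled parenthesis (`reason=%ka.auth.reason))`) that could be fixed while this rule is being touched.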
@ -734,4 +740,3 @@
priority: WARNING
source: k8s_audit
tags: [k8s]
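Review bot: the last hunk header (`@@ -734,4 +740,3 @@`) shows one line being removed at the end of the file, but only unchanged context lines are visible and the commit message says nothing about it; if this is a trailing blank line or whitespace cleanup, say so in the message or split it out, so the rule change stays easy to review and to cherry-pick on its own.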