rule(Change thread namespace): fix regression test

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>

rules/falco_rules.yaml

@@ -1550,7 +1550,7 @@
     and not proc.name in (user_known_change_thread_namespace_binaries)
     and not proc.name startswith "runc"
     and not proc.cmdline startswith "containerd"
-    and not proc.pname in (sysdigcloud_binaries)
+    and not proc.pname in (sysdigcloud_binaries, hyperkube, kubelet)
     and not python_running_sdchecks
     and not java_running_sdjagent
     and not kubelet_running_loopback

test/falco_tests.yaml

@@ -689,7 +689,7 @@ trace_files: !mux
       - "Non sudo setuid": 1
       - "Create files below dev": 1
       - "Modify binary dirs": 2
-      - "Change thread namespace": 2
+      - "Change thread namespace": 1
 
   disabled_tags_a:
     detect: True

test/falco_traces.yaml.in

@@ -26,7 +26,7 @@ traces: !mux
     detect: True
     detect_level: NOTICE
     detect_counts:
-      - "Change thread namespace": 2
+      - "Change thread namespace": 1
 
   container-privileged:
     trace_file: traces-positive/container-privileged.scap
@@ -73,7 +73,7 @@ traces: !mux
       - "Non sudo setuid": 1
       - "Create files below dev": 1
       - "Modify binary dirs": 2
-      - "Change thread namespace": 2
+      - "Change thread namespace": 1
 
   mkdir-binary-dirs:
     trace_file: traces-positive/mkdir-binary-dirs.scap