github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-31 22:16:49 +00:00
Code Issues Projects Releases Wiki Activity

rules(list user_known_sa_list): revert as an empty list for user overwrite

Browse Source 
rules(list known_sa_list): list of known sa moved here from user_known_sa_list

Signed-off-by: Lorenzo Fontana <lo@linux.com>
This commit is contained in:
Lorenzo Fontana 2021-04-07 13:59:42 +02:00 committed by poiana
parent abc79fb548
commit 35fe14e691
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
rules/k8s_audit_rules.yaml
View File

@ -347,12 +347,15 @@
tags: [k8s]
- list: user_known_sa_list
items: ["pod-garbage-collector","resourcequota-controller","cronjob-controller","generic-garbage-collector",
items: []
- list: known_sa_list
items: ["pod-garbage-collector","resourcequota-controller","cronjob-controller","generic-garbage-collector",
"daemon-set-controller","endpointslice-controller","deployment-controller", "replicaset-controller",
"endpoint-controller"]
- macro: trusted_sa
condition: (ka.target.name in (user_known_sa_list))
condition: (ka.target.name in (known_sa_list, user_known_sa_list))
# Detect creating a service account in the kube-system/kube-public namespace
- rule: Service Account Created in Kube Namespace