From 35fe14e69147a246655e67ca30305ad367159ae5 Mon Sep 17 00:00:00 2001
From: Lorenzo Fontana
Date: Wed, 7 Apr 2021 13:59:42 +0200
Subject: [PATCH] rules(list user_known_sa_list): revert as an empty list for user overwrite rules(list known_sa_list): list of known sa moved here from user_known_sa_list
Signed-off-by: Lorenzo Fontana
---
 rules/k8s_audit_rules.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index 1325f3df..09921a47 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -347,12 +347,15 @@ tags: [k8s]
 - list: user_known_sa_list
-  items: ["pod-garbage-collector","resourcequota-controller","cronjob-controller","generic-garbage-collector",
+  items: []
+
+- list: known_sa_list
+  items: ["pod-garbage-collector","resourcequota-controller","cronjob-controller","generic-garbage-collector",
   "daemon-set-controller","endpointslice-controller","deployment-controller", "replicaset-controller", "endpoint-controller"]
 - macro: trusted_sa
-  condition: (ka.target.name in (user_known_sa_list))
+  condition: (ka.target.name in (known_sa_list, user_known_sa_list))
 # Detect creating a service account in the kube-system/kube-public namespace
 - rule: Service Account Created in Kube Namespace
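Review bot: The `trusted_sa` allowlist in the new `condition: (ka.target.name in (known_sa_list, user_known_sa_list))` keys on the target name alone, so any principal that can create a ServiceAccount in kube-system/kube-public can slip past the rule simply by naming it e.g. `cronjob-controller`; the rule that appears to consume this macro (`Service Account Created in Kube Namespace`) begins on the hunk's last line and its body is outside the hunk, so the exact usage is inferred. If the audit events for the built-in controller SAs show a stable creating identity, it is worth constraining that as well, e.g. `condition: (ka.target.name in (known_sa_list, user_known_sa_list) and ka.user.name in (known_sa_creators))` with the creator list populated from observed audit logs rather than guessed. Separately, `known_sa_list` is introduced without any comment saying it is the project-maintained default and that site-specific additions belong in `user_known_sa_list`; a one-liner above it such as `# Built-in controller SAs; add site-specific ones to user_known_sa_list rather than editing this list.` would keep the split described in the commit message visible in the file itself.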