remove commercial images to unblock PR

add endpoint-controller to user_known_sa_list
related event:
    {
        "output": "05:19:25.557989888: Warning Service account created
in kube namespace (user=system:kube-controller-manager
serviceaccount=endpoint-controller ns=kube-system)",
        "priority": "Warning",
        "rule": "Service Account Created in Kube Namespace",
        "time": "2021-02-16T05:19:25.557989888Z",
        "output_fields": {
            "jevt.time": "05:19:25.557989888",
            "ka.target.name": "endpoint-controller",
            "ka.target.namespace": "kube-system",
            "ka.user.name": "system:kube-controller-manager"
        }
    }

Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>
ismail yenigul 2021-02-16 08:31:30 +03:00 committed by poiana
parent 2d962dfcb0
commit 37a6caae12
2 changed files with 5 additions and 5 deletions


@ -1537,7 +1537,6 @@
- [[rancher-bridge], "rancher/network-manager"]
- [[calico-node], "calico/node"]
- [[scope], "weaveworks/scope"]
- [[system-probe], "datadog/agent"]
output: >
Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
@ -1799,7 +1798,7 @@
docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout,
docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
amazon/amazon-ecs-agent, prom/node-exporter, gcr.io/datadoghq/agent, amazon/cloudwatch-agent
amazon/amazon-ecs-agent, prom/node-exporter, amazon/cloudwatch-agent
]
# These container images are allowed to run with hostnetwork=true
@ -2365,8 +2364,7 @@
gcr.io/google_containers/kube2sky, docker.io/sysdig/falco,
docker.io/sysdig/sysdig, docker.io/falcosecurity/falco,
sysdig/falco, sysdig/sysdig, falcosecurity/falco, fluent/fluentd-kubernetes-daemonset,
newrelic/infrastructure-k8s, prom/prometheus,
cloudability/metrics-agent) or (k8s.ns.name = "kube-system"))
prom/prometheus) or (k8s.ns.name = "kube-system"))
- macro: k8s_api_server
condition: (fd.sip.name="kubernetes.default.svc.cluster.local")
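Review bot: The vendor-image removal is inconsistent across the lists in this file: the host-network image list keeps `docker.io/datadog/docker-dd-agent, docker.io/datadog/agent` as unchanged entries while `gcr.io/datadoghq/agent` is dropped from the same list, so the same agent stays allow-listed under one registry prefix but not the other, and the first hunk appears to drop the `system-probe` / `datadog/agent` setns exception while the other lists still carry that image. Since these lists are now meant to exclude third-party agent images, a comment above each affected list would stop the next contributor from re-adding them, e.g. `# Vendor/commercial agent images are intentionally not listed here; add them in a local rules override if you run them`. The list and macro definitions these hunks edit start above the hunks.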


@ -347,7 +347,9 @@
tags: [k8s]
- list: user_known_sa_list
items: ["pod-garbage-collector","resourcequota-controller","cronjob-controller","generic-garbage-collector", "daemon-set-controller","endpointslice-controller","deployment-controller", "replicaset-controller"]
items: ["pod-garbage-collector","resourcequota-controller","cronjob-controller","generic-garbage-collector",
"daemon-set-controller","endpointslice-controller","deployment-controller", "replicaset-controller",
"endpoint-controller"]
- macro: trusted_sa
condition: (ka.target.name in (user_known_sa_list))
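Review bot: The trusted_sa exception that the new `endpoint-controller` entry extends is keyed on the target name alone: the macro below the list matches `ka.target.name in (user_known_sa_list)` with no constraint on the creating user, so any service account that happens to carry one of these names is exempted from the Service Account Created in Kube Namespace rule. The event quoted in the commit message shows the legitimate creator as `system:kube-controller-manager`; if that holds for every entry in the list, binding the exception to the creator keeps it from becoming a blanket allow, e.g. `condition: (ka.target.name in (user_known_sa_list) and ka.user.name = "system:kube-controller-manager")`. The rewrapped list also mixes `,"` and `, "` between entries; one spacing style would make later diffs cleaner. The rule that consumes trusted_sa is outside the hunk.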