From 48a0f512fb9e5022135ca42040242bef19a98aea Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 30 Jan 2020 17:09:25 -0800
Subject: [PATCH] Let cilium-cni change namespaces

Sample Falco alert:
```
Namespace change (setns) by unexpected program (user=root command=cilium-cni parent=cilium-cni host CID2 CID1 image=)
```

Signed-off-by: Mark Stemm
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 6dcf7513..beae1603 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1546,7 +1546,7 @@
 condition: >
 evt.type = setns
 and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries,
- sysdig, nsenter, calico, oci-umount, network_plugin_binaries)
+ sysdig, nsenter, calico, oci-umount, cilium-cni, network_plugin_binaries)
 and not proc.name in (user_known_change_thread_namespace_binaries)
 and not proc.name startswith "runc"
 and not proc.cmdline startswith "containerd"
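Review bot: The new `cilium-cni` entry in the `proc.name in (...)` exclusion matches on the process name alone, so any process carrying that name is exempt from this setns rule, including one running inside a workload container. The sample alert in the commit message appears to come from the host with parent `cilium-cni`, so the exception could be scoped to that case, for example `and not (proc.name = cilium-cni and container.id = host)`, assuming the `host` token in the alert is the container id. If `network_plugin_binaries` is the list intended for CNI plugins, adding the name there instead would keep the inline tuple from growing and let other rules share the exception. The rule's header and the rest of its condition lie outside the hunk, so an existing container or parent constraint cannot be ruled out from here.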