From 49545932615e4cacd9dbca4516db4f3a7f7173b9 Mon Sep 17 00:00:00 2001
From: DingGGu
Date: Mon, 9 Nov 2020 11:57:29 +0900
Subject: [PATCH] rule(macro user_known_k8s_client_container): add node-problem-detector pattern to avoid false positive

Signed-off-by: DingGGu
---
 rules/falco_rules.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index da1c8b7e..1b2c2669 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2876,7 +2876,10 @@
 # - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE
 - macro: user_known_k8s_client_container
 condition: >
- (k8s.ns.name="kube-system" and container.image.repository=k8s.gcr.io/fluentd-gcp-scaler) or
+ (k8s.ns.name="kube-system" and (
+ container.image.repository=k8s.gcr.io/fluentd-gcp-scaler or
+ container.image.repository=k8s.gcr.io/node-problem-detector/node-problem-detector
+ )) or
 container.image.repository=mcr.microsoft.com/aks/hcp/hcp-tunnel-front
 
 - macro: user_known_k8s_client_container_parens
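Review bot: The new `container.image.repository=k8s.gcr.io/node-problem-detector/node-problem-detector` term exempts every process in any container carrying that repository name in kube-system, so API-server contact from a compromised node-problem-detector pod would presumably no longer be reported by the rules that consume this macro. The comment list above the macro still names only fluentd-gcp-scaler; it should record the new exemption and its scope, for example `# - k8s.gcr.io/node-problem-detector/node-problem-detector in kube-system`. Since the match is on repository and namespace only, with no tag or digest, it is worth stating in that comment that the exception assumes kube-system deployments are trusted. The comment block begins above the hunk, so whether hcp-tunnel-front is already listed there cannot be confirmed from here.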