From 50c6515da5a88465f1b251bb9eab21944c649009 Mon Sep 17 00:00:00 2001
From: Kaizhe Huang <derek0405@gmail.com>
Date: Wed, 30 Jan 2019 14:13:19 -0800
Subject: [PATCH] kh: improve mount on /var/lib/kubelet rule (#509)

---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 52b5d8ec..08b4a1a3 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1428,7 +1428,8 @@
 - macro: sensitive_mount
   condition: (container.mount.dest[/proc*] != "N/A" or
               container.mount.dest[/var/run/docker.sock] != "N/A" or
-              container.mount.dest[/var/lib/kubelet*] != "N/A" or
+              container.mount.dest[/var/lib/kubelet] != "N/A" or
+              container.mount.dest[/var/lib/kubelet/pki] != "N/A" or
               container.mount.dest[/] != "N/A" or
               container.mount.dest[/etc] != "N/A" or
               container.mount.dest[/root*] != "N/A")