From 511ef52717497a476acfe2ebd9207af7ff1740d5 Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Fri, 31 Jul 2020 15:08:00 -0700
Subject: [PATCH] rule (EphemeralContainers Created): add new rule to detect ephemeral container created

Signed-off-by: kaizhe
---
 rules/k8s_audit_rules.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index 872bb7a9..5084a45c 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -217,6 +217,19 @@
   source: k8s_audit
   tags: [k8s]
 
+- macro: user_known_pod_debug_activities
+  condition: (k8s_audit_never_true)
+
+# Only works when feature gate EphemeralContainers is enabled
+- rule: EphemeralContainers Created
+  desc: >
+    Detect any ephemeral container created
+  condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
+  output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
+  priority: NOTICE
+  source: k8s_audit
+  tags: [k8s]
+
 # In a local/user rules fie, you can append to this list to add additional allowed namespaces
 - list: allowed_namespaces
   items: [kube-system, kube-public, default]
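Review bot: The new rule's output always reads element 0 of `/requestObject/ephemeralContainers`, so when a pod already has an ephemeral container and the client sends the full list back (an update of the subresource), the name and image shown belong to the existing container rather than the one just added, and a `patch` body (which `kmodify` presumably also matches) may not carry that path at all, leaving both fields empty. Nothing in the condition checks the response code either, so an RBAC-denied attempt at ResponseComplete will still emit "Ephemeral container is created"; I would append `response_code=%ka.response.code` to the output, or add `and response_successful` to the condition if that macro exists in this file and only successful debug sessions should alert. The `targetContainerName` is also worth surfacing, since an ephemeral container that targets another container joins its process namespace with an attacker-chosen image, e.g. `target_container=%jevt.value[/requestObject/ephemeralContainers/0/targetContainerName]`. Given that capability, NOTICE reads as low; if it is intentional, the comment above the rule should say so, e.g. `# NOTICE because ephemeral containers are an expected kubectl debug workflow; tune via user_known_pod_debug_activities`.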