diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 914ccb1c..a7a92907 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2641,10 +2641,13 @@
 - list: k8s_client_binaries
   items: [docker, kubectl, crictl]
+
+- macro: user_known_k8s_client_container
+  condition: (k8s.ns.name = "kube-system")
 - rule: The docker client is executed in a container
   desc: Detect a k8s client tool executed inside a container
-  condition: spawned_process and container and proc.name in (k8s_client_binaries)
+  condition: spawned_process and container and not user_known_k8s_client_container and proc.name in (k8s_client_binaries)
   output: "Docker or kubernetes client executed in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)"
   priority: WARNING
   tags: [container, mitre_execution]
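Review bot: The new `user_known_k8s_client_container` macro silences this rule for every container in the kube-system namespace, which is the most privileged namespace in the cluster, so a single compromised or attacker-created pod there could run kubectl/docker/crictl without any alert from this rule; the exception would be safer scoped to the specific workloads that legitimately need a client (e.g. by also matching the container image), with the namespace alone kept only as a documented fallback. The macro also carries no comment explaining that `user_known_*` macros are meant to be overridden in a local rules file, so a reader of the main rules file cannot tell whether the kube-system match is a deliberate default or a local site choice; a comment above the macro such as `# Containers allowed to run k8s client tools; override in your local rules file. Default excludes all of kube-system.` would make the intent explicit. Since the rule fires only when the namespace field does not equal "kube-system", a pod with no k8s metadata available should still alert, which is the fail-safe direction, but that behaviour depends on how the field evaluates when unpopulated and is worth confirming in a test. Finally, the unchanged `output` line does not include the namespace, so adding `k8s_ns=%k8s.ns.name` to it would let analysts see at triage time why a given alert was not covered by the new exception.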