github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-25 20:30:47 +00:00
Code Issues Projects Releases Wiki Activity

rule(Service Account Created in Kube Namespace): only detect sa created in kube namespace with success

Browse Source 
Signed-off-by: kaizhe <derek0405@gmail.com>
This commit is contained in:
kaizhe
2020-03-24 12:02:08 -07:00
committed by poiana
parent 4df5fe83be
commit 6834649fa5
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
rules/k8s_audit_rules.yaml
View File

@@ -225,7 +225,7 @@
# Detect creating a service account in the kube-system/kube-public namespace # Detect creating a service account in the kube-system/kube-public namespace
- rule: Service Account Created in Kube Namespace - rule: Service Account Created in Kube Namespace
desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful
output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace) output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit