From 7666bc3f3adb0bcc0aeee8edee3d14df98787e5d Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 27 Aug 2020 18:10:41 -0700
Subject: [PATCH] rule(System ClusterRole Modified/Deleted): + role

Add system:managed-certificate-controller as a system role that can be modified. Can be changed as a part of upgrades.

Signed-off-by: Mark Stemm
---
 rules/k8s_audit_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index cb975ef9..ddef9093 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -311,7 +311,8 @@
 # normal operation.
 - rule: System ClusterRole Modified/Deleted
 desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
- condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and ka.target.name!="system:coredns"
+ condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
+ not ka.target.name in (system:coredns, system:managed-certificate-controller)
 output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
 priority: WARNING
 source: k8s_audit
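Review bot: The exclusion added on the `condition` line is keyed on the role name alone, so a modify or delete of `system:managed-certificate-controller` by any user no longer raises this alert, although the commit message only justifies modifications made during upgrades. Consider narrowing the new entry to that case, for example `and not (kmodify and ka.target.name in (system:managed-certificate-controller))`, and, if the upgrading identity is stable in your audit logs, also matching on `ka.user.name`. Moving the exempt names into a named `- list:` with a short comment per entry would let operators review and override the allowlist without editing the condition. The comment above the rule starts outside the hunk, and the rule entry may continue past `source:`.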