From 780129fa1bbde1c577e20be71fd304e524ea7d48 Mon Sep 17 00:00:00 2001
From: Kaizhe Huang
Date: Fri, 7 Jun 2019 12:20:10 -0700
Subject: [PATCH] add exception for coreos/pod-checkpointer
---
 rules/falco_rules.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 8daff3f6..1a74bae8 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1054,6 +1054,11 @@
 (container.image.repository contains "rancher/metadata" or
 container.image.repository contains "rancher/lb-service-haproxy") and
 fd.name startswith "/answers.json")
+- macro: checkpoint_writing_state
+ condition: (proc.name=checkpoint and
+ container.image.repository contains "coreos/pod-checkpointer" and
+ fd.name startswith "/etc/kubernetes")
+
 - macro: jboss_in_container_writing_passwd
 condition: >
 ((proc.cmdline="run-java.sh /opt/jboss/container/java/run/run-java.sh"
@@ -1237,6 +1242,7 @@
 and not openshift_writing_conf
 and not keepalived_writing_conf
 and not rancher_writing_conf
+ and not checkpoint_writing_state
 and not jboss_in_container_writing_passwd
 and not etcd_manager_updating_dns
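Review bot: The new `checkpoint_writing_state` macro in the first hunk is keyed on attributes the workload itself controls, so the exception suppresses alerts for more than the pod-checkpointer it is meant for. `container.image.repository contains "coreos/pod-checkpointer"` is a substring test that any registry path containing that string satisfies, and `proc.name=checkpoint` is only the executable name. An equality test on the full repository name would narrow it, e.g. `container.image.repository = "<registry>/coreos/pod-checkpointer"`, where `<registry>` is a placeholder for the registry actually deployed. `fd.name startswith "/etc/kubernetes"` has no trailing slash, so it also matches sibling paths (a constructed example: `/etc/kubernetes-old`) and exempts the whole tree; `fd.name startswith "/etc/kubernetes/"`, or the specific subdirectories the checkpointer writes, would keep alerts on for the rest. A one-line comment above the macro, such as `# pod-checkpointer persists pod state under /etc/kubernetes; exempt only that writer`, would help later rule audits.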