github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-10 05:03:37 +00:00
Code Issues Projects Releases Wiki Activity

add eks:node-manager to allowed_k8s_users list

Browse Source 
eks:node-manager  is an Amazon EKS internal service role that performs specific operations for managed node groups and Fargate.
Reference: https://github.com/awsdocs/amazon-eks-user-guide/blob/master/doc_source/logging-monitoring.md
Related falco log

```
{"output":"10:56:31.181308928: Warning K8s Operation performed by user not in allowed list of users
 (user=eks:node-manager target=aws-auth/configmaps verb=get uri=/api/v1/namespaces/kube-system/configmaps/aws-auth?timeout=19s resp=200)","priority":"Warning","rule":"Disallowed K8s User","time":"2021-01-26T10:56:31.181308928Z", "output_fields":
{"jevt.time":"10:56:31.181308928","ka.response.code":"200","ka.target.name":"aws-auth","ka.target.resource":"configmaps","ka.uri":"/api/v1/namespaces/kube-system/configmaps/aws-auth?timeout=19s","ka.user.name":"eks:node-manager","ka.verb":"get"}}
```

Signed-off-by: ismailyenigul <ismailyenigul@gmail.com>
This commit is contained in:
ismail yenigul 2021-01-26 14:25:51 +03:00 committed by poiana
parent 19fe7240e2
commit 959811a503
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
rules/k8s_audit_rules.yaml
View File

@ -50,7 +50,8 @@
vertical_pod_autoscaler_users,
cluster-autoscaler,
"system:addon-manager",
"cloud-controller-manager"
"cloud-controller-manager",
"eks:node-manager"
]
- rule: Disallowed K8s User