From 959811a503d937ac3c20ce459078a84f07edfa7a Mon Sep 17 00:00:00 2001 From: ismail yenigul Date: Tue, 26 Jan 2021 14:25:51 +0300 Subject: [PATCH] add eks:node-manager to allowed_k8s_users list eks:node-manager is an Amazon EKS internal service role that performs specific operations for managed node groups and Fargate. Reference: https://github.com/awsdocs/amazon-eks-user-guide/blob/master/doc_source/logging-monitoring.md Related falco log ``` {"output":"10:56:31.181308928: Warning K8s Operation performed by user not in allowed list of users (user=eks:node-manager target=aws-auth/configmaps verb=get uri=/api/v1/namespaces/kube-system/configmaps/aws-auth?timeout=19s resp=200)","priority":"Warning","rule":"Disallowed K8s User","time":"2021-01-26T10:56:31.181308928Z", "output_fields": {"jevt.time":"10:56:31.181308928","ka.response.code":"200","ka.target.name":"aws-auth","ka.target.resource":"configmaps","ka.uri":"/api/v1/namespaces/kube-system/configmaps/aws-auth?timeout=19s","ka.user.name":"eks:node-manager","ka.verb":"get"}} ``` Signed-off-by: ismailyenigul --- rules/k8s_audit_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml index 5a76e3cf..2af7b564 100644 --- a/rules/k8s_audit_rules.yaml +++ b/rules/k8s_audit_rules.yaml @@ -50,7 +50,8 @@ vertical_pod_autoscaler_users, cluster-autoscaler, "system:addon-manager", - "cloud-controller-manager" + "cloud-controller-manager", + "eks:node-manager" ] - rule: Disallowed K8s User
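Review bot: The new `"eks:node-manager"` entry is matched as a plain string against the audit event's user name, so it exempts that identity from `Disallowed K8s User` for every verb and resource, not just the `get` of `configmaps/aws-auth` shown in the commit message; if the authenticator on a given cluster does not reserve the `eks:` prefix (for example an aws-auth mapping whose `username` is set to `eks:node-manager`), whoever holds that mapping inherits the exemption, which is worth stating next to the entry. Nothing in the list records why the name is trusted, unlike the commit message; a `# Amazon EKS service identity for managed node groups and Fargate (see EKS logging docs)` comment above the line would keep that rationale in the file. Following the file's existing pattern of nested lists such as `vertical_pod_autoscaler_users`, moving EKS-specific identities into their own `eks_users` list referenced from `allowed_k8s_users` would let non-EKS deployments override or empty it without editing the shared list. The `- list: allowed_k8s_users` header that opens this `items` block sits above the hunk.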