chore(rules): Rule exceptions for ibm cloud

Whitelist ibm images for connecting to k8s api server IBM Observability by Sysdig has a vendored sysdig/agent image. IBM's Kubernetes Service ships with an operator manager. Example: 19:12:45.090908160: Notice Unexpected connection to K8s API Server from container (command=catalog -namespace ibm-system -configmapServerImage=registry.ng.bluemix.net/armada-master/configmap-operator-registry:v1.6.1 k8s.ns=ibm-system k8s.pod=catalog-operator-6495d76869-ncl2z container=4ad7a04fa1e0 image=registry.ng.bluemix.net/armada-master/olm:0.14.1-IKS-1 connection=172.30.108.219:48200->172.21.0.1:443) k8s.ns=ibm-system k8s.pod=catalog-operator-6495d76869-ncl2z container=4ad7a04fa1e0 IBM's Kubernetes service also ships with a metrics collecting agent Signed-off-by: Spencer Krum <nibz@spencerkrum.com>
2025-09-18 07:51:12 +00:00 · 2020-07-31 19:27:33 +00:00
parent 85db1aa997
commit a54f946135
1 changed files with 13 additions and 3 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1799,7 +1799,7 @@
    docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
    docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout,
    docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
-    amazon/amazon-ecs-agent, prom/node-exporter, amazon/cloudwatch-agent
+    amazon/amazon-ecs-agent, prom/node-exporter, amazon/cloudwatch-agent, falcosecurity/falco
    ]

 # These container images are allowed to run with hostnetwork=true
@@ -2355,6 +2355,13 @@
  tags: [network, container, mitre_discovery]


+# Containers from IBM Cloud
+- list: ibm_cloud_containers
+  items:
+    - icr.io/ext/sysdig/agent
+    - registry.ng.bluemix.net/armada-master/olm
+    - registry.ng.bluemix.net/armada-master/metrics-server-amd64
+
 # In a local/user rules file, list the namespace or container images that are
 # allowed to contact the K8s API Server from within a container. This
 # might cover cases where the K8s infrastructure itself is running
@@ -2364,8 +2371,11 @@
    (container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
     gcr.io/google_containers/kube2sky, docker.io/sysdig/falco,
     docker.io/sysdig/sysdig, docker.io/falcosecurity/falco,
-     sysdig/falco, sysdig/sysdig, falcosecurity/falco, fluent/fluentd-kubernetes-daemonset, 
-     prom/prometheus) or (k8s.ns.name = "kube-system"))
+     sysdig/falco, sysdig/sysdig, falcosecurity/falco,
+     fluent/fluentd-kubernetes-daemonset, prom/prometheus)
+     or (container.image.repository in (ibm_cloud_containers))
+     or (k8s.ns.name = "kube-system"))
+

 - macro: k8s_api_server
  condition: (fd.sip.name="kubernetes.default.svc.cluster.local")