From b38db994496c7cce305ce59e7dbc34094291e57f Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Thu, 24 Oct 2019 22:47:50 -0700
Subject: [PATCH] rules update: add calico/node to trusted privileged container list; add calico_node_write_envvars macro to exception list of write below etc
Signed-off-by: kaizhe
---
 rules/falco_rules.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index ed747609..eff80325 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -898,6 +898,9 @@
 - macro: calico_writing_state
   condition: (proc.name=kube-controller and fd.name startswith /status.json and k8s.pod.name startswith calico)
 
+- macro: calico_writing_envvars
+  condition: (proc.name=start_runit and fd.name startswith "/etc/envvars" and container.image.repository endswith "calico/node")
+
 - list: repository_files
   items: [sources.list]
 
@@ -1251,6 +1254,7 @@
     and not istio_writing_conf
     and not ufw_writing_conf
     and not calico_writing_conf
+    and not calico_writing_envvars
     and not prometheus_conf_writing_conf
     and not openshift_writing_conf
     and not keepalived_writing_conf
@@ -1750,7 +1754,7 @@
 - list: falco_privileged_images
   items: [
     docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig,
-    gcr.io/google_containers/kube-proxy, docker.io/calico/node,
+    gcr.io/google_containers/kube-proxy, docker.io/calico/node, quay.io/calico/node,
     docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/mesosphere/mesos-slave,
     docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy
     ]
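Review bot: The new calico_writing_envvars macro keys its image check on `container.image.repository endswith "calico/node"`, which is satisfied by any repository whose name merely ends in those characters, not only the calico image the exception is meant to cover, so the carve-out is wider than intended. Matching against an explicit set, e.g. `container.image.repository in (calico/node, docker.io/calico/node, quay.io/calico/node)`, keeps the exception to the images that are actually trusted and mirrors how the file's own image lists are written. The second hunk wires this macro into an `and not` chain whose enclosing rule starts and ends outside the hunk, so whichever write-below-etc rule that is inherits the same over-broad exception. A one-line comment above the macro, such as `# calico/node's start_runit writes /etc/envvars/* when the container starts`, would record why the write is tolerated; the macro also quotes its values while the neighbouring calico_writing_state macro leaves them bare.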
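Review bot: The entry added to falco_privileged_images, `quay.io/calico/node`, sits beside the existing `docker.io/calico/node`, so the subject line's "add calico/node to trusted privileged container list" describes only the quay.io mirror; a short comment on the list, e.g. `# calico/node is published to both docker.io and quay.io; both are listed on purpose`, would stop a later reader from treating one as a duplicate. As far as this file shows, membership is decided by image name alone, so the trust granted here is only as strong as whatever controls which image names may run in the cluster; that is a property of the whole list rather than of this line, but it is worth stating next to it. The list definition is fully contained in the hunk.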