github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-13 14:34:33 +00:00
Code Issues Projects Releases Wiki Activity

rules update: add calico/node to trusted privileged container list; add calico_node_write_envvars macro to exception list of write below etc

Browse Source 
Signed-off-by: kaizhe <derek0405@gmail.com>
This commit is contained in:
kaizhe 2019-10-24 22:47:50 -07:00 committed by Lorenzo Fontana
parent daec9cb30d
commit b38db99449
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
rules/falco_rules.yaml
View File

@ -898,6 +898,9 @@
- macro: calico_writing_state
condition: (proc.name=kube-controller and fd.name startswith /status.json and k8s.pod.name startswith calico)
- macro: calico_writing_envvars
condition: (proc.name=start_runit and fd.name startswith "/etc/envvars" and container.image.repository endswith "calico/node")
- list: repository_files
items: [sources.list]
@ -1251,6 +1254,7 @@
and not istio_writing_conf
and not ufw_writing_conf
and not calico_writing_conf
and not calico_writing_envvars
and not prometheus_conf_writing_conf
and not openshift_writing_conf
and not keepalived_writing_conf
@ -1750,7 +1754,7 @@
- list: falco_privileged_images
items: [
docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig,
gcr.io/google_containers/kube-proxy, docker.io/calico/node,
gcr.io/google_containers/kube-proxy, docker.io/calico/node, quay.io/calico/node,
docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/mesosphere/mesos-slave,
docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy
]