Added eks_allowed_k8s_users list to whitelist EKS users

Signed-off-by: darryk10 <stefano.chierici@sysdig.com> Co-authored-by: Alberto Pellitteri <alberto.pellitteri@sysdig.com>
2025-06-26 06:42:08 +00:00 · 2022-03-25 10:34:47 +01:00 · 2022-03-25 10:34:47 +01:00 · bcff88922a
commit bcff88922a
parent 1988f3b0be
1 changed files with 13 additions and 2 deletions
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@ -51,13 +51,24 @@
    cluster-autoscaler,
    "system:addon-manager",
    "cloud-controller-manager",
-    "eks:node-manager",
    "system:kube-controller-manager"
    ]

+- list: eks_allowed_k8s_users
+  items: [  
+    "eks:node-manager",
+    "eks:certificate-controller", 
+    "eks:fargate-scheduler", 
+    "eks:k8s-metrics",
+    "eks:authenticator",
+    "eks:cluster-event-watcher",
+    "eks:nodewatcher",
+    "eks:pod-identity-mutating-webhook"
+    ]
+-
 - rule: Disallowed K8s User
  desc: Detect any k8s operation by users outside of an allowed set of users.
-  condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users)
+  condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users)
  output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
  priority: WARNING
  source: k8s_audit