From c705623f9e20ee56b9635f80ff7b20d4767a9d50 Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato
Date: Wed, 23 Jun 2021 18:41:02 +0200
Subject: [PATCH] update(rules): move falco_hostnetwork_images list to k8s audit rules

Co-authored-by: Leonardo Grasso
Signed-off-by: Leonardo Di Donato
---
 rules/k8s_audit_rules.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index 71af78b3..73611abf 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -152,6 +152,19 @@
 source: k8s_audit
 tags: [k8s]
 
+# These container images are allowed to run with hostnetwork=true
+- list: falco_hostnetwork_images
+ items: [
+ gcr.io/google-containers/prometheus-to-sd,
+ gcr.io/projectcalico-org/typha,
+ gcr.io/projectcalico-org/node,
+ gke.gcr.io/gke-metadata-server,
+ gke.gcr.io/kube-proxy,
+ gke.gcr.io/netd-amd64,
+ k8s.gcr.io/ip-masq-agent-amd64
+ k8s.gcr.io/prometheus-to-sd,
+ ]
+
 # Corresponds to K8s CIS Benchmark 1.7.4
 - rule: Create HostNetwork Pod
 desc: Detect an attempt to start a pod using the host network.
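Review bot: The added flow sequence under `items:` is missing a comma after `k8s.gcr.io/ip-masq-agent-amd64`, so YAML folds that entry and the next one into the single plain scalar `k8s.gcr.io/ip-masq-agent-amd64 k8s.gcr.io/prometheus-to-sd` and neither image is actually allowlisted; the fix is the one-character change `k8s.gcr.io/ip-masq-agent-amd64,`. The failure mode is fail-closed (spurious Create HostNetwork Pod alerts for those two images rather than a detection bypass), but it silently defeats the reason the list was moved here and will not be caught by a YAML syntax check. Separately, the entries are bare repository strings with no tag or digest, and the `Create HostNetwork Pod` rule that starts at the end of the hunk continues past it, so its condition is not visible; if it compares only the image repository from the pod create request, that string is attacker-controlled at audit time, and any request naming e.g. `gke.gcr.io/kube-proxy` would be exempt. A comment on the list should make that explicit so operators prune it to what they run: `# Allowlist keyed on the image repository string from the request only (no digest or registry verification); an image named like one of these bypasses the rule, so keep this minimal.`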