update(rules): move falco_hostnetwork_images list to k8s audit rules

Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2025-07-16 15:51:55 +00:00 · 2021-06-23 18:41:02 +02:00 · 2021-06-23 18:41:02 +02:00 · c705623f9e
commit c705623f9e
parent 3640871725
1 changed files with 13 additions and 0 deletions
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@ -152,6 +152,19 @@
  source: k8s_audit
  tags: [k8s]

+# These container images are allowed to run with hostnetwork=true
+- list: falco_hostnetwork_images
+  items: [
+    gcr.io/google-containers/prometheus-to-sd,
+    gcr.io/projectcalico-org/typha,
+    gcr.io/projectcalico-org/node,
+    gke.gcr.io/gke-metadata-server,
+    gke.gcr.io/kube-proxy,
+    gke.gcr.io/netd-amd64,
+    k8s.gcr.io/ip-masq-agent-amd64
+    k8s.gcr.io/prometheus-to-sd,
+    ]
+
 # Corresponds to K8s CIS Benchmark 1.7.4
 - rule: Create HostNetwork Pod
  desc: Detect an attempt to start a pod using the host network.