macro(trusted_pod): add new list k8s_image_list

Signed-off-by: kaizhe <derek0405@gmail.com>
kaizhe 2020-07-30 16:19:05 -07:00 committed by poiana
parent 0a600253ac
commit e2bf87d207


@ -232,8 +232,12 @@
- list: user_trusted_image_list
items: []
- list: k8s_image_list
items: [k8s.gcr.io/kube-apiserver, kope/kube-apiserver-healthcheck]
- macro: trusted_pod
condition: (ka.req.pod.containers.image.repository in (user_trusted_image_list))
condition: (ka.req.pod.containers.image.repository in (user_trusted_image_list) or
ka.req.pod.containers.image.repository in (k8s_image_list))
# Detect any new pod created in the kube-system namespace
- rule: Pod Created in Kube Namespace
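Review bot: The widened `trusted_pod` condition exempts pods by `ka.req.pod.containers.image.repository` alone, so any pod whose images carry a name in `k8s_image_list` is treated as trusted whatever its namespace, tag or digest. If the rules that use `trusted_pod` (outside this hunk) are meant to exempt only control-plane pods, consider pairing the new clause with a namespace check, or at least documenting the limitation above the list, e.g. `# Control-plane images exempted via trusted_pod; matched by repository name only (no tag, digest or namespace check)`. Also note that `kope/kube-apiserver-healthcheck` has no registry prefix while `k8s.gcr.io/kube-apiserver` does; it is worth confirming that the repository field yields exactly these strings for both, otherwise one entry never matches.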