From e44ce9a8d3143702addffe5ed53347c2ef8f8f27 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 20 Sep 2017 18:25:11 -0700
Subject: [PATCH] Add calico/node as a trusted container. It generally needs to run privileged.
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 4c5c8b6c..0cd22921 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -630,7 +630,8 @@
  container.image startswith sysdig/sysdig or
  container.image startswith gcr.io/google_containers/hyperkube or
  container.image startswith quay.io/coreos/flannel or
- container.image startswith gcr.io/google_containers/kube-proxy)
+ container.image startswith gcr.io/google_containers/kube-proxy or
+ container.image startswith calico/node)
 
 # These containers are ones that are known to spawn lots of
 # shells. Generally, they are for systems where the container is used
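Review bot: The added clause `container.image startswith calico/node` is a bare prefix match on an unqualified image name, so it also covers any repository whose name merely begins with that string (a constructed example: `calico/node-debug`), and every such image inherits whatever exemptions this trusted list grants. Because the commit message says the entry exists so the image can run privileged, the match should be as narrow as the deployment allows, for instance `container.image startswith calico/node:` to stop at the tag separator, provided untagged references do not need to match. An image name is not proof of origin either, so a comment above the entry such as `# calico/node generally needs to run privileged; matched by name only` would record the trade-off for whoever tunes the list later. The neighbouring entries use the same prefix pattern, and the enclosing condition starts outside the hunk.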