From ec5b42074eb5f7693ba2d002ae18f910c0374ffa Mon Sep 17 00:00:00 2001
From: DingGGu
Date: Wed, 11 Nov 2020 13:35:04 +0900
Subject: [PATCH] rule(macro user_known_k8s_ns_kube_system_images): add new macro image name inside kube-system namespace

Signed-off-by: DingGGu
---
 rules/falco_rules.yaml | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 0fdddcd5..6285298d 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2872,20 +2872,17 @@
 - list: k8s_client_binaries
 items: [docker, kubectl, crictl]
-- macro: user_known_k8s_ns_kube_system_images
- condition: >
- (
- container.image.repository=k8s.gcr.io/fluentd-gcp-scaler or
- container.image.repository=k8s.gcr.io/node-problem-detector/node-problem-detector
- )
-
+- list: user_known_k8s_ns_kube_system_images
+ items: [
+ k8s.gcr.io/fluentd-gcp-scaler,
+ k8s.gcr.io/node-problem-detector/node-problem-detector
+ ]
 # Whitelist for known docker client binaries run inside container
 # - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE
 - macro: user_known_k8s_client_container
 condition: >
- (k8s.ns.name="kube-system" and user_known_k8s_ns_kube_system_images) or
- container.image.repository=mcr.microsoft.com/aks/hcp/hcp-tunnel-front
+ (k8s.ns.name="kube-system" and container.image.repository in (user_known_k8s_ns_kube_system_images)) or container.image.repository=mcr.microsoft.com/aks/hcp/hcp-tunnel-front
 - macro: user_known_k8s_client_container_parens
 condition: (user_known_k8s_client_container)
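Review bot: The new `user_known_k8s_ns_kube_system_images` list is added without any comment, while the `# Whitelist for known docker client binaries run inside container` block that previously introduced this allow-list now sits below it and reads as belonging only to `user_known_k8s_client_container`; a line above the list such as `# Image repositories (no tag, since container.image.repository excludes it) allowed to run k8s client binaries in kube-system; append to or override this list in a local rules file` would make the intended extension point explicit. Because the same name changes from a `macro` to a `list`, a local rules file that still overrides `user_known_k8s_ns_kube_system_images` as a macro, which the `user_known_` prefix invites, will presumably no longer be consulted by the new `in (...)` condition, so this is a behaviour change for existing deployments that the commit message should call out. As a point of style, the rewritten condition folds `or container.image.repository=mcr.microsoft.com/aks/hcp/hcp-tunnel-front` onto the same line as the kube-system clause; keeping that alternative on its own line, as the removed version did, keeps the macro readable as more entries accumulate. The commit title says a new image name is added, but the list carries the same two repositories the removed macro had, so the title appears to describe only the restructuring.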