rule update: modify rule to detect connection to K8S API Server from a container
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
This commit is contained in:
parent
e893e048a1
commit
fc58ac7356
@ -2240,13 +2240,7 @@
tags: [network, container, mitre_discovery]
# In a local/user rules file, you should override this macro with the
# IP address of your k8s api server. The IP 1.2.3.4 is a placeholder
# IP that is not likely to be seen in practice.
- macro: k8s_api_server
condition: (fd.sip="1.2.3.4" and fd.sport=8080)
# In a local/user rules file, list the container images that are
# In a local/user rules file, list the namespace or container images that are
# allowed to contact the K8s API Server from within a container. This
# might cover cases where the K8s infrastructure itself is running
# within a container.
@ -2254,11 +2248,14 @@
condition: >
(container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
gcr.io/google_containers/kube2sky, sysdig/agent, sysdig/falco,
sysdig/sysdig))
sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system"))
- macro: k8s_api_server
condition: (fd.sip.name="kubernetes.default.svc.cluster.local")
- rule: Contact K8S API Server From Container
desc: Detect attempts to contact the K8S API Server from a container
condition: outbound and k8s_api_server and container and not k8s_containers
condition: evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6) and container and not k8s_containers and k8s_api_server
output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag connection=%fd.name)
priority: NOTICE
tags: [network, k8s, container, mitre_discovery]
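Review bot: The new `k8s_api_server` macro in the second hunk matches on `fd.sip.name`, so the rule appears to fire only when the server IP of the connection can be resolved back to `kubernetes.default.svc.cluster.local` from where Falco runs; a client that reaches the API server by a node IP or a non-resolving ClusterIP would not match, and the old `fd.sip`/`fd.sport` form that users were told to override is gone without a replacement hint. A comment above the macro would make the dependency explicit, e.g. `# Matching depends on the server IP resolving to the in-cluster service name; in a local rules file override with fd.sip/fd.sport if that lookup is not available in your environment.` The widened `k8s_containers` condition `or (k8s.ns.name = "kube-system")` exempts every container in that namespace rather than only the listed images, which is worth stating in the comment block of the first hunk; the macro's own `- macro: k8s_containers` header line is outside this hunk. Replacing `outbound` with the inline `evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6)` presumably drops whatever additional filtering the `outbound` macro carried, so if that is intentional a one-line why-comment on the rule would help the next reader.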