rule update: modify rule to detect connection to K8S API Server from a container

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>

rules/falco_rules.yaml

@@ -2240,13 +2240,7 @@
   tags: [network, container, mitre_discovery]
 
 
-# In a local/user rules file, you should override this macro with the
+# In a local/user rules file, list the namespace or container images that are
-# IP address of your k8s api server. The IP 1.2.3.4 is a placeholder
-# IP that is not likely to be seen in practice.
-- macro: k8s_api_server
-  condition: (fd.sip="1.2.3.4" and fd.sport=8080)
-
-# In a local/user rules file, list the container images that are
 # allowed to contact the K8s API Server from within a container. This
 # might cover cases where the K8s infrastructure itself is running
 # within a container.
@@ -2254,11 +2248,14 @@
   condition: >
     (container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
      gcr.io/google_containers/kube2sky, sysdig/agent, sysdig/falco,
-     sysdig/sysdig))
+     sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system"))
+
+- macro: k8s_api_server
+  condition: (fd.sip.name="kubernetes.default.svc.cluster.local")
 
 - rule: Contact K8S API Server From Container
   desc: Detect attempts to contact the K8S API Server from a container
-  condition: outbound and k8s_api_server and container and not k8s_containers
+  condition: evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6) and container and not k8s_containers and k8s_api_server
   output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag connection=%fd.name)
   priority: NOTICE
   tags: [network, k8s, container, mitre_discovery]