update(changelog): added 0.32.0 release notes.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
update(build): updated plugins to latest versions.
2026-03-27 23:22:16 +00:00 · 2022-06-03 10:29:43 +02:00 · 2022-06-01 14:50:38 +02:00 · 2022-06-01 13:35:38 +02:00 · 2022-05-31 18:12:09 +02:00 · 2022-05-30 13:08:40 +02:00
169 changed files with 4288 additions and 5500 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -48,134 +48,6 @@ jobs:
          paths:
            - build-static/release
            - source-static
-  # Build the minimal Falco
-  # This build only contains the Falco engine and the basic input/output.
-  "build/minimal":
-    docker:
-      - image: ubuntu:focal
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build-minimal
-            pushd build-minimal
-            cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build-minimal
-            make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build-minimal
-            make tests
-            popd
-  # Build using ubuntu LTS
-  # This build is dynamic, most dependencies are taken from the OS
-  "build/ubuntu-focal":
-    docker:
-      - image: ubuntu:focal
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake -DBUILD_BPF=On ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
-  # Debug build using ubuntu LTS
-  # This build is dynamic, most dependencies are taken from the OS
-  "build/ubuntu-focal-debug":
-    docker:
-      - image: ubuntu:focal
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_BPF=On ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
-  # Build using Ubuntu Bionic Beaver (18.04)
-  # This build is static, dependencies are bundled in the Falco binary
-  "build/ubuntu-bionic":
-    docker:
-      - image: ubuntu:bionic
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic pkg-config autoconf libtool libelf-dev -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
  # Build using our own builder base image using centos 7
  # This build is static, dependencies are bundled in the Falco binary
  "build/centos7":
@@ -213,28 +85,6 @@ jobs:
      - store_artifacts:
          path: /tmp/packages
          destination: /packages
-  # Debug build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the Falco binary
-  "build/centos7-debug":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-        environment:
-          BUILD_TYPE: "debug"
-    steps:
-      - checkout:
-          path: /source/falco
-      - run:
-          name: Prepare project
-          command: /usr/bin/entrypoint cmake
-      - run:
-          name: Build
-          command: /usr/bin/entrypoint all
-      - run:
-          name: Run unit tests
-          command: /usr/bin/entrypoint tests
-      - run:
-          name: Build packages
-          command: /usr/bin/entrypoint package
  # Execute integration tests based on the build results coming from the "build/centos7" job
  "tests/integration":
    docker:
@@ -594,12 +444,7 @@ workflows:
  build_and_test:
    jobs:
      - "build/musl"
-      - "build/minimal"
-      - "build/ubuntu-focal"
-      - "build/ubuntu-focal-debug"
-      - "build/ubuntu-bionic"
      - "build/centos7"
-      - "build/centos7-debug"
      - "tests/integration":
          requires:
            - "build/centos7"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,170 @@
+name: CI Build
+on:
+  pull_request:
+    branches: [master]
+  push:
+    branches: [master]
+  workflow_dispatch:
+
+jobs:
+  build-minimal:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
+
+      - name: Prepare project
+        run: |
+          mkdir build-minimal
+          pushd build-minimal
+          cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build-minimal
+          make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build-minimal
+          make tests
+          popd
+
+  build-ubuntu-focal:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+
+      - name: Prepare project
+        run: |
+          mkdir build
+          pushd build
+          cmake -DBUILD_BPF=On ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          make tests
+          popd
+
+  build-ubuntu-focal-debug:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+
+      - name: Prepare project
+        run: |
+          mkdir build
+          pushd build
+          cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_BPF=On ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          make tests
+          popd
+
+  build-ubuntu-bionic:
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-$(uname -r) pkg-config autoconf libtool libelf-dev -y
+
+      - name: Prepare project
+        run: |
+          mkdir build
+          pushd build
+          cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          make tests
+          popd
+
+  build-centos7-debug:
+    runs-on: ubuntu-latest
+    container:
+      image: falcosecurity/falco-builder:latest
+      env:
+        BUILD_TYPE: "debug"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          path: falco
+
+      - name: Link falco repo to /source/falco
+        run: |
+          mkdir -p /source
+          ln -s "$GITHUB_WORKSPACE/falco" /source/falco
+  
+      - name: Prepare project
+        run: /usr/bin/entrypoint cmake
+
+      - name: Build
+        run: /usr/bin/entrypoint all
+
+      - name: Run unit tests
+        run: /usr/bin/entrypoint tests
+
+      - name: Build packages
+        run: /usr/bin/entrypoint package
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,90 @@
 # Change Log

+## v0.32.0
+
+Released on 2022-06-03
+
+### Major Changes
+
+
+* new: added new `watch_config_files` config option, to trigger a Falco restart whenever a change is detected in the rules or config files [[#1991](https://github.com/falcosecurity/falco/pull/1991)] - [@FedeDP](https://github.com/FedeDP)
+* new(rules): add rule to detect excessively capable container [[#1963](https://github.com/falcosecurity/falco/pull/1963)] - [@loresuso](https://github.com/loresuso)
+* new(rules): add rules to detect pods sharing host pid and IPC namespaces [[#1951](https://github.com/falcosecurity/falco/pull/1951)] - [@loresuso](https://github.com/loresuso)
+* new(image): add Falco image based on RedHat UBI [[#1943](https://github.com/falcosecurity/falco/pull/1943)] - [@araujof](https://github.com/araujof)
+* new(falco): add --markdown and --list-syscall-events [[#1939](https://github.com/falcosecurity/falco/pull/1939)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+
+### Minor Changes
+
+* update(build): updated plugins to latest versions. [[#2033](https://github.com/falcosecurity/falco/pull/2033)] - [@FedeDP](https://github.com/FedeDP)
+* refactor(userspace/falco): split the currently monolithic falco_init into smaller "actions", managed by the falco application's action manager. [[#1953](https://github.com/falcosecurity/falco/pull/1953)] - [@mstemm](https://github.com/mstemm)
+* rules: out of the box ruleset for OKTA Falco Plugin [[#1955](https://github.com/falcosecurity/falco/pull/1955)] - [@darryk10](https://github.com/darryk10)
+* update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b [[#2031](https://github.com/falcosecurity/falco/pull/2031)] - [@FedeDP](https://github.com/FedeDP)
+* update!: moving out plugins ruleset files [[#1995](https://github.com/falcosecurity/falco/pull/1995)] - [@leogr](https://github.com/leogr)
+* update: added `hostname` as a field in JSON output [[#1989](https://github.com/falcosecurity/falco/pull/1989)] - [@Milkshak3s](https://github.com/Milkshak3s)
+* refactor!: remove K8S audit logs from Falco [[#1952](https://github.com/falcosecurity/falco/pull/1952)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): use supported_operators helper from libsinsp filter parser [[#1975](https://github.com/falcosecurity/falco/pull/1975)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor!: deprecate PSP regression tests and warn for unsafe usage of <NA> in k8s audit filters [[#1976](https://github.com/falcosecurity/falco/pull/1976)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* build(cmake): upgrade catch2 to 2.13.9 [[#1977](https://github.com/falcosecurity/falco/pull/1977)] - [@leogr](https://github.com/leogr)
+* refactor(userspace/engine): reduce memory usage for resolving evttypes [[#1965](https://github.com/falcosecurity/falco/pull/1965)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader [[#1966](https://github.com/falcosecurity/falco/pull/1966)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): decoupling ruleset reading, parsing, and compilation steps [[#1970](https://github.com/falcosecurity/falco/pull/1970)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor: update definitions of falco_common [[#1967](https://github.com/falcosecurity/falco/pull/1967)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: improved Falco engine event processing performance [[#1944](https://github.com/falcosecurity/falco/pull/1944)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* refactor(userspace/engine): use libsinsp filter parser and compiler inside rule loader [[#1947](https://github.com/falcosecurity/falco/pull/1947)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Bug Fixes
+
+* fix(userspace/engine): skip rules with unknown sources that also have exceptions, and skip macros with unknown sources. [[#1920](https://github.com/falcosecurity/falco/pull/1920)] - [@mstemm](https://github.com/mstemm)
+* fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled [[#2019](https://github.com/falcosecurity/falco/pull/2019)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Rule Changes
+
+* rule(Launch Excessively Capable Container): fix typo in description [[#1996](https://github.com/falcosecurity/falco/pull/1996)] - [@mmonitz](https://github.com/mmonitz)
+* rule(macro: known_shell_spawn_cmdlines): add `sh -c /usr/share/lighttpd/create-mime.conf.pl` to macro [[#1996](https://github.com/falcosecurity/falco/pull/1996)] - [@mmonitz](https://github.com/mmonitz)
+* rule(macro net_miner_pool): additional syscall for detection [[#2011](https://github.com/falcosecurity/falco/pull/2011)] - [@beryxz](https://github.com/beryxz)
+* rule(macro truncate_shell_history): include .ash_history [[#1956](https://github.com/falcosecurity/falco/pull/1956)] - [@bdashrad](https://github.com/bdashrad)
+* rule(macro modify_shell_history): include .ash_history [[#1956](https://github.com/falcosecurity/falco/pull/1956)] - [@bdashrad](https://github.com/bdashrad)
+* rule(Detect release_agent File Container Escapes): new rule created to detect an attempt to exploit a container escape using release_agent file [[#1969](https://github.com/falcosecurity/falco/pull/1969)] - [@darryk10](https://github.com/darryk10)
+* rule(k8s: secret): detect `get` attempts for both successful and unsuccessful attempts [[#1949](https://github.com/falcosecurity/falco/pull/1949)] - [@Dentrax](https://github.com/Dentrax)
+* rule(K8s Serviceaccount Created/Deleted): Fixed output for the rules [[#1973](https://github.com/falcosecurity/falco/pull/1973)] - [@darryk10](https://github.com/darryk10)
+* rule(Disallowed K8s User): exclude allowed EKS users [[#1960](https://github.com/falcosecurity/falco/pull/1960)] - [@darryk10](https://github.com/darryk10)
+* rule(Launch Ingress Remote File Copy Tools in Container): Removed use cases not triggering the rule [[#1968](https://github.com/falcosecurity/falco/pull/1968)] - [@darryk10](https://github.com/darryk10)
+* rule(Mount Launched in Privileged Container): added allowlist macro user_known_mount_in_privileged_containers. [[#1930](https://github.com/falcosecurity/falco/pull/1930)] - [@mmoyerfigma](https://github.com/mmoyerfigma)
+* rule(macro user_known_shell_config_modifiers): allow to allowlist shell config modifiers [[#1938](https://github.com/falcosecurity/falco/pull/1938)] - [@claudio-vellage](https://github.com/claudio-vellage)
+
+
+### Non user-facing changes
+
+* new: update plugins [[#2023](https://github.com/falcosecurity/falco/pull/2023)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): updated libs version for Falco 0.32.0 release. [[#2022](https://github.com/falcosecurity/falco/pull/2022)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 [[#2024](https://github.com/falcosecurity/falco/pull/2024)] - [@FedeDP](https://github.com/FedeDP)
+* chore(userspace/falco): do not print error code in process_events.cpp [[#2030](https://github.com/falcosecurity/falco/pull/2030)] - [@alacuku](https://github.com/alacuku)
+* fix(falco-scripts): remove driver versions with `dkms-3.0.3` [[#2027](https://github.com/falcosecurity/falco/pull/2027)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore(userspace/falco): fix punctuation typo in output message when loading plugins [[#2026](https://github.com/falcosecurity/falco/pull/2026)] - [@alacuku](https://github.com/alacuku)
+* refactor(userspace): change falco engine design to properly support multiple sources [[#2017](https://github.com/falcosecurity/falco/pull/2017)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(userspace/falco): improve falco termination [[#2012](https://github.com/falcosecurity/falco/pull/2012)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(userspace/engine): introduce new `check_plugin_requirements` API [[#2009](https://github.com/falcosecurity/falco/pull/2009)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/engine): improve rule loader source checks [[#2010](https://github.com/falcosecurity/falco/pull/2010)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix: split filterchecks per source-idx [[#1999](https://github.com/falcosecurity/falco/pull/1999)] - [@FedeDP](https://github.com/FedeDP)
+* new: port CI builds to github actions [[#2000](https://github.com/falcosecurity/falco/pull/2000)] - [@FedeDP](https://github.com/FedeDP)
+* build(userspace/engine): cleanup unused include dir [[#1987](https://github.com/falcosecurity/falco/pull/1987)] - [@leogr](https://github.com/leogr)
+* rule(Anonymous Request Allowed): exclude {/livez, /readyz} [[#1954](https://github.com/falcosecurity/falco/pull/1954)] - [@sledigabel](https://github.com/sledigabel)
+* chore(falco_scripts): Update `falco-driver-loader` cleaning phase [[#1950](https://github.com/falcosecurity/falco/pull/1950)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(userspace/falco): use new plugin caps API [[#1982](https://github.com/falcosecurity/falco/pull/1982)] - [@FedeDP](https://github.com/FedeDP)
+* build: correct conffiles for DEB packages [[#1980](https://github.com/falcosecurity/falco/pull/1980)] - [@leogr](https://github.com/leogr)
+* Fix exception parsing regressions [[#1985](https://github.com/falcosecurity/falco/pull/1985)] - [@mstemm](https://github.com/mstemm)
+* Add codespell GitHub Action [[#1962](https://github.com/falcosecurity/falco/pull/1962)] - [@invidian](https://github.com/invidian)
+* build: components opt-in mechanism for packages [[#1979](https://github.com/falcosecurity/falco/pull/1979)] - [@leogr](https://github.com/leogr)
+* add gVisor to ADOPTERS.md [[#1974](https://github.com/falcosecurity/falco/pull/1974)] - [@kevinGC](https://github.com/kevinGC)
+* rules: whitelist GCP's container threat detection image [[#1959](https://github.com/falcosecurity/falco/pull/1959)] - [@clmssz](https://github.com/clmssz)
+* Fix some typos [[#1961](https://github.com/falcosecurity/falco/pull/1961)] - [@invidian](https://github.com/invidian)
+* chore(rules): remove leftover [[#1958](https://github.com/falcosecurity/falco/pull/1958)] - [@leogr](https://github.com/leogr)
+* docs: readme update and plugins [[#1940](https://github.com/falcosecurity/falco/pull/1940)] - [@leogr](https://github.com/leogr)
+
+
 ## v0.31.1

 Released on 2022-03-09
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -102,6 +102,11 @@ set(PACKAGE_NAME "falco")
 set(DRIVER_NAME "falco")
 set(DRIVER_DEVICE_NAME "falco")
 set(DRIVERS_REPO "https://download.falco.org/driver")
+
+if(NOT DEFINED FALCO_COMPONENT_NAME)
+    set(FALCO_COMPONENT_NAME "${CMAKE_PROJECT_NAME}")
+endif()
+
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
  set(CMAKE_INSTALL_PREFIX
      /usr
@@ -143,8 +148,8 @@ if(NOT MINIMAL_BUILD)
  # libcurl
  include(curl)

-  # civetweb
-  include(civetweb)
+  # cpp-httlib
+  include(cpp-httplib)
 endif()

 include(cxxopts)
@@ -164,7 +169,7 @@ if(NOT MINIMAL_BUILD)
 endif()

 # Installation
-install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")
+install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")

 if(NOT MINIMAL_BUILD)
  # Coverage
--- a/cmake/cpack/debian/conffiles
+++ b/cmake/cpack/debian/conffiles
@@ -1,4 +1,3 @@
 /etc/falco/falco.yaml
-/etc/falco/falco_rules.yaml
 /etc/falco/rules.available/application_rules.yaml
 /etc/falco/falco_rules.local.yaml
--- a/cmake/modules/CPackConfig.cmake
+++ b/cmake/modules/CPackConfig.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -25,6 +25,17 @@ set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptio
 set(CPACK_STRIP_FILES "ON")
 set(CPACK_PACKAGE_RELOCATABLE "OFF")

+# Built packages will include only the following components
+set(CPACK_INSTALL_CMAKE_PROJECTS
+  "${CMAKE_CURRENT_BINARY_DIR};${FALCO_COMPONENT_NAME};${FALCO_COMPONENT_NAME};/"
+  "${CMAKE_CURRENT_BINARY_DIR};${DRIVER_COMPONENT_NAME};${DRIVER_COMPONENT_NAME};/"
+)
+if(NOT MUSL_OPTIMIZED_BUILD) # static builds do not have plugins
+  list(APPEND CPACK_INSTALL_CMAKE_PROJECTS
+    "${CMAKE_CURRENT_BINARY_DIR};${PLUGINS_COMPONENT_NAME};${PLUGINS_COMPONENT_NAME};/"
+  )
+endif()
+
 if(NOT CPACK_GENERATOR)
    set(CPACK_GENERATOR DEB RPM TGZ)
 endif()
--- a/cmake/modules/civetweb.cmake
+++ b/cmake/modules/civetweb.cmake
@@ -1,53 +0,0 @@
-#
-# Copyright (C) 2021 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
-set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
-SET(CIVETWEB_CPP_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb-cpp.a")
-set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
-message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
-if (USE_BUNDLED_OPENSSL)
-    ExternalProject_Add(
-            civetweb
-            DEPENDS openssl
-            URL "https://github.com/civetweb/civetweb/archive/v1.15.tar.gz"
-            URL_HASH "SHA256=90a533422944ab327a4fbb9969f0845d0dba05354f9cacce3a5005fa59f593b9"
-            INSTALL_DIR ${CIVETWEB_SRC}/install
-            CMAKE_ARGS
-            -DBUILD_TESTING=off
-            -DCMAKE_INSTALL_LIBDIR=lib
-            -DCIVETWEB_BUILD_TESTING=off
-            -DCIVETWEB_ENABLE_CXX=on
-            -DCIVETWEB_ENABLE_SERVER_EXECUTABLE=off
-            -DCIVETWEB_ENABLE_SSL_DYNAMIC_LOADING=off
-            -DCIVETWEB_SERVE_NO_FILES=on
-            -DCMAKE_INSTALL_PREFIX=${CIVETWEB_SRC}/install
-            -DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR}
-            -DOPENSSL_USE_STATIC_LIBS:BOOL=TRUE
-            BUILD_BYPRODUCTS ${CIVETWEB_LIB} ${CIVETWEB_CPP_LIB})
-else()
-    ExternalProject_Add(
-            civetweb
-            URL "https://github.com/civetweb/civetweb/archive/v1.15.tar.gz"
-            URL_HASH "SHA256=90a533422944ab327a4fbb9969f0845d0dba05354f9cacce3a5005fa59f593b9"
-            INSTALL_DIR ${CIVETWEB_SRC}/install
-            CMAKE_ARGS
-            -DBUILD_TESTING=off
-            -DCIVETWEB_BUILD_TESTING=off
-            -DCIVETWEB_ENABLE_CXX=on
-            -DCIVETWEB_ENABLE_SERVER_EXECUTABLE=off
-            -DCIVETWEB_ENABLE_SSL_DYNAMIC_LOADING=off
-            -DCIVETWEB_SERVE_NO_FILES=on
-            -DCMAKE_INSTALL_PREFIX=${CIVETWEB_SRC}/install
-            BUILD_BYPRODUCTS ${CIVETWEB_LIB} ${CIVETWEB_CPP_LIB})
-endif()
--- a/cmake/modules/cpp-httplib.cmake
+++ b/cmake/modules/cpp-httplib.cmake
@@ -0,0 +1,32 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+#
+# cpp-httplib (https://github.com/yhirose/cpp-httplib)
+#
+if(CPPHTTPLIB_INCLUDE)
+	# we already have cpp-httplib
+else()
+	set(CPPHTTPLIB_SRC "${PROJECT_BINARY_DIR}/cpp-httplib-prefix/src/cpp-httplib")
+	set(CPPHTTPLIB_INCLUDE "${CPPHTTPLIB_SRC}")
+
+	message(STATUS "Using bundled cpp-httplib in '${CPPHTTPLIB_SRC}'")
+
+	ExternalProject_Add(cpp-httplib
+		PREFIX "${PROJECT_BINARY_DIR}/cpp-httplib-prefix"
+		URL "https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.10.4.tar.gz"
+		URL_HASH "SHA256=7719ff9f309c807dd8a574048764836b6a12bcb7d6ae9e129e7e4289cfdb4bd4"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND "")	
+endif()
--- a/cmake/modules/falcosecurity-libs.cmake
+++ b/cmake/modules/falcosecurity-libs.cmake
@@ -24,8 +24,8 @@ else()
  # default below In case you want to test against another falcosecurity/libs version just pass the variable - ie., `cmake
  # -DFALCOSECURITY_LIBS_VERSION=dev ..`
  if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "b19f87e8aee663e4987a3db54570725e071ed105")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=fd5888588796bf52848cf75434784770e61d9a79f344bf571fe495b61e92ddd3")
+    set(FALCOSECURITY_LIBS_VERSION "39ae7d40496793cf3d3e7890c9bbdc202263836b")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=b9034baeff4518b044574956f5768fac080c269bacad4a1e17a7f6fdb872ce66")
  endif()

  # cd /path/to/build && cmake /path/to/source
@@ -41,6 +41,8 @@ else()
  set(FALCOSECURITY_LIBS_SOURCE_DIR "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}/falcosecurity-libs-prefix/src/falcosecurity-libs")
 endif()

+set(LIBS_PACKAGE_NAME "falcosecurity")
+
 add_definitions(-D_GNU_SOURCE)
 add_definitions(-DHAS_CAPTURE)
 if(MUSL_OPTIMIZED_BUILD)
@@ -50,6 +52,7 @@ endif()
 set(DRIVER_VERSION "${FALCOSECURITY_LIBS_VERSION}")
 set(DRIVER_NAME "falco")
 set(DRIVER_PACKAGE_NAME "falco")
+set(DRIVER_COMPONENT_NAME "falco-driver")
 set(SCAP_BPF_PROBE_ENV_VAR_NAME "FALCO_BPF_PROBE")
 set(SCAP_HOST_ROOT_ENV_VAR_NAME "HOST_ROOT")

--- a/cmake/modules/plugins.cmake
+++ b/cmake/modules/plugins.cmake
@@ -15,26 +15,77 @@ include(ExternalProject)

 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)

-# todo(jasondellaluce): switch this to a stable version once this plugin gets
-# released with a 1.0.0 required plugin api version
+if(NOT DEFINED PLUGINS_COMPONENT_NAME)
+    set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins")
+endif()
+
+set(PLUGIN_K8S_AUDIT_VERSION "0.2.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_K8S_AUDIT_HASH "8e61952eefae9e3f8906336a11c9cc3919c7fed7efa24132426b3a789f5e60d8")
+else() # aarch64
+    set(PLUGIN_K8S_AUDIT_HASH "24631e21cf5626b15fe16045068200ee9924ea64c009d9d51f5a28035ec0730d")
+endif()
+
+ExternalProject_Add(
+  k8saudit-plugin
+  URL "https://download.falco.org/plugins/stable/k8saudit-${PLUGIN_K8S_AUDIT_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_K8S_AUDIT_HASH}"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+ExternalProject_Add(
+  k8saudit-rules
+  URL "https://download.falco.org/plugins/stable/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
+  URL_HASH "SHA256=301183e8aab6964cf2b2f5946225f571d176e68093026ec45d17249b78b7021e"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+set(PLUGIN_CLOUDTRAIL_VERSION "0.4.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_CLOUDTRAIL_HASH "e7327046c49097b01a6b7abbf18e31584c1ef62e6ba9bf14ead0badccde9a87c")
+else() # aarch64
+    set(PLUGIN_CLOUDTRAIL_HASH "6a0dff848179e397f25ee7e6455cb108a6ec5811acaac42d718e49e0dcdd9722")
+endif()
+
 ExternalProject_Add(
  cloudtrail-plugin
-  URL "https://download.falco.org/plugins/dev/cloudtrail-0.2.5-0.2.5-8%2B2c1bb25-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=eeefbeb639e41e37cd864042d8b4854e0af451e6b8b34a14c39332771e94ee5b"
+  URL "https://download.falco.org/plugins/stable/cloudtrail-${PLUGIN_CLOUDTRAIL_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_CLOUDTRAIL_HASH}"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND "")

-install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so" DESTINATION "${FALCO_PLUGINS_DIR}")
+install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+ExternalProject_Add(
+  cloudtrail-rules
+  URL "https://download.falco.org/plugins/stable/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
+  URL_HASH "SHA256=1ed9a72a2bc8cdf7c024cc5e383672eea2d2ebd8ffa78fa2117284bc65e99849"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+  install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+set(PLUGIN_JSON_VERSION "0.4.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_JSON_HASH "f6acc12e695f9a05602dc941c64ca7749604be72a4e24cb179133e3513c5fac6")
+else() # aarch64
+    set(PLUGIN_JSON_HASH "da96a4ca158d0ea7a030d2b7c2a13d018e96a9e3f7fea2c399f85fd2bdd0827a")
+endif()

-# todo(jasondellaluce): switch this to a stable version once this plugin gets
-# released with a 1.0.0 required plugin api version
 ExternalProject_Add(
  json-plugin
-  URL "https://download.falco.org/plugins/dev/json-0.2.2-0.2.2-24%2B2c1bb25-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=181ac01d11defee24ad5947fcd836e256e13c61ca9475253fb82b60297164748"
+  URL "https://download.falco.org/plugins/stable/json-${PLUGIN_JSON_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_JSON_HASH}"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND "")

-install(FILES "${PROJECT_BINARY_DIR}/json-plugin-prefix/src/json-plugin/libjson.so" DESTINATION "${FALCO_PLUGINS_DIR}")
+install(FILES "${PROJECT_BINARY_DIR}/json-plugin-prefix/src/json-plugin/libjson.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
--- a/falco.yaml
+++ b/falco.yaml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -30,10 +30,8 @@
 rules_file:
  - /etc/falco/falco_rules.yaml
  - /etc/falco/falco_rules.local.yaml
-  - /etc/falco/k8s_audit_rules.yaml
  - /etc/falco/rules.d

-
 #
 # Plugins that are available for use. These plugins are not loaded by
 # default, as they require explicit configuration to point to
@@ -44,6 +42,13 @@ rules_file:
 # init_config/open_params for the cloudtrail plugin, see the README at
 # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md.
 plugins:
+  - name: k8saudit
+    library_path: libk8saudit.so
+    init_config:
+      ""
+      # maxEventBytes: 1048576
+      # sslCertificate: /etc/falco/falco.pem
+    open_params: "http://:9765/k8s-audit"
  - name: cloudtrail
    library_path: libcloudtrail.so
    init_config: ""
@@ -59,6 +64,11 @@ plugins:
 # load_plugins: [cloudtrail, json]
 load_plugins: []

+# Watch config file and rules files for modification.
+# When a file is modified, Falco will propagate new config,
+# by reloading itself.
+watch_config_files: true
+
 # If true, the times displayed in log messages and output messages
 # will be in ISO 8601. By default, times are displayed in the local
 # time zone, as governed by /etc/localtime.
@@ -218,7 +228,6 @@ stdout_output:
 webserver:
  enabled: true
  listen_port: 8765
-  k8s_audit_endpoint: /k8s-audit
  k8s_healthz_endpoint: /healthz
  ssl_enabled: false
  ssl_certificate: /etc/falco/falco.pem
--- a/rules/CMakeLists.txt
+++ b/rules/CMakeLists.txt
@@ -22,11 +22,10 @@ if(NOT DEFINED FALCO_RULES_DEST_FILENAME)
  set(FALCO_RULES_DEST_FILENAME "falco_rules.yaml")
  set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
  set(FALCO_APP_RULES_DEST_FILENAME "application_rules.yaml")
-  set(FALCO_K8S_AUDIT_RULES_DEST_FILENAME "k8s_audit_rules.yaml")
-  set(FALCO_AWS_CLOUDTRAIL_RULES_DEST_FILENAME "aws_cloudtrail_rules.yaml")
 endif()

-if(DEFINED FALCO_COMPONENT)
+
+if(DEFINED FALCO_COMPONENT) # Allow a slim version of Falco to be embedded in other projects, intentionally *not* installing all rulesets.
  install(
    FILES falco_rules.yaml
    COMPONENT "${FALCO_COMPONENT}"
@@ -38,32 +37,24 @@ if(DEFINED FALCO_COMPONENT)
    COMPONENT "${FALCO_COMPONENT}"
    DESTINATION "${FALCO_ETC_DIR}"
    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
-# Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
-else()
+else() # Default Falco installation
  install(
    FILES falco_rules.yaml
    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_RULES_DEST_FILENAME}")
+    RENAME "${FALCO_RULES_DEST_FILENAME}"
+    COMPONENT "${FALCO_COMPONENT_NAME}")

  install(
    FILES falco_rules.local.yaml
    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
-
-  install(
-    FILES k8s_audit_rules.yaml
-    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_K8S_AUDIT_RULES_DEST_FILENAME}")
+    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}"
+    COMPONENT "${FALCO_COMPONENT_NAME}")

  install(
    FILES application_rules.yaml
    DESTINATION "${FALCO_ETC_DIR}/rules.available"
-    RENAME "${FALCO_APP_RULES_DEST_FILENAME}")
+    RENAME "${FALCO_APP_RULES_DEST_FILENAME}"
+    COMPONENT "${FALCO_COMPONENT_NAME}")

-  install(
-    FILES aws_cloudtrail_rules.yaml
-    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_AWS_CLOUDTRAIL_RULES_DEST_FILENAME}")
-
-  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d")
+  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d" COMPONENT "${FALCO_COMPONENT_NAME}")
 endif()
--- a/rules/aws_cloudtrail_rules.yaml
+++ b/rules/aws_cloudtrail_rules.yaml
@@ -1,442 +0,0 @@
-#
-# Copyright (C) 2022 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# All rules files related to plugins should require engine version 10
- required_engine_version: 10
-
-# These rules can be read by cloudtrail plugin version 0.1.0, or
-# anything semver-compatible.
- required_plugin_versions:
-  - name: cloudtrail
-    version: 0.2.3
-  - name: json
-    version: 0.2.2
-
-# Note that this rule is disabled by default. It's useful only to
-# verify that the cloudtrail plugin is sending events properly.  The
-# very broad condition evt.num > 0 only works because the rule source
-# is limited to aws_cloudtrail. This ensures that the only events that
-# are matched against the rule are from the cloudtrail plugin (or
-# a different plugin with the same source).
- rule: All Cloudtrail Events
-  desc: Match all cloudtrail events.
-  condition:
-    evt.num > 0
-  output: Some Cloudtrail Event (evtnum=%evt.num info=%evt.plugininfo ts=%evt.time.iso8601 id=%ct.id error=%ct.error)
-  priority: DEBUG
-  tags:
-  - cloud
-  - aws
-  source: aws_cloudtrail
-  enabled: false
-
- rule: Console Login Through Assume Role
-  desc: Detect a console login through Assume Role.
-  condition:
-    ct.name="ConsoleLogin" and not ct.error exists
-    and ct.user.identitytype="AssumedRole"
-    and json.value[/responseElements/ConsoleLogin]="Success"
-  output:
-    Detected a console login through Assume Role
-    (principal=%ct.user.principalid,
-    assumedRole=%ct.user.arn,
-    requesting IP=%ct.srcip,
-    AWS region=%ct.region)
-  priority: WARNING
-  tags:
-  - cloud
-  - aws
-  - aws_console
-  - aws_iam
-  source: aws_cloudtrail
-
- rule: Console Login Without MFA
-  desc: Detect a console login without MFA.
-  condition:
-    ct.name="ConsoleLogin" and not ct.error exists
-    and ct.user.identitytype!="AssumedRole"
-    and json.value[/responseElements/ConsoleLogin]="Success"
-    and json.value[/additionalEventData/MFAUsed]="No"
-  output:
-    Detected a console login without MFA
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_console
-    - aws_iam
-  source: aws_cloudtrail
-
- rule: Console Root Login Without MFA
-  desc: Detect root console login without MFA.
-  condition:
-    ct.name="ConsoleLogin" and not ct.error exists
-    and json.value[/additionalEventData/MFAUsed]="No"
-    and ct.user.identitytype!="AssumedRole"
-    and json.value[/responseElements/ConsoleLogin]="Success"
-    and ct.user.identitytype="Root"
-  output:
-    Detected a root console login without MFA.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_console
-    - aws_iam
-  source: aws_cloudtrail
-
- rule: Deactivate MFA for Root User
-  desc: Detect deactivating MFA configuration for root.
-  condition:
-    ct.name="DeactivateMFADevice" and not ct.error exists
-    and ct.user.identitytype="Root"
-    and ct.request.username="AWS ROOT USER"
-  output:
-    Multi Factor Authentication configuration has been disabled for root
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     MFA serial number=%ct.request.serialnumber)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_iam
-  source: aws_cloudtrail
-
- rule: Create AWS user
-  desc: Detect creation of a new AWS user.
-  condition:
-    ct.name="CreateUser" and not ct.error exists
-  output:
-    A new AWS user has been created
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     new user created=%ct.request.username)
-  priority: INFO
-  tags:
-    - cloud
-    - aws
-    - aws_iam
-  source: aws_cloudtrail
-
- rule: Create Group
-  desc: Detect creation of a new user group.
-  condition:
-    ct.name="CreateGroup" and not ct.error exists
-  output:
-    A new user group has been created.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     group name=%ct.request.groupname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_iam
-  source: aws_cloudtrail
-
- rule: Delete Group
-  desc: Detect deletion of a user group.
-  condition:
-    ct.name="DeleteGroup" and not ct.error exists
-  output:
-    A user group has been deleted.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     group name=%ct.request.groupname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_iam
-  source: aws_cloudtrail
-
- rule: ECS Service Created
-  desc: Detect a new service is created in ECS.
-  condition:
-    ct.src="ecs.amazonaws.com" and
-    ct.name="CreateService" and
-    not ct.error exists
-  output:
-    A new service has been created in ECS
-    (requesting user=%ct.user,
-    requesting IP=%ct.srcip,
-    AWS region=%ct.region,
-    cluster=%ct.request.cluster,
-    service name=%ct.request.servicename,
-    task definition=%ct.request.taskdefinition)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_ecs
-    - aws_fargate
-  source: aws_cloudtrail
-
- rule: ECS Task Run or Started
-  desc: Detect a new task is started in ECS.
-  condition:
-    ct.src="ecs.amazonaws.com" and
-    (ct.name="RunTask" or ct.name="StartTask") and
-    not ct.error exists
-  output:
-    A new task has been started in ECS
-    (requesting user=%ct.user,
-    requesting IP=%ct.srcip,
-    AWS region=%ct.region,
-    cluster=%ct.request.cluster,
-    task definition=%ct.request.taskdefinition)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_ecs
-    - aws_fargate
-  source: aws_cloudtrail
-
- rule: Create Lambda Function
-  desc: Detect creation of a Lambda function.
-  condition:
-    ct.name="CreateFunction20150331" and not ct.error exists
-  output:
-    Lambda function has been created.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     lambda function=%ct.request.functionname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_lambda
-  source: aws_cloudtrail
-
- rule: Update Lambda Function Code
-  desc: Detect updates to a Lambda function code.
-  condition:
-    ct.name="UpdateFunctionCode20150331v2" and not ct.error exists
-  output:
-    The code of a Lambda function has been updated.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     lambda function=%ct.request.functionname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_lambda
-  source: aws_cloudtrail
-
- rule: Update Lambda Function Configuration
-  desc: Detect updates to a Lambda function configuration.
-  condition:
-    ct.name="UpdateFunctionConfiguration20150331v2" and not ct.error exists
-  output:
-    The configuration of a Lambda function has been updated.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     lambda function=%ct.request.functionname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_lambda
-  source: aws_cloudtrail
-
- rule: Run Instances
-  desc: Detect launching of a specified number of instances.
-  condition:
-    ct.name="RunInstances" and not ct.error exists
-  output:
-    A number of instances have been launched.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     availability zone=%ct.request.availabilityzone,
-     subnet id=%ct.response.subnetid,
-     reservation id=%ct.response.reservationid)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_ec2
-  source: aws_cloudtrail
-
-# Only instances launched on regions in this list are approved.
- list: approved_regions
-  items:
-    - us-east-0
-
- rule: Run Instances in Non-approved Region
-  desc: Detect launching of a specified number of instances in a non-approved region.
-  condition:
-    ct.name="RunInstances" and not ct.error exists and
-    not ct.region in (approved_regions)
-  output:
-    A number of instances have been launched in a non-approved region.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     availability zone=%ct.request.availabilityzone,
-     subnet id=%ct.response.subnetid,
-     reservation id=%ct.response.reservationid,
-     image id=%json.value[/responseElements/instancesSet/items/0/instanceId])
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_ec2
-  source: aws_cloudtrail
-
- rule: Delete Bucket Encryption
-  desc: Detect deleting configuration to use encryption for bucket storage.
-  condition:
-    ct.name="DeleteBucketEncryption" and not ct.error exists
-  output:
-    A encryption configuration for a bucket has been deleted
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     bucket=%s3.bucket)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
- rule: Delete Bucket Public Access Block
-  desc: Detect deleting blocking public access to bucket.
-  condition:
-    ct.name="PutBucketPublicAccessBlock" and not ct.error exists and
-    json.value[/requestParameters/publicAccessBlock]="" and
-      (json.value[/requestParameters/PublicAccessBlockConfiguration/RestrictPublicBuckets]=false or
-      json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicPolicy]=false or
-      json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicAcls]=false or
-      json.value[/requestParameters/PublicAccessBlockConfiguration/IgnorePublicAcls]=false)
-  output:
-    A public access block for a bucket has been deleted
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     bucket=%s3.bucket)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
- rule: List Buckets
-  desc: Detect listing of all S3 buckets.
-  condition:
-    ct.name="ListBuckets" and not ct.error exists
-  output:
-    A list of all S3 buckets has been requested.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     host=%ct.request.host)
-  priority: WARNING
-  enabled: false
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
- rule: Put Bucket ACL
-  desc: Detect setting the permissions on an existing bucket using access control lists.
-  condition:
-    ct.name="PutBucketAcl" and not ct.error exists
-  output:
-    The permissions on an existing bucket have been set using access control lists.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     bucket name=%s3.bucket)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
- rule: Put Bucket Policy
-  desc: Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket.
-  condition:
-    ct.name="PutBucketPolicy" and not ct.error exists
-  output:
-    An Amazon S3 bucket policy has been applied to an Amazon S3 bucket.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     bucket name=%s3.bucket,
-     policy=%ct.request.policy)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
- rule: CloudTrail Trail Created
-  desc: Detect creation of a new trail.
-  condition:
-    ct.name="CreateTrail" and not ct.error exists
-  output:
-    A new trail has been created.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     trail name=%ct.request.name)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_cloudtrail
-  source: aws_cloudtrail
-
- rule: CloudTrail Logging Disabled
-  desc: The CloudTrail logging has been disabled, this could be potentially malicious.
-  condition:
-    ct.name="StopLogging" and not ct.error exists
-  output:
-    The CloudTrail logging has been disabled.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     resource name=%ct.request.name)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_cloudtrail
-  source: aws_cloudtrail
-
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1815,7 +1815,7 @@
          registry.access.redhat.com/sematext/agent,
          registry.access.redhat.com/sematext/logagent]

-# These container images are allowed to run with --privileged
+# These container images are allowed to run with --privileged and full set of capabilities
 - list: falco_privileged_images
  items: [
    docker.io/calico/node,
@@ -1903,6 +1903,31 @@
  priority: INFO
  tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]

+# These capabilities were used in the past to escape from containers
+- macro: excessively_capable_container
+  condition: >
+    (thread.cap_permitted contains CAP_SYS_ADMIN
+    or thread.cap_permitted contains CAP_SYS_MODULE
+    or thread.cap_permitted contains CAP_SYS_RAWIO
+    or thread.cap_permitted contains CAP_SYS_PTRACE
+    or thread.cap_permitted contains CAP_SYS_BOOT
+    or thread.cap_permitted contains CAP_SYSLOG
+    or thread.cap_permitted contains CAP_DAC_READ_SEARCH
+    or thread.cap_permitted contains CAP_NET_ADMIN
+    or thread.cap_permitted contains CAP_BPF)
+
+- rule: Launch Excessively Capable Container
+  desc: Detect container started with a powerful set of capabilities. Exceptions are made for known trusted images.
+  condition: >
+    container_started and container
+    and excessively_capable_container
+    and not falco_privileged_containers
+    and not user_privileged_containers
+  output: Excessively capable container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag cap_permitted=%thread.cap_permitted)
+  priority: INFO
+  tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
+
+
 # For now, only considering a full mount of /etc as
 # sensitive. Ideally, this would also consider all subdirectories
 # below /etc as well, but the globbing mechanism
@@ -2039,7 +2064,8 @@
    '"sh -c  -t -i"',
    '"sh -c openssl version"',
    '"bash -c id -Gn kafadmin"',
-    '"sh -c /bin/sh -c ''date +%%s''"'
+    '"sh -c /bin/sh -c ''date +%%s''"',
+    '"sh -c /usr/share/lighttpd/create-mime.conf.pl"'
    ]

 # This list allows for easy additions to the set of commands allowed
@@ -2569,26 +2595,28 @@
    WARNING
  tags: [process, mitre_persistence]

+# here `ash_history` will match both `bash_history` and `ash_history`
 - macro: modify_shell_history
  condition: >
    (modify and (
-      evt.arg.name contains "bash_history" or
+      evt.arg.name endswith "ash_history" or
      evt.arg.name endswith "zsh_history" or
      evt.arg.name contains "fish_read_history" or
      evt.arg.name endswith "fish_history" or
-      evt.arg.oldpath contains "bash_history" or
+      evt.arg.oldpath endswith "ash_history" or
      evt.arg.oldpath endswith "zsh_history" or
      evt.arg.oldpath contains "fish_read_history" or
      evt.arg.oldpath endswith "fish_history" or
-      evt.arg.path contains "bash_history" or
+      evt.arg.path endswith "ash_history" or
      evt.arg.path endswith "zsh_history" or
      evt.arg.path contains "fish_read_history" or
      evt.arg.path endswith "fish_history"))

+# here `ash_history` will match both `bash_history` and `ash_history`
 - macro: truncate_shell_history
  condition: >
    (open_write and (
-      fd.name contains "bash_history" or
+      fd.name endswith "ash_history" or
      fd.name endswith "zsh_history" or
      fd.name contains "fish_read_history" or
      fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
@@ -2811,7 +2839,7 @@
  condition: (fd.sport in (miner_ports) and fd.sip.name in (miner_domains))

 - macro: net_miner_pool
-  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
+  condition: (evt.type in (sendto, sendmsg, connect) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))

 - macro: trusted_images_query_miner_domain_dns
  condition: (container.image.repository in (docker.io/falcosecurity/falco, falcosecurity/falco, public.ecr.aws/falcosecurity/falco))
@@ -3140,6 +3168,16 @@
  priority: CRITICAL
  tags: [process, mitre_privilege_escalation]

+
+- rule: Detect release_agent File Container Escapes
+  desc: "This rule detect an attempt to exploit a container escape using release_agent file. By running a container with certains capabilities, a privileged user can modify release_agent file and escape from the container"
+  condition:
+    open_write and container and fd.name endswith release_agent and (user.uid=0 or thread.cap_effective contains CAP_DAC_OVERRIDE) and thread.cap_effective contains CAP_SYS_ADMIN
+  output:
+    "Detect an attempt to exploit a container escape using release_agent file (user=%user.name user_loginuid=%user.loginuid filename=%fd.name %container.info image=%container.image.repository:%container.image.tag cap_effective=%thread.cap_effective)"
+  priority: CRITICAL
+  tags: [container, mitre_privilege_escalation, mitre_lateral_movement]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -1,704 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
- required_engine_version: 2
-
-# Like always_true/always_false, but works with k8s audit events
- macro: k8s_audit_always_true
-  condition: (jevt.rawtime exists)
-
- macro: k8s_audit_never_true
-  condition: (jevt.rawtime=0)
-
-# Generally only consider audit events once the response has completed
- list: k8s_audit_stages
-  items: ["ResponseComplete"]
-
-# Generally exclude users starting with "system:"
- macro: non_system_user
-  condition: (not ka.user.name startswith "system:")
-
-# This macro selects the set of Audit Events used by the below rules.
- macro: kevt
-  condition: (jevt.value[/stage] in (k8s_audit_stages))
-
- macro: kevt_started
-  condition: (jevt.value[/stage]=ResponseStarted)
-
-# If you wish to restrict activity to a specific set of users, override/append to this list.
-# users created by kops are included
- list: vertical_pod_autoscaler_users
-  items: ["vpa-recommender", "vpa-updater"]
-
- list: allowed_k8s_users
-  items: [
-    "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
-    "kubernetes-admin",
-    vertical_pod_autoscaler_users,
-    cluster-autoscaler,
-    "system:addon-manager",
-    "cloud-controller-manager",
-    "system:kube-controller-manager"
-    ]
-
- list: eks_allowed_k8s_users
-  items: [
-    "eks:node-manager",
-    "eks:certificate-controller",
-    "eks:fargate-scheduler",
-    "eks:k8s-metrics",
-    "eks:authenticator",
-    "eks:cluster-event-watcher",
-    "eks:nodewatcher",
-    "eks:pod-identity-mutating-webhook"
-    ]
-
- rule: Disallowed K8s User
-  desc: Detect any k8s operation by users outside of an allowed set of users.
-  condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users)
-  output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# In a local/user rules file, you could override this macro to
-# explicitly enumerate the container images that you want to run in
-# your environment. In this main falco rules file, there isn't any way
-# to know all the containers that can run, so any container is
-# allowed, by using the always_true macro. In the overridden macro, the condition
-# would look something like (ka.req.pod.containers.image.repository in (my-repo/my-image))
- macro: allowed_k8s_containers
-  condition: (k8s_audit_always_true)
-
- macro: response_successful
-  condition: (ka.response.code startswith 2)
-
- macro: kcreate
-  condition: ka.verb=create
-
- macro: kmodify
-  condition: (ka.verb in (create,update,patch))
-
- macro: kdelete
-  condition: ka.verb=delete
-
- macro: pod
-  condition: ka.target.resource=pods and not ka.target.subresource exists
-
- macro: pod_subresource
-  condition: ka.target.resource=pods and ka.target.subresource exists
-
- macro: deployment
-  condition: ka.target.resource=deployments
-
- macro: service
-  condition: ka.target.resource=services
-
- macro: configmap
-  condition: ka.target.resource=configmaps
-
- macro: namespace
-  condition: ka.target.resource=namespaces
-
- macro: serviceaccount
-  condition: ka.target.resource=serviceaccounts
-
- macro: clusterrole
-  condition: ka.target.resource=clusterroles
-
- macro: clusterrolebinding
-  condition: ka.target.resource=clusterrolebindings
-
- macro: role
-  condition: ka.target.resource=roles
-
- macro: secret
-  condition: ka.target.resource=secrets
-
- macro: health_endpoint
-  condition: ka.uri=/healthz
-
- rule: Create Disallowed Pod
-  desc: >
-    Detect an attempt to start a pod with a container image outside of a list of allowed images.
-  condition: kevt and pod and kcreate and not allowed_k8s_containers
-  output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
- rule: Create Privileged Pod
-  desc: >
-    Detect an attempt to start a pod with a privileged container
-  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
-  output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
- macro: sensitive_vol_mount
-  condition: >
-    (ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root, /var/run/crio/crio.sock, /home/admin, /var/lib/kubelet, /var/lib/kubelet/pki, /etc/kubernetes, /etc/kubernetes/manifests))
-
- rule: Create Sensitive Mount Pod
-  desc: >
-    Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
-    Exceptions are made for known trusted images.
-  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
-  output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# These container images are allowed to run with hostnetwork=true
- list: falco_hostnetwork_images
-  items: [
-    gcr.io/google-containers/prometheus-to-sd,
-    gcr.io/projectcalico-org/typha,
-    gcr.io/projectcalico-org/node,
-    gke.gcr.io/gke-metadata-server,
-    gke.gcr.io/kube-proxy,
-    gke.gcr.io/netd-amd64,
-    k8s.gcr.io/ip-masq-agent-amd64
-    k8s.gcr.io/prometheus-to-sd,
-    ]
-
-# Corresponds to K8s CIS Benchmark 1.7.4
- rule: Create HostNetwork Pod
-  desc: Detect an attempt to start a pod using the host network.
-  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
-  output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
- list: falco_hostpid_images
-  items: []
-
- rule: Create HostPid Pod
-  desc: Detect an attempt to start a pod using the host pid namespace.
-  condition: kevt and pod and kcreate and ka.req.pod.host_pid intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostpid_images)
-  output: Pod started using host pid namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
- list: falco_hostipc_images
-  items: []
-
- rule: Create HostIPC Pod
-  desc: Detect an attempt to start a pod using the host ipc namespace.
-  condition: kevt and pod and kcreate and ka.req.pod.host_ipc intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostipc_images)
-  output: Pod started using host ipc namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
- macro: user_known_node_port_service
-  condition: (k8s_audit_never_true)
-
- rule: Create NodePort Service
-  desc: >
-    Detect an attempt to start a service with a NodePort service type
-  condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
-  output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
- macro: contains_private_credentials
-  condition: >
-    (ka.req.configmap.obj contains "aws_access_key_id" or
-     ka.req.configmap.obj contains "aws-access-key-id" or
-     ka.req.configmap.obj contains "aws_s3_access_key_id" or
-     ka.req.configmap.obj contains "aws-s3-access-key-id" or
-     ka.req.configmap.obj contains "password" or
-     ka.req.configmap.obj contains "passphrase")
-
- rule: Create/Modify Configmap With Private Credentials
-  desc: >
-     Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
-  condition: kevt and configmap and kmodify and contains_private_credentials
-  output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Corresponds to K8s CIS Benchmark, 1.1.1.
- rule: Anonymous Request Allowed
-  desc: >
-    Detect any request made by the anonymous user that was allowed
-  condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
-  output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Roughly corresponds to K8s CIS Benchmark, 1.1.12. In this case,
-# notifies an attempt to exec/attach to a privileged container.
-
-# Ideally, we'd add a more stringent rule that detects attaches/execs
-# to a privileged pod, but that requires the engine for k8s audit
-# events to be stateful, so it could know if a container named in an
-# attach request was created privileged or not. For now, we have a
-# less severe rule that detects attaches/execs to any pod.
-#
-# For the same reason, you can't use things like image names/prefixes,
-# as the event that creates the pod (which has the images) is a
-# separate event than the actual exec/attach to the pod.
-
- macro: user_known_exec_pod_activities
-  condition: (k8s_audit_never_true)
-
- rule: Attach/Exec Pod
-  desc: >
-    Detect any attempt to attach/exec to a pod
-  condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
-  output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
-  priority: NOTICE
-  source: k8s_audit
-  tags: [k8s]
-
- macro: user_known_pod_debug_activities
-  condition: (k8s_audit_never_true)
-
-# Only works when feature gate EphemeralContainers is enabled
- rule: EphemeralContainers Created
-  desc: >
-    Detect any ephemeral container created
-  condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
-  output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
-  priority: NOTICE
-  source: k8s_audit
-  tags: [k8s]
-
-# In a local/user rules fie, you can append to this list to add additional allowed namespaces
- list: allowed_namespaces
-  items: [kube-system, kube-public, default]
-
- rule: Create Disallowed Namespace
-  desc: Detect any attempt to create a namespace outside of a set of known namespaces
-  condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces)
-  output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Only defined for backwards compatibility. Use the more specific
-# user_allowed_kube_namespace_image_list instead.
- list: user_trusted_image_list
-  items: []
-
- list: user_allowed_kube_namespace_image_list
-  items: [user_trusted_image_list]
-
-# Only defined for backwards compatibility. Use the more specific
-# allowed_kube_namespace_image_list instead.
- list: k8s_image_list
-  items: []
-
- list: allowed_kube_namespace_image_list
-  items: [
-    gcr.io/google-containers/prometheus-to-sd,
-    gcr.io/projectcalico-org/node,
-    gke.gcr.io/addon-resizer,
-    gke.gcr.io/heapster,
-    gke.gcr.io/gke-metadata-server,
-    k8s.gcr.io/ip-masq-agent-amd64,
-    k8s.gcr.io/kube-apiserver,
-    gke.gcr.io/kube-proxy,
-    gke.gcr.io/netd-amd64,
-    gke.gcr.io/watcher-daemonset,
-    k8s.gcr.io/addon-resizer
-    k8s.gcr.io/prometheus-to-sd,
-    k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
-    k8s.gcr.io/k8s-dns-kube-dns-amd64,
-    k8s.gcr.io/k8s-dns-sidecar-amd64,
-    k8s.gcr.io/metrics-server-amd64,
-    kope/kube-apiserver-healthcheck,
-    k8s_image_list
-    ]
-
- macro: allowed_kube_namespace_pods
-  condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
-              ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
-
-# Detect any new pod created in the kube-system namespace
- rule: Pod Created in Kube Namespace
-  desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
-  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
-  output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
- list: user_known_sa_list
-  items: []
-
- list: known_sa_list
-  items: [
-    coredns,
-    coredns-autoscaler,
-    cronjob-controller,
-    daemon-set-controller,
-    deployment-controller,
-    disruption-controller,
-    endpoint-controller,
-    endpointslice-controller,
-    endpointslicemirroring-controller,
-    generic-garbage-collector,
-    horizontal-pod-autoscaler,
-    job-controller,
-    namespace-controller,
-    node-controller,
-    persistent-volume-binder,
-    pod-garbage-collector,
-    pv-protection-controller,
-    pvc-protection-controller,
-    replicaset-controller,
-    resourcequota-controller,
-    root-ca-cert-publisher,
-    service-account-controller,
-    statefulset-controller
-    ]
-
- macro: trusted_sa
-  condition: (ka.target.name in (known_sa_list, user_known_sa_list))
-
-# Detect creating a service account in the kube-system/kube-public namespace
- rule: Service Account Created in Kube Namespace
-  desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
-  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
-  output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Detect any modify/delete to any ClusterRole starting with
-# "system:". "system:coredns" is excluded as changes are expected in
-# normal operation.
- rule: System ClusterRole Modified/Deleted
-  desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
-  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
-             not ka.target.name in (system:coredns, system:managed-certificate-controller)
-  output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
-# (expand this to any built-in cluster role that does "sensitive" things)
- rule: Attach to cluster-admin Role
-  desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
-  condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin
-  output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
- rule: ClusterRole With Wildcard Created
-  desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
-  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
-  output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
- macro: writable_verbs
-  condition: >
-    (ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection))
-
- rule: ClusterRole With Write Privileges Created
-  desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
-  condition: kevt and (role or clusterrole) and kcreate and writable_verbs
-  output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
-  priority: NOTICE
-  source: k8s_audit
-  tags: [k8s]
-
- rule: ClusterRole With Pod Exec Created
-  desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
-  condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
-  output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# The rules below this point are less discriminatory and generally
-# represent a stream of activity for a cluster. If you wish to disable
-# these events, modify the following macro.
- macro: consider_activity_events
-  condition: (k8s_audit_always_true)
-
- macro: kactivity
-  condition: (kevt and consider_activity_events)
-
- rule: K8s Deployment Created
-  desc: Detect any attempt to create a deployment
-  condition: (kactivity and kcreate and deployment and response_successful)
-  output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s Deployment Deleted
-  desc: Detect any attempt to delete a deployment
-  condition: (kactivity and kdelete and deployment and response_successful)
-  output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s Service Created
-  desc: Detect any attempt to create a service
-  condition: (kactivity and kcreate and service and response_successful)
-  output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s Service Deleted
-  desc: Detect any attempt to delete a service
-  condition: (kactivity and kdelete and service and response_successful)
-  output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s ConfigMap Created
-  desc: Detect any attempt to create a configmap
-  condition: (kactivity and kcreate and configmap and response_successful)
-  output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s ConfigMap Deleted
-  desc: Detect any attempt to delete a configmap
-  condition: (kactivity and kdelete and configmap and response_successful)
-  output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s Namespace Created
-  desc: Detect any attempt to create a namespace
-  condition: (kactivity and kcreate and namespace and response_successful)
-  output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s Namespace Deleted
-  desc: Detect any attempt to delete a namespace
-  condition: (kactivity and non_system_user and kdelete and namespace and response_successful)
-  output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s Serviceaccount Created
-  desc: Detect any attempt to create a service account
-  condition: (kactivity and kcreate and serviceaccount and response_successful)
-  output: K8s Serviceaccount Created (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s Serviceaccount Deleted
-  desc: Detect any attempt to delete a service account
-  condition: (kactivity and kdelete and serviceaccount and response_successful)
-  output: K8s Serviceaccount Deleted (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s Role/Clusterrole Created
-  desc: Detect any attempt to create a cluster role/role
-  condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
-  output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s Role/Clusterrole Deleted
-  desc: Detect any attempt to delete a cluster role/role
-  condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
-  output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s Role/Clusterrolebinding Created
-  desc: Detect any attempt to create a clusterrolebinding
-  condition: (kactivity and kcreate and clusterrolebinding and response_successful)
-  output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s Role/Clusterrolebinding Deleted
-  desc: Detect any attempt to delete a clusterrolebinding
-  condition: (kactivity and kdelete and clusterrolebinding and response_successful)
-  output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s Secret Created
-  desc: Detect any attempt to create a secret. Service account tokens are excluded.
-  condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
-  output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
- rule: K8s Secret Deleted
-  desc: Detect any attempt to delete a secret Service account tokens are excluded.
-  condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
-  output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-# This rule generally matches all events, and as a result is disabled
-# by default. If you wish to enable these events, modify the
-# following macro.
-#  condition: (jevt.rawtime exists)
- macro: consider_all_events
-  condition: (k8s_audit_never_true)
-
- macro: kall
-  condition: (kevt and consider_all_events)
-
- rule: All K8s Audit Events
-  desc: Match all K8s Audit Events
-  condition: kall
-  output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)
-  priority: DEBUG
-  source: k8s_audit
-  tags: [k8s]
-
-
-# This macro disables following rule, change to k8s_audit_never_true to enable it
- macro: allowed_full_admin_users
-  condition: (k8s_audit_always_true)
-
-# This list includes some of the default user names for an administrator in several K8s installations
- list: full_admin_k8s_users
-  items: ["admin", "kubernetes-admin",  "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
-
-# This rules detect an operation triggered by an user name that is
-# included in the list of those that are default administrators upon
-# cluster creation. This may signify a permission setting too broader.
-# As we can't check for role of the user on a general ka.* event, this
-# may or may not be an administrator. Customize the full_admin_k8s_users
-# list to your needs, and activate at your discretion.
-
-# # How to test:
-# # Execute any kubectl command connected using default cluster user, as:
-# kubectl create namespace rule-test
-
- rule: Full K8s Administrative Access
-  desc: Detect any k8s operation by a user name that may be an administrator with full access.
-  condition: >
-    kevt
-    and non_system_user
-    and ka.user.name in (full_admin_k8s_users)
-    and not allowed_full_admin_users
-  output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
- macro: ingress
-  condition: ka.target.resource=ingresses
-
- macro: ingress_tls
-  condition: (jevt.value[/requestObject/spec/tls] exists)
-
-# # How to test:
-# # Create an ingress.yaml file with content:
-# apiVersion: networking.k8s.io/v1beta1
-# kind: Ingress
-# metadata:
-#   name: test-ingress
-#   annotations:
-#     nginx.ingress.kubernetes.io/rewrite-target: /
-# spec:
-#   rules:
-#   - http:
-#       paths:
-#       - path: /testpath
-#         backend:
-#           serviceName: test
-#           servicePort: 80
-# # Execute: kubectl apply -f ingress.yaml
-
- rule: Ingress Object without TLS Certificate Created
-  desc: Detect any attempt to create an ingress without TLS certification.
-  condition: >
-    (kactivity and kcreate and ingress and response_successful and not ingress_tls)
-  output: >
-    K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
-    namespace=%ka.target.namespace)
-  source: k8s_audit
-  priority: WARNING
-  tags: [k8s, network]
-
- macro: node
-  condition: ka.target.resource=nodes
-
- macro: allow_all_k8s_nodes
-  condition: (k8s_audit_always_true)
-
- list: allowed_k8s_nodes
-  items: []
-
-# # How to test:
-# # Create a Falco monitored cluster with Kops
-# # Increase the number of minimum nodes with:
-# kops edit ig nodes
-# kops apply --yes
-
- rule: Untrusted Node Successfully Joined the Cluster
-  desc: >
-    Detect a node successfully joined the cluster outside of the list of allowed nodes.
-  condition: >
-    kevt and node
-    and kcreate
-    and response_successful
-    and not allow_all_k8s_nodes
-    and not ka.target.name in (allowed_k8s_nodes)
-  output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
-  priority: ERROR
-  source: k8s_audit
-  tags: [k8s]
-
- rule: Untrusted Node Unsuccessfully Tried to Join the Cluster
-  desc: >
-    Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes.
-  condition: >
-    kevt and node
-    and kcreate
-    and not response_successful
-    and not allow_all_k8s_nodes
-    and not ka.target.name in (allowed_k8s_nodes)
-  output: Node not in allowed list tried unsuccessfully to join the cluster  (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
--- a/rules/okta_rules.yaml
+++ b/rules/okta_rules.yaml
@@ -1,177 +0,0 @@
-#Example Rule on login in to OKTA. Disabled by default since it might be noisy
-#- rule: User logged in to OKTA
-#  desc: Detect the user login in to OKTA
-#  condition: okta.evt.type = "user.session.start" 
-#  output: "A user has logged in toOKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-#       priority: NOTICE
-#  source: okta
-#  tags: [okta]
-
- rule: User Changing password in to OKTA
-  desc: Detect a user change password in OKTA
-  condition: okta.evt.type = "user.account.update_password"
-  output: "A user has changed password from OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
- rule: Creating a new OKTA user account
-  desc: Detect a new OKTA user account created in the OKTA environment
-  condition: okta.evt.type = "user.lifecycle.create"
-  output: "A new OKTA user account created (user=%okta.actor.name, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
- rule: User accessing app via single sign on OKTA
-  desc: Detect a user accessing an app via OKTA
-  condition: okta.evt.type = "user.authentication.sso"
-  output: "A user has accessed an app using OKTA (user=%okta.actor.name, app=%okta.app)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
- rule: User has been locked out in OKTA
-  desc: Detect a user who has been locked out in OKTA
-  condition: okta.evt.type = "user.account.lock"
-  output: "A user has been locked out in OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
- rule: User has been moved from suspended status in OKTA.
-  desc: Detect a user who has been moved from suspended status in OKTA
-  condition: okta.evt.type = "user.lifecycle.unsuspend"
-  output: "A user has been moved from suspended status in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
- rule: User has been activated in OKTA
-  desc: Detect a user who has been activated in OKTA
-  condition: okta.evt.type = "user.lifecycle.activate"
-  output: "A user has been activated in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
- rule: User has been deactivated in OKTA
-  desc: Detect a user who has been deactivated in OKTA
-  condition: okta.evt.type = "user.lifecycle.deactivate"
-  output: "A user has been deactivated in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
- rule: User has been suspended in OKTA
-  desc: Detect a user who has been suspended in OKTA
-  condition: okta.evt.type = "user.lifecycle.suspended"
-  output: "A user has been suspended in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
- rule: Admin permission has been assigned to a user in OKTA
-  desc: Detect an admin permission assigned to a user in OKTA
-  condition: okta.evt.type = "user.account.privilege.grant"
-  output: "A user has been locked out in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
- rule: Creating a new OKTA API token
-  desc: Detect a new OKTA API token created in the OKTA environment
-  condition: okta.evt.type = "system.api_token.create"
-  output: "A new OKTA API token has been created in OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
- rule: User accessing OKTA admin section
-  desc: Detect a user accessing OKTA admin section of your OKTA instance
-  condition: okta.evt.type = "user.session.access_admin_app"
-  output: "A user accessed the OKTA admin section of your OKTA instance (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
- rule: Adding user in OKTA group
-  desc: Detect a new user added to an OKTA group
-  condition: okta.evt.type = "group.user_membership.add"
-  output: "A user has been added in an OKTA group (user=%okta.actor.name, target group=%okta.target.group.name, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
- rule: removing MFA factor from user in OKTA
-  desc: Detect a removing MFA activity on a user in OKTA
-  condition: okta.evt.type = "user.mfa.factor.deactivate"
-  output: "A user has removed MFA factor in the OKTA account (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
- rule: removing all MFA factor from user in OKTA
-  desc: Detect a removing MFA activity on a user in OKTA
-  condition: okta.evt.type = "user.mfa.factor.reset_all"
-  output: "A user has removed all MFA factor in the OKTA account (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
- rule: User password reset by OKTA admin
-  desc: Detect a password reset on a user done by OKTA Admin Account
-  condition: okta.evt.type = "user.account.reset_password"
-  output: "A user password has been reset by an OKTA Admin account (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
- rule: User hitting the rate limit on requests in OKTA
-  desc: Detect a user who hit the rate limit on requests in OKTA
-  condition: okta.evt.type = "system.org.rate_limit.violation"
-  output: "A user has hitted the rate limit on requests in OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
- rule: Adding user to application membership in OKTA
-  desc: Detect a user who has been added o application membership in OKTA
-  condition: okta.evt.type = "application.user_membership.add"
-  output: "A user has been added to an application membership in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name, app=%okta.app)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
- rule: User initiating impersonation session in OKTA
-  desc: Detect a user who initiate an impersonation session in OKTA
-  condition: okta.evt.type = "user.session.impersonation.initiate"
-  output: "A user has initiated an impersonation session in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-# This list allows easily whitelisting countries that are
-# expected to see OKTA logins from.
- list: allowed_countries_list
-  items: []
-
- macro: user_known_countries
-  condition: (okta.client.geo.country in (allowed_countries_list))
-
- rule: Detecting unknown logins using geolocation
-  desc: Detect a logins event based on user geolocation
-  condition: okta.evt.type = "user.session.start" and not user_known_countries
-  output: "A user logged in OKTA from a suspicious country (user=%okta.actor.name, ip=%okta.client.ip, country=%okta.client.geo.country)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -33,5 +33,5 @@ configure_file(falco-driver-loader falco-driver-loader @ONLY)

 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	install(PROGRAMS ${PROJECT_BINARY_DIR}/scripts/falco-driver-loader
-		DESTINATION ${FALCO_BIN_DIR})
+		DESTINATION ${FALCO_BIN_DIR} COMPONENT "${FALCO_COMPONENT_NAME}")
 endif()
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
--- a/scripts/debian/postrm.in
+++ b/scripts/debian/postrm.in
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
--- a/scripts/debian/prerm.in
+++ b/scripts/debian/prerm.in
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,13 +17,8 @@
 #
 set -e

-DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
-DKMS_VERSION="@DRIVER_VERSION@"
-
 case "$1" in
 	remove|upgrade|deconfigure)
-		if [  "$(dkms status -m $DKMS_PACKAGE_NAME -v $DKMS_VERSION)" ]; then
-			dkms remove -m $DKMS_PACKAGE_NAME -v $DKMS_VERSION --all
-		fi
+		/usr/bin/falco-driver-loader --clean
 	;;
 esac
--- a/scripts/falco-driver-loader
+++ b/scripts/falco-driver-loader
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -219,43 +219,96 @@ load_kernel_module_download() {
 	fi
 }

-load_kernel_module() {
-	if ! hash lsmod > /dev/null 2>&1; then
-		>&2 echo "This program requires lsmod"
-		exit 1
-	fi
+print_clean_termination() {
+	echo
+	echo "[SUCCESS] Cleaning phase correctly terminated."
+	echo 
+	echo "================ Cleaning phase ================"
+	echo 
+}

-	if ! hash modprobe > /dev/null 2>&1; then
-		>&2 echo "This program requires modprobe"
+clean_kernel_module() {
+	echo 
+	echo "================ Cleaning phase ================"
+	echo 
+
+	if ! hash lsmod > /dev/null 2>&1; then
+		>&2 echo "This program requires lsmod."
 		exit 1
 	fi

 	if ! hash rmmod > /dev/null 2>&1; then
-		>&2 echo "This program requires rmmod"
+		>&2 echo "This program requires rmmod."
 		exit 1
 	fi

-	echo "* Unloading ${DRIVER_NAME} module, if present"
-	rmmod "${DRIVER_NAME}" 2>/dev/null
-	WAIT_TIME=0
 	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
-	while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
-		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
-			echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
-			break
-		fi
-		((++WAIT_TIME))
-		if (( WAIT_TIME % 5 == 0 )); then
-			echo "* ${DRIVER_NAME} module still loaded, waited ${WAIT_TIME}s (max wait ${MAX_RMMOD_WAIT}s)"
-		fi
-		sleep 1
-	done
+	echo "* 1. Check if kernel module '${KMOD_NAME}' is still loaded:"

-	if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" > /dev/null 2>&1; then
-		echo "* ${DRIVER_NAME} module seems to still be loaded, hoping the best"
-		exit 0
+	if ! lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}"; then
+		echo "- OK! There is no '${KMOD_NAME}' module loaded."
+		echo
 	fi

+	# Wait 50s = MAX_RMMOD_WAIT * 5s
+	MAX_RMMOD_WAIT=10
+	# Remove kernel module if is still loaded.
+	while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $MAX_RMMOD_WAIT -gt 0 ]; do
+		echo "- Kernel module '${KMOD_NAME}' is still loaded."
+		echo "- Trying to unload it with 'rmmod ${KMOD_NAME}'..."
+		if rmmod ${KMOD_NAME}; then
+			echo "- OK! Unloading '${KMOD_NAME}' module succeeded."
+			echo
+		else
+			echo "- Nothing to do...'falco-driver-loader' will wait until you remove the kernel module to have a clean termination."
+			echo "- Check that no process is using the kernel module with 'lsmod | grep ${KMOD_NAME}'."
+			echo "- Sleep 5 seconds..."
+			echo
+			((--MAX_RMMOD_WAIT))
+			sleep 5
+		fi
+	done
+
+	if [ ${MAX_RMMOD_WAIT} -eq 0 ]; then
+		echo "[WARNING] '${KMOD_NAME}' module is still loaded, you could have incompatibility issues."
+		echo
+	fi
+	
+	if ! hash dkms >/dev/null 2>&1; then
+		echo "- Skipping dkms remove (dkms not found)."
+		print_clean_termination
+		return
+	fi
+
+	# Remove all versions of this module from dkms.
+	echo "* 2. Check all versions of kernel module '${KMOD_NAME}' in dkms:"
+	DRIVER_VERSIONS=$(dkms status -m "${KMOD_NAME}" | tr -d "," | tr -d ":" | tr "/" " " | cut -d' ' -f2)
+	if [ -z "${DRIVER_VERSIONS}" ]; then
+		echo "- OK! There are no '${KMOD_NAME}' module versions in dkms."
+	else
+		echo "- There are some versions of '${KMOD_NAME}' module in dkms."
+		echo
+		echo "* 3. Removing all the following versions from dkms:"
+		echo "${DRIVER_VERSIONS}"
+		echo
+	fi
+
+	for CURRENT_VER in ${DRIVER_VERSIONS}; do
+		echo "- Removing ${CURRENT_VER}..."
+		if dkms remove -m ${KMOD_NAME} -v "${CURRENT_VER}" --all; then
+			echo
+			echo "- OK! Removing '${CURRENT_VER}' succeeded."
+			echo
+		else
+			echo "[WARNING] Removing '${KMOD_NAME}' version '${CURRENT_VER}' failed."
+		fi
+	done
+
+	print_clean_termination
+}
+
+load_kernel_module() {
+	clean_kernel_module

 	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"

@@ -290,48 +343,6 @@ load_kernel_module() {
 	exit 1
 }

-clean_kernel_module() {
-	if ! hash lsmod > /dev/null 2>&1; then
-		>&2 echo "This program requires lsmod"
-		exit 1
-	fi
-
-	if ! hash rmmod > /dev/null 2>&1; then
-		>&2 echo "This program requires rmmod"
-		exit 1
-	fi
-
-	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
-	if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}"; then
-		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
-			echo "* Unloading ${DRIVER_NAME} module succeeded"
-		else
-			echo "* Unloading ${DRIVER_NAME} module failed"
-		fi
-	else
-		echo "* There is no ${DRIVER_NAME} module loaded"
-	fi
-
-	if ! hash dkms >/dev/null 2>&1; then
-		echo "* Skipping dkms remove (dkms not found)"
-		return
-	fi
-
-	DRIVER_VERSIONS=$(dkms status -m "${DRIVER_NAME}" | cut -d',' -f1 | sed -e 's/^[[:space:]]*//')
-	if [ -z "${DRIVER_VERSIONS}" ]; then
-		echo "* There is no ${DRIVER_NAME} module in dkms"
-		return
-	fi
-	for CURRENT_VER in ${DRIVER_VERSIONS}; do
-		if dkms remove "${CURRENT_VER}" --all 2>/dev/null; then
-			echo "* Removing ${CURRENT_VER} succeeded"
-		else
-			echo "* Removing ${CURRENT_VER} failed"
-			exit 1
-		fi
-	done
-}
-
 load_bpf_probe_compile() {
 	local BPF_KERNEL_SOURCES_URL=""
 	local STRIP_COMPONENTS=1
--- a/scripts/rpm/postinstall.in
+++ b/scripts/rpm/postinstall.in
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
--- a/scripts/rpm/postuninstall.in
+++ b/scripts/rpm/postuninstall.in
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
--- a/scripts/rpm/preuninstall.in
+++ b/scripts/rpm/preuninstall.in
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,5 +15,4 @@
 # limitations under the License.
 #

-mod_version="@DRIVER_VERSION@"
-dkms remove -m falco -v $mod_version --all --rpm_safe_upgrade
+/usr/bin/falco-driver-loader --clean
--- a/test/README.md
+++ b/test/README.md
@@ -10,7 +10,6 @@ You can find instructions on how to run this test suite on the Falco website [he
 - [falco_traces](./falco_traces.yaml.in)
 - [falco_tests_package](./falco_tests_package.yaml)
 - [falco_k8s_audit_tests](./falco_k8s_audit_tests.yaml)
- [falco_tests_psp](./falco_tests_psp.yaml)

 ## Running locally

--- a/test/confs/plugins/k8s_audit.yaml
+++ b/test/confs/plugins/k8s_audit.yaml
@@ -0,0 +1,29 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+stdout_output:
+  enabled: true
+
+plugins:
+  - name: k8saudit
+    library_path: BUILD_DIR/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so
+    init_config: ""
+    open_params: "" # to be filled out by each test case
+  - name: json
+    library_path: BUILD_DIR/json-plugin-prefix/src/json-plugin/libjson.so
+    init_config: ""
+
+load_plugins: [k8saudit, json]
--- a/test/confs/psp.yaml
+++ b/test/confs/psp.yaml
@@ -1,171 +0,0 @@
-#
-# Copyright (C) 2016-2018 The Falco Authors.
-#
-# This file is part of falco .
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# File(s) or Directories containing Falco rules, loaded at startup.
-# The name "rules_file" is only for backwards compatibility.
-# If the entry is a file, it will be read directly. If the entry is a directory,
-# every file in that directory will be read, in alphabetical order.
-#
-# falco_rules.yaml ships with the falco package and is overridden with
-# every new software version. falco_rules.local.yaml is only created
-# if it doesn't exist. If you want to customize the set of rules, add
-# your customizations to falco_rules.local.yaml.
-#
-# The files will be read in the order presented here, so make sure if
-# you have overrides they appear in later files.
-rules_file: []
-
-# If true, the times displayed in log messages and output messages
-# will be in ISO 8601. By default, times are displayed in the local
-# time zone, as governed by /etc/localtime.
-time_format_iso_8601: false
-
-# Whether to output events in json or text
-json_output: false
-
-# When using json output, whether or not to include the "output" property
-# itself (e.g. "File below a known binary directory opened for writing
-# (user=root ....") in the json output.
-json_include_output_property: true
-
-# When using json output, whether or not to include the "tags" property
-# itself in the json output. If set to true, outputs caused by rules
-# with no tags will have a "tags" field set to an empty array. If set to
-# false, the "tags" field will not be included in the json output at all.
-json_include_tags_property: true
-
-# Send information logs to stderr and/or syslog Note these are *not* security
-# notification logs! These are just Falco lifecycle (and possibly error) logs.
-log_stderr: true
-log_syslog: true
-
-# Minimum log level to include in logs. Note: these levels are
-# separate from the priority field of rules. This refers only to the
-# log level of falco's internal logging. Can be one of "emergency",
-# "alert", "critical", "error", "warning", "notice", "info", "debug".
-log_level: info
-
-# Minimum rule priority level to load and run. All rules having a
-# priority more severe than this level will be loaded/run.  Can be one
-# of "emergency", "alert", "critical", "error", "warning", "notice",
-# "info", "debug".
-priority: debug
-
-# Whether or not output to any of the output channels below is
-# buffered. Defaults to false
-buffered_outputs: false
-
-# Falco uses a shared buffer between the kernel and userspace to pass
-# system call information. When falco detects that this buffer is
-# full and system calls have been dropped, it can take one or more of
-# the following actions:
-#   - "ignore": do nothing. If an empty list is provided, ignore is assumed.
-#   - "log": log a CRITICAL message noting that the buffer was full.
-#   - "alert": emit a falco alert noting that the buffer was full.
-#   - "exit": exit falco with a non-zero rc.
-#
-# The rate at which log/alert messages are emitted is governed by a
-# token bucket. The rate corresponds to one message every 30 seconds
-# with a burst of 10 messages.
-
-syscall_event_drops:
-  actions:
-    - log
-    - alert
-  rate: .03333
-  max_burst: 10
-
-# A throttling mechanism implemented as a token bucket limits the
-# rate of falco notifications. This throttling is controlled by the following configuration
-# options:
-#  - rate: the number of tokens (i.e. right to send a notification)
-#    gained per second. Defaults to 1.
-#  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
-#
-# With these defaults, falco could send up to 1000 notifications after
-# an initial quiet period, and then up to 1 notification per second
-# afterward. It would gain the full burst back after 1000 seconds of
-# no activity.
-
-outputs:
-  rate: 1
-  max_burst: 1000
-
-# Where security notifications should go.
-# Multiple outputs can be enabled.
-
-syslog_output:
-  enabled: true
-
-# If keep_alive is set to true, the file will be opened once and
-# continuously written to, with each output message on its own
-# line. If keep_alive is set to false, the file will be re-opened
-# for each output message.
-#
-# Also, the file will be closed and reopened if falco is signaled with
-# SIGUSR1.
-
-file_output:
-  enabled: false
-  keep_alive: false
-  filename: ./events.txt
-
-stdout_output:
-  enabled: true
-
-# Falco contains an embedded webserver that can be used to accept K8s
-# Audit Events. These config options control the behavior of that
-# webserver. (By default, the webserver is disabled).
-#
-# The ssl_certificate is a combination SSL Certificate and corresponding
-# key contained in a single file. You can generate a key/cert as follows:
-#
-# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
-# $ cat certificate.pem key.pem > falco.pem
-# $ sudo cp falco.pem /etc/falco/falco.pem
-
-webserver:
-  enabled: true
-  listen_port: 8765
-  k8s_audit_endpoint: /k8s-audit
-  ssl_enabled: false
-  ssl_certificate: /etc/falco/falco.pem
-
-# Possible additional things you might want to do with program output:
-#   - send to a slack webhook:
-#         program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
-#   - logging (alternate method than syslog):
-#         program: logger -t falco-test
-#   - send over a network connection:
-#         program: nc host.example.com 80
-
-# If keep_alive is set to true, the program will be started once and
-# continuously written to, with each output message on its own
-# line. If keep_alive is set to false, the program will be re-spawned
-# for each output message.
-#
-# Also, the program will be closed and reopened if falco is signaled with
-# SIGUSR1.
-program_output:
-  enabled: false
-  keep_alive: false
-  program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
-
-http_output:
-  enabled: false
-  url: http://some.url
--- a/test/falco_k8s_audit_tests.yaml
+++ b/test/falco_k8s_audit_tests.yaml
@@ -25,7 +25,8 @@ trace_files: !mux
      - ./rules/k8s_audit/engine_v4/allow_only_apache_container.yaml
    detect_counts:
      - Create Disallowed Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

  compat_engine_v4_create_allowed_pod:
    detect: False
@@ -33,7 +34,8 @@ trace_files: !mux
      - ../rules/falco_rules.yaml
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
      - ./rules/k8s_audit/engine_v4/allow_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

  compat_engine_v4_create_privileged_pod:
    detect: True
@@ -43,23 +45,26 @@ trace_files: !mux
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
    detect_counts:
      - Create Privileged Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json

  compat_engine_v4_create_privileged_trusted_pod:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json

  compat_engine_v4_create_unprivileged_pod:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

  compat_engine_v4_create_hostnetwork_pod:
    detect: True
@@ -69,535 +74,591 @@ trace_files: !mux
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
    detect_counts:
      - Create HostNetwork Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json

  compat_engine_v4_create_hostnetwork_trusted_pod:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json

  user_outside_allowed_set:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_namespace_foo.yaml
    detect_counts:
      - Disallowed K8s User: 1
-    trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json

  user_in_allowed_set:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_namespace_foo.yaml
      - ./rules/k8s_audit/allow_user_some-user.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
-    trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json

  create_disallowed_pod:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_only_apache_container.yaml
    detect_counts:
      - Create Disallowed Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

  create_allowed_pod:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

  create_privileged_pod:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Create Privileged Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json

  create_privileged_no_secctx_1st_container_2nd_container_pod:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Create Privileged Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json

  create_privileged_2nd_container_pod:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Create Privileged Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json

  create_privileged_trusted_pod:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json

  create_unprivileged_pod:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

  create_unprivileged_trusted_pod:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

  create_sensitive_mount_pod:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Create Sensitive Mount Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json

  create_sensitive_mount_2nd_container_pod:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Create Sensitive Mount Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json

  create_sensitive_mount_trusted_pod:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json

  create_unsensitive_mount_pod:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json

  create_unsensitive_mount_trusted_pod:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json

  create_hostnetwork_pod:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Create HostNetwork Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json

  create_hostnetwork_trusted_pod:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json

  create_nohostnetwork_pod:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json

  create_nohostnetwork_trusted_pod:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json

  create_nodeport_service:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
    detect_counts:
      - Create NodePort Service: 1
-    trace_file: trace_files/k8s_audit/create_nginx_service_nodeport.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_service_nodeport.json

  create_nonodeport_service:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_service_nonodeport.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_service_nonodeport.json

  create_configmap_private_creds:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
    detect_counts:
      - Create/Modify Configmap With Private Credentials: 6
-    trace_file: trace_files/k8s_audit/create_configmap_sensitive_values.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap_sensitive_values.json

  create_configmap_no_private_creds:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
-    trace_file: trace_files/k8s_audit/create_configmap_no_sensitive_values.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap_no_sensitive_values.json

  anonymous_user:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Anonymous Request Allowed: 1
-    trace_file: trace_files/k8s_audit/anonymous_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/anonymous_creates_namespace_foo.json

  pod_exec:
    detect: True
    detect_level: NOTICE
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Attach/Exec Pod: 1
-    trace_file: trace_files/k8s_audit/exec_pod.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/exec_pod.json

  pod_attach:
    detect: True
    detect_level: NOTICE
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Attach/Exec Pod: 1
-    trace_file: trace_files/k8s_audit/attach_pod.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/attach_pod.json

  namespace_outside_allowed_set:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_user_some-user.yaml
    detect_counts:
      - Create Disallowed Namespace: 1
-    trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json

  namespace_in_allowed_set:
    detect: False
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_namespace_foo.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
-    trace_file: trace_files/k8s_audit/minikube_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/minikube_creates_namespace_foo.json

  create_pod_in_kube_system_namespace:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Pod Created in Kube Namespace: 1
-    trace_file: trace_files/k8s_audit/create_pod_kube_system_namespace.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_pod_kube_system_namespace.json

  create_pod_in_kube_public_namespace:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Pod Created in Kube Namespace: 1
-    trace_file: trace_files/k8s_audit/create_pod_kube_public_namespace.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_pod_kube_public_namespace.json

  create_serviceaccount_in_kube_system_namespace:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Service Account Created in Kube Namespace: 1
-    trace_file: trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json

  create_serviceaccount_in_kube_public_namespace:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Service Account Created in Kube Namespace: 1
-    trace_file: trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json

  system_clusterrole_deleted:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - System ClusterRole Modified/Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json

  system_clusterrole_modified:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - System ClusterRole Modified/Deleted: 1
-    trace_file: trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json

  attach_cluster_admin_role:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Attach to cluster-admin Role: 1
-    trace_file: trace_files/k8s_audit/attach_cluster_admin_role.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/attach_cluster_admin_role.json

  create_cluster_role_wildcard_resources:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - ClusterRole With Wildcard Created: 1
-    trace_file: trace_files/k8s_audit/create_cluster_role_wildcard_resources.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_wildcard_resources.json

  create_cluster_role_wildcard_verbs:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - ClusterRole With Wildcard Created: 1
-    trace_file: trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json

  create_writable_cluster_role:
    detect: True
    detect_level: NOTICE
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - ClusterRole With Write Privileges Created: 1
-    trace_file: trace_files/k8s_audit/create_cluster_role_write_privileges.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_write_privileges.json

  create_pod_exec_cluster_role:
    detect: True
    detect_level: WARNING
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - ClusterRole With Pod Exec Created: 1
-    trace_file: trace_files/k8s_audit/create_cluster_role_pod_exec.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_pod_exec.json

  create_deployment:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Deployment Created: 1
-    trace_file: trace_files/k8s_audit/create_deployment.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_deployment.json

  delete_deployment:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Deployment Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_deployment.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_deployment.json

  create_service:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Service Created: 1
-    trace_file: trace_files/k8s_audit/create_service.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service.json

  delete_service:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Service Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_service.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_service.json

  create_configmap:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s ConfigMap Created: 1
-    trace_file: trace_files/k8s_audit/create_configmap.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap.json

  delete_configmap:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s ConfigMap Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_configmap.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_configmap.json

  create_namespace:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_namespace_foo.yaml
      - ./rules/k8s_audit/allow_user_some-user.yaml
    detect_counts:
      - K8s Namespace Created: 1
-    trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json

  delete_namespace:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Namespace Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_namespace_foo.json

  create_serviceaccount:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Serviceaccount Created: 1
-    trace_file: trace_files/k8s_audit/create_serviceaccount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount.json

  delete_serviceaccount:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Serviceaccount Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_serviceaccount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_serviceaccount.json

  create_clusterrole:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Role/Clusterrole Created: 1
-    trace_file: trace_files/k8s_audit/create_clusterrole.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_clusterrole.json

  delete_clusterrole:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Role/Clusterrole Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_clusterrole.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_clusterrole.json

  create_clusterrolebinding:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Role/Clusterrolebinding Created: 1
-    trace_file: trace_files/k8s_audit/create_clusterrolebinding.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_clusterrolebinding.json

  delete_clusterrolebinding:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Role/Clusterrolebinding Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_clusterrolebinding.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_clusterrolebinding.json

  create_secret:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Secret Created: 1
-    trace_file: trace_files/k8s_audit/create_secret.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_secret.json

  # Should *not* result in any event as the secret rules skip service account token secrets
  create_service_account_token_secret:
@@ -605,35 +666,39 @@ trace_files: !mux
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_service_account_token_secret.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service_account_token_secret.json

  create_kube_system_secret:
    detect: False
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_kube_system_secret.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_kube_system_secret.json

  delete_secret:
    detect: True
    detect_level: INFO
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Secret Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_secret.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_secret.json

  fal_01_003:
    detect: False
-    detect_level: INFO
+    exit_status: 1
    rules_file:
      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/fal_01_003.json
-    stderr_contains: 'Could not read k8s audit event line #1, "{"kind": 0}": Data not recognized as a k8s audit event, stopping'
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/fal_01_003.json
+    stderr_contains: 'data not recognized as a k8s audit event'

  json_pointer_correct_parse:
    detect: True
@@ -642,4 +707,5 @@ trace_files: !mux
      - ./rules/k8s_audit/single_rule_with_json_pointer.yaml
    detect_counts:
      - json_pointer_example: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -44,9 +44,6 @@ class FalcoTest(Test):

        self.falcodir = self.params.get('falcodir', '/', default=build_dir)

-        self.psp_conv_path = os.path.join(build_dir, "falcoctl")
-        self.psp_conv_url = "https://github.com/falcosecurity/falcoctl/releases/download/v0.0.4/falcoctl-0.0.4-linux-amd64"
-
        self.stdout_is = self.params.get('stdout_is', '*', default='')
        self.stderr_is = self.params.get('stderr_is', '*', default='')

@@ -111,15 +108,8 @@ class FalcoTest(Test):
            if not isinstance(self.validate_rules_file, list):
                self.validate_rules_file = [self.validate_rules_file]

-        self.psp_rules_file = os.path.join(build_dir, "psp_rules.yaml")
-
-        self.psp_file = self.params.get('psp_file', '*', default="")
-
        self.rules_args = ""

-        if self.psp_file != "":
-            self.rules_args = self.rules_args + "-r " + self.psp_rules_file + " "
-
        for file in self.validate_rules_file:
            if not os.path.isabs(file):
                file = os.path.join(self.basedir, file)
@@ -127,7 +117,7 @@ class FalcoTest(Test):

        for file in self.rules_file:
            if not os.path.isabs(file):
-                file = os.path.join(self.basedir, file)
+                file = os.path.join(self.basedir, file.replace("BUILD_DIR", build_dir))
            self.rules_args = self.rules_args + "-r " + file + " "

        self.conf_file = self.params.get(
@@ -593,32 +583,6 @@ class FalcoTest(Test):
        if self.trace_file:
            trace_arg = "-e {}".format(self.trace_file)

-        # Possibly run psp converter
-        if self.psp_file != "":
-
-            if not os.path.isfile(self.psp_conv_path):
-                self.log.info("Downloading {} to {}".format(
-                    self.psp_conv_url, self.psp_conv_path))
-
-                urllib.request.urlretrieve(
-                    self.psp_conv_url, self.psp_conv_path)
-                os.chmod(self.psp_conv_path, stat.S_IEXEC)
-
-            conv_cmd = '{} convert psp --psp-path {} --rules-path {}'.format(
-                self.psp_conv_path, os.path.join(self.basedir, self.psp_file), self.psp_rules_file)
-
-            conv_proc = process.SubProcess(conv_cmd)
-
-            conv_res = conv_proc.run(timeout=180, sig=9)
-
-            if conv_res.exit_status != 0:
-                self.error("psp_conv command \"{}\" exited with unexpected return value {}. Full stdout={} stderr={}".format(
-                    conv_cmd, conv_res.exit_status, conv_res.stdout, conv_res.stderr))
-
-            with open(self.psp_rules_file, 'r') as myfile:
-                psp_rules = myfile.read()
-                self.log.debug("Converted Rules: {}".format(psp_rules))
-
        # Run falco
        cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o json_include_tags_property={} -o priority={} -v {}'.format(
            self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output,
--- a/test/falco_tests_plugins.yaml
+++ b/test/falco_tests_plugins.yaml
@@ -24,7 +24,7 @@ trace_files: !mux
      - rules/plugins/cloudtrail_create_instances.yaml
    conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
    addl_cmdline_opts: --list-plugins
-    stdout_contains: "2 Plugins Loaded.*Name: cloudtrail.*Type: source plugin.*Name: json.*Type: extractor plugin"
+    stdout_contains: "2 Plugins Loaded.*Name: cloudtrail.*Name: json.*"

  list_plugin_fields:
    check_detection_counts: False
@@ -54,21 +54,21 @@ trace_files: !mux

  multiple_source_plugins:
    exit_status: 1
-    stderr_contains: "Runtime error: Can not load multiple source plugins. cloudtrail already loaded. Exiting."
+    stderr_contains: "Can not load multiple plugins with event sourcing capability: 'cloudtrail' already loaded."
    conf_file: BUILD_DIR/test/confs/plugins/multiple_source_plugins.yaml
    rules_file:
      - rules/plugins/cloudtrail_create_instances.yaml

  incompatible_extract_sources:
    exit_status: 1
-    stderr_contains: "Runtime error: Extractor plugin not compatible with event source aws_cloudtrail. Exiting."
+    stderr_contains: "Plugin '.*' has field extraction capability but is not compatible with any enabled event source"
    conf_file: BUILD_DIR/test/confs/plugins/incompatible_extract_sources.yaml
    rules_file:
      - rules/plugins/cloudtrail_create_instances.yaml

  overlap_extract_sources:
    exit_status: 1
-    stderr_contains: "Runtime error: Extractor plugins have overlapping compatible event source test_source. Exiting."
+    stderr_contains: "Plugin '.*' supports extraction of field 'test.field' that is overlapping for source 'test_source'"
    conf_file: BUILD_DIR/test/confs/plugins/overlap_extract_sources.yaml
    rules_file:
      - rules/plugins/cloudtrail_create_instances.yaml
@@ -82,7 +82,7 @@ trace_files: !mux

  incompat_plugin_rules_version:
    exit_status: 1
-    stderr_contains: "Runtime error: Plugin cloudtrail version .* not compatible with required plugin version 100000.0.0. Exiting."
+    stderr_contains: "Plugin 'cloudtrail' version '.*' is not compatible with required plugin version '100000.0.0'"
    conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
    rules_file:
      - rules/plugins/cloudtrail_incompat_plugin_version.yaml
--- a/test/falco_tests_psp.yaml
+++ b/test/falco_tests_psp.yaml
@@ -1,666 +0,0 @@
-#
-# Copyright (C) 2016-2018 The Falco Authors.
-#
-# This file is part of falco.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-trace_files: !mux
-
-  privileged_detect_k8s_audit:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privileged Violation (privileged) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged.yaml
-    trace_file: trace_files/psp/privileged.json
-
-  privileged_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privileged Violation (privileged) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged.yaml
-    trace_file: trace_files/psp/privileged.scap
-
-  privileged_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  host_pid_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_host_pid Violation (hostPID)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_pid.yaml
-    trace_file: trace_files/psp/host_pid.json
-
-  host_pid_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_pid.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  host_ipc_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_host_ipc Violation (hostIPC)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_ipc.yaml
-    trace_file: trace_files/psp/host_ipc.json
-
-  host_ipc_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_ipc.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  host_network_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_host_network Violation (hostNetwork)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_network.yaml
-    trace_file: trace_files/psp/host_network.json
-
-  host_network_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_network.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  host_network_ports_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP host_ports_100_200_only Violation (hostPorts)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_network_ports.yaml
-    trace_file: trace_files/psp/host_network_ports.json
-
-  host_network_ports_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_network_ports.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  volumes_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP only_secret_volumes Violation (volumes)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/volumes.yaml
-    trace_file: trace_files/psp/mount_etc_using_host_path.json
-
-  volumes_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/volumes.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  allowed_host_paths_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP only_mount_host_usr Violation (allowedHostPaths)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_host_paths.yaml
-    trace_file: trace_files/psp/mount_etc_using_host_path.json
-
-  allowed_host_paths_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_host_paths.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  allowed_flex_volumes_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP only_lvm_cifs_flex_volumes Violation (allowedFlexVolumes)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/flex_volumes.yaml
-    trace_file: trace_files/psp/flex_volumes.json
-
-  allowed_flex_volumes_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/flex_volumes.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  fs_group_must_run_as_with_unset:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP fs_group_must_run_as_30 Violation (fsGroup)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_must_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  fs_group_must_run_as:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP fs_group_must_run_as_30 Violation (fsGroup)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_must_run_as.yaml
-    trace_file: trace_files/psp/fs_group.json
-
-  fs_group_may_run_as:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP fs_group_may_run_as_30 Violation (fsGroup)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_may_run_as.yaml
-    trace_file: trace_files/psp/fs_group.json
-
-  fs_group_may_run_as_with_unset:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_may_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  fs_group_run_as_any:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_run_as_any.yaml
-    trace_file: trace_files/psp/fs_group.json
-
-  fs_group_run_as_any_with_unset:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_run_as_any.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  read_only_root_fs_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP read_only_root_fs Violation (readOnlyRootFilesystem) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/read_only_root_fs.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  read_only_root_fs_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP read_only_root_fs Violation (readOnlyRootFilesystem) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/read_only_root_fs.yaml
-    trace_file: trace_files/psp/write_tmp_test.scap
-
-  read_only_root_fs_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/read_only_root_fs.yaml
-    trace_file: trace_files/psp/read_only_root_fs.json
-
-  user_must_run_as_with_unset:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  user_must_run_as_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_1000_container.json
-
-  user_must_run_as_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_65534_container.scap
-
-  user_must_run_as_not_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_30_container.json
-
-  user_must_run_as_detect_sec_ctx:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json
-
-  user_must_run_as_not_detect_sec_ctx:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_30_sec_ctx.json
-
-  user_must_run_as_detect_both:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_30_sec_ctx_1000_container.json
-
-  user_must_run_as_not_detect_both:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_1000_sec_ctx_30_container.json
-
-  user_must_run_as_non_root_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_0_container.json
-
-  user_must_run_as_non_root_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_0_container.scap
-
-  user_must_run_as_non_root_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_1000_container.json
-
-  user_must_run_as_non_root_detect_sec_ctx:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_0_sec_ctx.json
-
-  user_must_run_as_non_root_no_detect_sec_ctx:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json
-
-  user_must_run_as_non_root_detect_both:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_1000_sec_ctx_0_container.json
-
-  user_must_run_as_non_root_no_detect_both:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_0_sec_ctx_1000_container.json
-
-  group_must_run_as_with_unset:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  group_must_run_as_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_container.json
-
-  group_must_run_as_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_65534_container.scap
-
-  group_must_run_as_not_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_container.json
-
-  group_must_run_as_detect_sec_ctx:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json
-
-  group_must_run_as_not_detect_sec_ctx:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_sec_ctx.json
-
-  group_must_run_as_detect_both:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
-
-  group_must_run_as_not_detect_both:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
-
-  group_may_run_as_with_unset:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  group_may_run_as_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_container.json
-
-  group_may_run_as_not_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_container.json
-
-  group_may_run_as_detect_sec_ctx:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json
-
-  group_may_run_as_not_detect_sec_ctx:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_sec_ctx.json
-
-  group_may_run_as_detect_both:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
-
-  group_may_run_as_not_detect_both:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
-
-  supplemental_groups_must_run_as_with_unset:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_must_run_as_30 Violation (supplementalGroups=MustRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_30_40.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  supplemental_groups_must_run_as_no_overlap:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_must_run_as_30 Violation (supplementalGroups=MustRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_30_40.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_must_run_as_partial_overlap:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_must_run_as_30_10 Violation (supplementalGroups=MustRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_30_40_10_15.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_must_run_as_overlap:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_10_20.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_must_run_as_overlap_multiple_ranges:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_10_40_10_20.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_may_run_as_with_unset:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_30_40.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  supplemental_groups_may_run_as_no_overlap:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_may_run_as_30 Violation (supplementalGroups=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_30_40.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_may_run_as_partial_overlap:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_may_run_as_30_10 Violation (supplementalGroups=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_30_40_10_15.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_may_run_as_overlap:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_10_20.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_may_run_as_overlap_multiple_ranges:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_10_40_10_20.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  privilege_escalation_privilege_escalation_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privilege_escalation Violation (allowPrivilegeEscalation)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privilege_escalation.yaml
-    trace_file: trace_files/psp/privilege_escalation.json
-
-  allowed_capabilities_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP allow_capability_sys_nice Violation (allowedCapabilities)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_capabilities.yaml
-    trace_file: trace_files/psp/capability_add_sys_time.json
-
-  allowed_capabilities_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_capabilities.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  allowed_capabilities_match:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_capabilities.yaml
-    trace_file: trace_files/psp/capability_add_sys_nice.json
-
-  allowed_proc_mount_types_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP allow_default_proc_mount_type Violation (allowedProcMountTypes)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_proc_mount_types.yaml
-    trace_file: trace_files/psp/proc_mount_type_unmasked.json
-
-  allowed_proc_mount_types_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_proc_mount_types.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  allowed_proc_mount_types_match:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_proc_mount_types.yaml
-    trace_file: trace_files/psp/proc_mount_type_default.json
-
-  psp_name_with_dashes:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privileged Violation (privileged) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged_name_with_dashes.yaml
-    trace_file: trace_files/psp/privileged.scap
-
-  psp_name_with_spaces:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privileged Violation (privileged) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged_name_with_spaces.yaml
-    trace_file: trace_files/psp/privileged.scap
--- a/test/plugins/test_extract.cpp
+++ b/test/plugins/test_extract.cpp
@@ -20,14 +20,13 @@ limitations under the License.
 #include <plugin_info.h>

 static const char *pl_required_api_version = "1.0.0";
-static uint32_t    pl_type                 = TYPE_EXTRACTOR_PLUGIN;
 static const char *pl_name_base            = "test_extract";
 static char pl_name[1024];
 static const char *pl_desc                 = "Test Plugin For Regression Tests";
 static const char *pl_contact              = "github.com/falcosecurity/falco";
 static const char *pl_version              = "0.1.0";
 static const char *pl_extract_sources      = "[\"test_source\"]";
-static const char *pl_fields               = "[]";
+static const char *pl_fields               = "[{\"type\": \"uint64\", \"name\": \"test.field\", \"desc\": \"Describing test field\"}]";

 // This struct represents the state of a plugin. Just has a placeholder string value.
 typedef struct plugin_state
@@ -40,18 +39,12 @@ const char* plugin_get_required_api_version()
 	return pl_required_api_version;
 }

-extern "C"
-uint32_t plugin_get_type()
-{
-	return pl_type;
-}
-
 extern "C"
 const char* plugin_get_name()
 {
 	// Add a random-ish suffix to the end, as some tests load
 	// multiple copies of this plugin
-	snprintf(pl_name, sizeof(pl_name)-1, "%s%ld\n", pl_name_base, random());
+	snprintf(pl_name, sizeof(pl_name)-1, "%s%ld", pl_name_base, random());
 	return pl_name;
 }

--- a/test/plugins/test_source.cpp
+++ b/test/plugins/test_source.cpp
@@ -21,7 +21,6 @@ limitations under the License.
 #include <plugin_info.h>

 static const char *pl_required_api_version = "1.0.0";
-static uint32_t    pl_type                 = TYPE_SOURCE_PLUGIN;
 static uint32_t    pl_id                   = 999;
 static const char *pl_name                 = "test_source";
 static const char *pl_desc                 = "Test Plugin For Regression Tests";
@@ -45,12 +44,6 @@ const char* plugin_get_required_api_version()
 	return pl_required_api_version;
 }

-extern "C"
-uint32_t plugin_get_type()
-{
-	return pl_type;
-}
-
 extern "C"
 uint32_t plugin_get_id()
 {
--- a/test/psps/allowed_capabilities.yaml
+++ b/test/psps/allowed_capabilities.yaml
@@ -1,10 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: allow_capability_sys_nice
-spec:
-  allowedCapabilities:
-    - SYS_NICE
-
--- a/test/psps/allowed_host_paths.yaml
+++ b/test/psps/allowed_host_paths.yaml
@@ -1,11 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: only_mount_host_usr
-spec:
-  allowedHostPaths:
-    - pathPrefix: /usr
-      readOnly: true
-
--- a/test/psps/allowed_proc_mount_types.yaml
+++ b/test/psps/allowed_proc_mount_types.yaml
@@ -1,10 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: allow_default_proc_mount_type
-spec:
-  allowedProcMountTypes:
-    - Default
-
--- a/test/psps/flex_volumes.yaml
+++ b/test/psps/flex_volumes.yaml
@@ -1,13 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: only_lvm_cifs_flex_volumes
-spec:
-  volumes:
-    - flexVolume
-  allowedFlexVolumes:
-    - driver: example/lvm
-    - driver: example/cifs
-
--- a/test/psps/fs_group_may_run_as.yaml
+++ b/test/psps/fs_group_may_run_as.yaml
@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: fs_group_may_run_as_30
-spec:
-  fsGroup:
-    rule: "MayRunAs"
-    ranges:
-      - min: 30
-        max: 40
--- a/test/psps/fs_group_must_run_as.yaml
+++ b/test/psps/fs_group_must_run_as.yaml
@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: fs_group_must_run_as_30
-spec:
-  fsGroup:
-    rule: "MustRunAs"
-    ranges:
-      - min: 30
-        max: 40
--- a/test/psps/fs_group_run_as_any.yaml
+++ b/test/psps/fs_group_run_as_any.yaml
@@ -1,10 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: fs_group_run_as_any
-spec:
-  fsGroup:
-    rule: "RunAsAny"
-
--- a/test/psps/group_may_run_as.yaml
+++ b/test/psps/group_may_run_as.yaml
@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: group_may_run_as_30
-spec:
-  runAsGroup:
-    rule: "MayRunAs"
-    ranges:
-      - min: 30
-        max: 40
--- a/test/psps/group_must_run_as.yaml
+++ b/test/psps/group_must_run_as.yaml
@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: group_must_run_as_30
-spec:
-  runAsGroup:
-    rule: "MustRunAs"
-    ranges:
-      - min: 30
-        max: 40
--- a/test/psps/host_ipc.yaml
+++ b/test/psps/host_ipc.yaml
@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: no_host_ipc
-spec:
-  hostIPC: false
--- a/test/psps/host_network.yaml
+++ b/test/psps/host_network.yaml
@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: no_host_network
-spec:
-  hostNetwork: false
--- a/test/psps/host_network_ports.yaml
+++ b/test/psps/host_network_ports.yaml
@@ -1,11 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: host_ports_100_200_only
-spec:
-  hostNetwork: true
-  hostPorts:
-    - min: 100
-      max: 200
--- a/test/psps/host_pid.yaml
+++ b/test/psps/host_pid.yaml
@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: no_host_pid
-spec:
-  hostPID: false
--- a/test/psps/privilege_escalation.yaml
+++ b/test/psps/privilege_escalation.yaml
@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: no_privilege_escalation
-spec:
-  allowPrivilegeEscalation: false
--- a/test/psps/privileged.yaml
+++ b/test/psps/privileged.yaml
@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: no_privileged
-spec:
-  privileged: false
--- a/test/psps/privileged_name_with_dashes.yaml
+++ b/test/psps/privileged_name_with_dashes.yaml
@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: no-privileged
-spec:
-  privileged: false
--- a/test/psps/privileged_name_with_spaces.yaml
+++ b/test/psps/privileged_name_with_spaces.yaml
@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: no privileged
-spec:
-  privileged: false
--- a/test/psps/read_only_root_fs.yaml
+++ b/test/psps/read_only_root_fs.yaml
@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: read_only_root_fs
-spec:
-  readOnlyRootFilesystem: true
--- a/test/psps/supplemental_groups_may_run_as_10_20.yaml
+++ b/test/psps/supplemental_groups_may_run_as_10_20.yaml
@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_may_run_as_10
-spec:
-  supplementalGroups:
-    rule: "MayRunAs"
-    ranges:
-      - min: 10
-        max: 20
--- a/test/psps/supplemental_groups_may_run_as_10_40_10_20.yaml
+++ b/test/psps/supplemental_groups_may_run_as_10_40_10_20.yaml
@@ -1,14 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_may_run_as_30
-spec:
-  supplementalGroups:
-    rule: "MayRunAs"
-    ranges:
-      - min: 10
-        max: 40
-      - min: 10
-        max: 20
--- a/test/psps/supplemental_groups_may_run_as_30_40.yaml
+++ b/test/psps/supplemental_groups_may_run_as_30_40.yaml
@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_may_run_as_30
-spec:
-  supplementalGroups:
-    rule: "MayRunAs"
-    ranges:
-      - min: 30
-        max: 40
--- a/test/psps/supplemental_groups_may_run_as_30_40_10_15.yaml
+++ b/test/psps/supplemental_groups_may_run_as_30_40_10_15.yaml
@@ -1,14 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_may_run_as_30_10
-spec:
-  supplementalGroups:
-    rule: "MayRunAs"
-    ranges:
-      - min: 30
-        max: 40
-      - min: 10
-        max: 15
--- a/test/psps/supplemental_groups_must_run_as_10_20.yaml
+++ b/test/psps/supplemental_groups_must_run_as_10_20.yaml
@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_must_run_as_10
-spec:
-  supplementalGroups:
-    rule: "MustRunAs"
-    ranges:
-      - min: 10
-        max: 20
--- a/test/psps/supplemental_groups_must_run_as_10_40_10_20.yaml
+++ b/test/psps/supplemental_groups_must_run_as_10_40_10_20.yaml
@@ -1,14 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_must_run_as_30
-spec:
-  supplementalGroups:
-    rule: "MustRunAs"
-    ranges:
-      - min: 10
-        max: 40
-      - min: 10
-        max: 20
--- a/test/psps/supplemental_groups_must_run_as_30_40.yaml
+++ b/test/psps/supplemental_groups_must_run_as_30_40.yaml
@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_must_run_as_30
-spec:
-  supplementalGroups:
-    rule: "MustRunAs"
-    ranges:
-      - min: 30
-        max: 40
--- a/test/psps/supplemental_groups_must_run_as_30_40_10_15.yaml
+++ b/test/psps/supplemental_groups_must_run_as_30_40_10_15.yaml
@@ -1,14 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_must_run_as_30_10
-spec:
-  supplementalGroups:
-    rule: "MustRunAs"
-    ranges:
-      - min: 30
-        max: 40
-      - min: 10
-        max: 15
--- a/test/psps/user_must_run_as.yaml
+++ b/test/psps/user_must_run_as.yaml
@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: user_must_run_as_30
-spec:
-  runAsUser:
-    rule: "MustRunAs"
-    ranges:
-      - min: 30
-        max: 40
--- a/test/psps/user_must_run_as_non_root.yaml
+++ b/test/psps/user_must_run_as_non_root.yaml
@@ -1,9 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: user_must_run_as_non_root
-spec:
-  runAsUser:
-    rule: "MustRunAsNonRoot"
--- a/test/psps/volumes.yaml
+++ b/test/psps/volumes.yaml
@@ -1,10 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: only_secret_volumes
-spec:
-  volumes:
-    - secret
-
--- a/test/rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
+++ b/test/rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
@@ -257,7 +257,7 @@

 - rule: ClusterRole With Wildcard Created
  desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
-  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources contains '"*"' or ka.req.role.rules.verbs contains '"*"')
+  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
  output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
  priority: WARNING
  source: k8s_audit
@@ -265,11 +265,11 @@

 - macro: writable_verbs
  condition: >
-    (ka.req.role.rules.verbs contains create or
-     ka.req.role.rules.verbs contains update or
-     ka.req.role.rules.verbs contains patch or
-     ka.req.role.rules.verbs contains delete or
-     ka.req.role.rules.verbs contains deletecollection)
+    (ka.req.role.rules.verbs intersects (create) or
+     ka.req.role.rules.verbs intersects (update) or
+     ka.req.role.rules.verbs intersects (patch) or
+     ka.req.role.rules.verbs intersects (delete) or
+     ka.req.role.rules.verbs intersects (deletecollection))

 - rule: ClusterRole With Write Privileges Created
  desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
--- a/test/run_regression_tests.sh
+++ b/test/run_regression_tests.sh
@@ -100,13 +100,14 @@ function run_tests() {
    # as we're watching the return status when running avocado.
    set +e
    TEST_RC=0
-    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml $SCRIPTDIR/falco_tests_exceptions.yaml)
+    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_exceptions.yaml)

    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
        suites+=($SCRIPTDIR/falco_tests_package.yaml)
    fi

    if [ "$SKIP_PLUGINS_TESTS" = false ] ; then
+        suites+=($SCRIPTDIR/falco_k8s_audit_tests.yaml)
        suites+=($SCRIPTDIR/falco_tests_plugins.yaml)
    fi
    
--- a/test/trace_files/CMakeLists.txt
+++ b/test/trace_files/CMakeLists.txt
@@ -1,5 +1,4 @@
 add_subdirectory(k8s_audit)
-add_subdirectory(psp)
 add_subdirectory(plugins)

 include(copy_files_to_build_dir)
--- a/test/trace_files/psp/CMakeLists.txt
+++ b/test/trace_files/psp/CMakeLists.txt
@@ -1,8 +0,0 @@
-include(copy_files_to_build_dir)
-
-# Note: list of traces is created at cmake time, not build time
-file(GLOB test_trace_files
-	"${CMAKE_CURRENT_SOURCE_DIR}/*.json"
-	"${CMAKE_CURRENT_SOURCE_DIR}/*.scap")
-
-copy_files_to_build_dir("${test_trace_files}" psp)
--- a/test/trace_files/psp/capability_add_sys_nice.json
+++ b/test/trace_files/psp/capability_add_sys_nice.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8d851f81-a1b4-4e70-beab-d970f0fb2c83","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-69f955c5cb-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_NICE"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-69f955c5cb-n84gn","generateName":"nginx-deployment-69f955c5cb-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-69f955c5cb-n84gn","uid":"79e5993f-986f-11e9-81be-080027f777c0","resourceVersion":"17335","creationTimestamp":"2019-06-27T00:06:56Z","labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_NICE"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:06:56.532460Z","stageTimestamp":"2019-06-27T00:06:56.540876Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/capability_add_sys_time.json
+++ b/test/trace_files/psp/capability_add_sys_time.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8d851f81-a1b4-4e70-beab-d970f0fb2c83","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-69f955c5cb-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_TIME"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-69f955c5cb-n84gn","generateName":"nginx-deployment-69f955c5cb-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-69f955c5cb-n84gn","uid":"79e5993f-986f-11e9-81be-080027f777c0","resourceVersion":"17335","creationTimestamp":"2019-06-27T00:06:56Z","labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_TIME"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:06:56.532460Z","stageTimestamp":"2019-06-27T00:06:56.540876Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/create_vanilla_nginx_deployment.json
+++ b/test/trace_files/psp/create_vanilla_nginx_deployment.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2018-10-25T14:09:49Z"},"level":"RequestResponse","timestamp":"2018-10-25T14:09:49Z","auditID":"7c8b2603-6a87-4764-b166-49dd7fa46f4c","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["::1"],"objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-78f5d695bd-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"3491825168"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78f5d695bd","uid":"a2a78691-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler"},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-78f5d695bd-nxqz5","generateName":"nginx-deployment-78f5d695bd-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-78f5d695bd-nxqz5","uid":"a2ad81ba-d85f-11e8-88b6-080027728ac4","resourceVersion":"237324","creationTimestamp":"2018-10-25T14:09:49Z","labels":{"app":"nginx","pod-template-hash":"3491825168"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78f5d695bd","uid":"a2a78691-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-g2sp7","secret":{"secretName":"default-token-g2sp7","defaultMode":420}}],"containers":[{"name":"nginx","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-g2sp7","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2018-10-25T14:09:49.750328Z","stageTimestamp":"2018-10-25T14:09:49.761315Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/flex_volumes.json
+++ b/test/trace_files/psp/flex_volumes.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"68be6685-eca7-462a-ab53-ae65960ba638","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-5575fc4cfd-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"5575fc4cfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5575fc4cfd","uid":"bbdbd8fe-9459-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"dummy-tmp","flexVolume":{"driver":"dummy/dummy"}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"dummy-tmp","mountPath":"/dummy/tmp"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-5575fc4cfd-95vmv","generateName":"nginx-deployment-5575fc4cfd-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-5575fc4cfd-95vmv","uid":"bbde0eec-9459-11e9-9dc6-080027cac2d9","resourceVersion":"7185","creationTimestamp":"2019-06-21T19:21:13Z","labels":{"app":"nginx","pod-template-hash":"5575fc4cfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5575fc4cfd","uid":"bbdbd8fe-9459-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"dummy-tmp","flexVolume":{"driver":"dummy/dummy"}},{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"dummy-tmp","mountPath":"/dummy/tmp"},{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T19:21:13.637829Z","stageTimestamp":"2019-06-21T19:21:13.648070Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/fs_group.json
+++ b/test/trace_files/psp/fs_group.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"80e45c71-0618-4e6a-af42-fa13b83f8d03","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-6fc66bd775-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"6fc66bd775"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6fc66bd775","uid":"90bfb948-9462-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"fsGroup":2000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-6fc66bd775-z6txl","generateName":"nginx-deployment-6fc66bd775-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-6fc66bd775-z6txl","uid":"90c2433c-9462-11e9-9dc6-080027cac2d9","resourceVersion":"8201","creationTimestamp":"2019-06-21T20:24:26Z","labels":{"app":"nginx","pod-template-hash":"6fc66bd775"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6fc66bd775","uid":"90bfb948-9462-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"fsGroup":2000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T20:24:26.783217Z","stageTimestamp":"2019-06-21T20:24:26.790787Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/host_ipc.json
+++ b/test/trace_files/psp/host_ipc.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"e2c061fc-7b81-4e1e-b1d2-a54b5ee93920","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"73a5fa38-9230-11e9-9af2-08002760e39e","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-755c58cb7c-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"755c58cb7c"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-755c58cb7c","uid":"cd652bbf-9232-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostIPC":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-755c58cb7c-vrx4n","generateName":"nginx-deployment-755c58cb7c-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-755c58cb7c-vrx4n","uid":"cd67586f-9232-11e9-b061-08002760e39e","resourceVersion":"1628","creationTimestamp":"2019-06-19T01:37:30Z","labels":{"app":"nginx","pod-template-hash":"755c58cb7c"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-755c58cb7c","uid":"cd652bbf-9232-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-7t8xw","secret":{"secretName":"default-token-7t8xw","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-7t8xw","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostIPC":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-19T01:37:30.360992Z","stageTimestamp":"2019-06-19T01:37:30.365019Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/host_network.json
+++ b/test/trace_files/psp/host_network.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"f7c424ca-5028-4e01-9d95-199caaae240d","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-5dc5447c47-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"5dc5447c47"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5dc5447c47","uid":"3556e44d-944d-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-5dc5447c47-fp5m4","generateName":"nginx-deployment-5dc5447c47-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-5dc5447c47-fp5m4","uid":"3558a533-944d-11e9-993f-080027cac2d9","resourceVersion":"619","creationTimestamp":"2019-06-21T17:51:33Z","labels":{"app":"nginx","pod-template-hash":"5dc5447c47"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5dc5447c47","uid":"3556e44d-944d-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T17:51:33.989119Z","stageTimestamp":"2019-06-21T17:51:33.994788Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/host_network_ports.json
+++ b/test/trace_files/psp/host_network_ports.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"ff8f799f-6d31-43e8-a55c-95497daca0f2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-84ffbbb976-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"84ffbbb976"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-84ffbbb976","uid":"8742e6a8-944f-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","ports":[{"hostPort":1234,"containerPort":1234,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-84ffbbb976-5tnlg","generateName":"nginx-deployment-84ffbbb976-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-84ffbbb976-5tnlg","uid":"87447a8c-944f-11e9-993f-080027cac2d9","resourceVersion":"1841","creationTimestamp":"2019-06-21T18:08:10Z","labels":{"app":"nginx","pod-template-hash":"84ffbbb976"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-84ffbbb976","uid":"8742e6a8-944f-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","ports":[{"hostPort":1234,"containerPort":1234,"protocol":"TCP"}],"resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T18:08:10.423301Z","stageTimestamp":"2019-06-21T18:08:10.432566Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/host_pid.json
+++ b/test/trace_files/psp/host_pid.json
@@ -1,2 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"3df89bb7-9071-4f0c-afab-339ebec678c0","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"73a5fa38-9230-11e9-9af2-08002760e39e","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-6c6f946f-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"6c6f946f"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6c6f946f","uid":"db5afd7f-9230-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-6c6f946f-9c727","generateName":"nginx-deployment-6c6f946f-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-6c6f946f-9c727","uid":"db5df1e0-9230-11e9-b061-08002760e39e","resourceVersion":"597","creationTimestamp":"2019-06-19T01:23:34Z","labels":{"app":"nginx","pod-template-hash":"6c6f946f"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6c6f946f","uid":"db5afd7f-9230-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-7t8xw","secret":{"secretName":"default-token-7t8xw","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-7t8xw","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-19T01:23:34.789147Z","stageTimestamp":"2019-06-19T01:23:34.798230Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
-
--- a/test/trace_files/psp/mount_etc_using_host_path.json
+++ b/test/trace_files/psp/mount_etc_using_host_path.json
@@ -1 +0,0 @@
-{"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""},"auditID":"e456c9cf-9abe-4fa1-8526-e014da96821b","kind":"Event","level":"RequestResponse","metadata":{"creationTimestamp":"2018-10-25T17:36:11Z"},"objectRef":{"apiVersion":"v1","namespace":"default","resource":"pods"},"requestObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":null,"generateName":"nginx-deployment-7d5b5dd9cf-","labels":{"app":"nginx","pod-template-hash":"3816188579"},"ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-7d5b5dd9cf","uid":"76dd668b-d87c-11e8-88b6-080027728ac4"}]},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/host/etc","name":"etc"}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30,"volumes":[{"hostPath":{"path":"/etc","type":""},"name":"etc"}]},"status":{}},"requestReceivedTimestamp":"2018-10-25T17:36:11.686139Z","requestURI":"/api/v1/namespaces/default/pods","responseObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":"2018-10-25T17:36:11Z","generateName":"nginx-deployment-7d5b5dd9cf-","labels":{"app":"nginx","pod-template-hash":"3816188579"},"name":"nginx-deployment-7d5b5dd9cf-t8ngb","namespace":"default","ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-7d5b5dd9cf","uid":"76dd668b-d87c-11e8-88b6-080027728ac4"}],"resourceVersion":"245060","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-7d5b5dd9cf-t8ngb","uid":"76e27404-d87c-11e8-88b6-080027728ac4"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/host/etc","name":"etc"},{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}],"volumes":[{"hostPath":{"path":"/etc","type":""},"name":"etc"},{"name":"default-token-g2sp7","secret":{"defaultMode":420,"secretName":"default-token-g2sp7"}}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"responseStatus":{"code":201,"metadata":{}},"sourceIPs":["::1"],"stage":"ResponseComplete","stageTimestamp":"2018-10-25T17:36:11.693676Z","timestamp":"2018-10-25T17:36:11Z","user":{"groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","username":"system:serviceaccount:kube-system:replicaset-controller"},"verb":"create"}
--- a/test/trace_files/psp/privilege_escalation.json
+++ b/test/trace_files/psp/privilege_escalation.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"eaf82da5-32c1-4acf-83f1-6da93c5242f0","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-78d8d6bdfd-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"78d8d6bdfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78d8d6bdfd","uid":"550d4911-986c-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"allowPrivilegeEscalation":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-78d8d6bdfd-tps4s","generateName":"nginx-deployment-78d8d6bdfd-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-78d8d6bdfd-tps4s","uid":"550fa465-986c-11e9-81be-080027f777c0","resourceVersion":"15688","creationTimestamp":"2019-06-26T23:44:26Z","labels":{"app":"nginx","pod-template-hash":"78d8d6bdfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78d8d6bdfd","uid":"550d4911-986c-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"allowPrivilegeEscalation":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T23:44:26.246566Z","stageTimestamp":"2019-06-26T23:44:26.252565Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/privileged.json
+++ b/test/trace_files/psp/privileged.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2018-10-25T14:09:12Z"},"level":"RequestResponse","timestamp":"2018-10-25T14:09:12Z","auditID":"a362d22b-db3c-4590-9505-23782f12925f","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["::1"],"objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-5cdcc99dbf-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"1787755869"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5cdcc99dbf","uid":"8c800470-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"privileged":true}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler"},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-5cdcc99dbf-rgw6z","generateName":"nginx-deployment-5cdcc99dbf-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-5cdcc99dbf-rgw6z","uid":"8c845395-d85f-11e8-88b6-080027728ac4","resourceVersion":"237252","creationTimestamp":"2018-10-25T14:09:12Z","labels":{"app":"nginx","pod-template-hash":"1787755869"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5cdcc99dbf","uid":"8c800470-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-g2sp7","secret":{"secretName":"default-token-g2sp7","defaultMode":420}}],"containers":[{"name":"nginx","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-g2sp7","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"privileged":true}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2018-10-25T14:09:12.572676Z","stageTimestamp":"2018-10-25T14:09:12.581541Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/privileged.scap
+++ b/test/trace_files/psp/privileged.scap
--- a/test/trace_files/psp/proc_mount_type_default.json
+++ b/test/trace_files/psp/proc_mount_type_default.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"bda8604a-87cf-4b49-8f2e-48d47c4e1840","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-9c6775499-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"9c6775499"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-9c6775499","uid":"abd49201-9874-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-9c6775499-glf7l","generateName":"nginx-deployment-9c6775499-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-9c6775499-glf7l","uid":"abd68488-9874-11e9-81be-080027f777c0","resourceVersion":"20036","creationTimestamp":"2019-06-27T00:44:07Z","labels":{"app":"nginx","pod-template-hash":"9c6775499"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-9c6775499","uid":"abd49201-9874-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:44:07.805965Z","stageTimestamp":"2019-06-27T00:44:07.813584Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/proc_mount_type_unmasked.json
+++ b/test/trace_files/psp/proc_mount_type_unmasked.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"bda8604a-87cf-4b49-8f2e-48d47c4e1840","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-9c6775499-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"9c6775499"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-9c6775499","uid":"abd49201-9874-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"procMount":"Unmasked"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-9c6775499-glf7l","generateName":"nginx-deployment-9c6775499-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-9c6775499-glf7l","uid":"abd68488-9874-11e9-81be-080027f777c0","resourceVersion":"20036","creationTimestamp":"2019-06-27T00:44:07Z","labels":{"app":"nginx","pod-template-hash":"9c6775499"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-9c6775499","uid":"abd49201-9874-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"procMount":"Unmasked"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:44:07.805965Z","stageTimestamp":"2019-06-27T00:44:07.813584Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/read_only_root_fs.json
+++ b/test/trace_files/psp/read_only_root_fs.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"cbcb4206-450e-492c-a44c-26ba811965ca","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-8f966b568-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"8f966b568"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-8f966b568","uid":"30325696-9477-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"readOnlyRootFilesystem":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-8f966b568-ph7gk","generateName":"nginx-deployment-8f966b568-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-8f966b568-ph7gk","uid":"30371f6c-9477-11e9-9dc6-080027cac2d9","resourceVersion":"18855","creationTimestamp":"2019-06-21T22:52:04Z","labels":{"app":"nginx","pod-template-hash":"8f966b568"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-8f966b568","uid":"30325696-9477-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"readOnlyRootFilesystem":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T22:52:04.226660Z","stageTimestamp":"2019-06-21T22:52:04.248318Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_group_1000_container.json
+++ b/test/trace_files/psp/run_as_group_1000_container.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1e7837de-ccd0-4931-9ec4-b75fbe8e0114","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-595c684c7-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-595c684c7-wnvgc","generateName":"nginx-deployment-595c684c7-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-595c684c7-wnvgc","uid":"dd59225b-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20817","creationTimestamp":"2019-06-21T23:18:23Z","labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:23.200392Z","stageTimestamp":"2019-06-21T23:18:23.207132Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_group_1000_sec_ctx.json
+++ b/test/trace_files/psp/run_as_group_1000_sec_ctx.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsGroup":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsGroup":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
+++ b/test/trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsGroup":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsGroup":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_group_30_container.json
+++ b/test/trace_files/psp/run_as_group_30_container.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1e7837de-ccd0-4931-9ec4-b75fbe8e0114","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-595c684c7-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-595c684c7-wnvgc","generateName":"nginx-deployment-595c684c7-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-595c684c7-wnvgc","uid":"dd59225b-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20817","creationTimestamp":"2019-06-21T23:18:23Z","labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:23.200392Z","stageTimestamp":"2019-06-21T23:18:23.207132Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_group_30_sec_ctx.json
+++ b/test/trace_files/psp/run_as_group_30_sec_ctx.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsGroup":30},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsGroup":30},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
+++ b/test/trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsGroup":30},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsGroup":30},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_0_container.json
+++ b/test/trace_files/psp/run_as_user_0_container.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"39b4acbc-9e5c-451d-a106-104d6be5c87f","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-86847998c8-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"86847998c8"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-86847998c8","uid":"eec53a01-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":0,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-86847998c8-8r7lr","generateName":"nginx-deployment-86847998c8-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-86847998c8-8r7lr","uid":"eec6db0e-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20888","creationTimestamp":"2019-06-21T23:18:52Z","labels":{"app":"nginx","pod-template-hash":"86847998c8"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-86847998c8","uid":"eec53a01-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":0,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:52.443785Z","stageTimestamp":"2019-06-21T23:18:52.447067Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_0_container.scap
+++ b/test/trace_files/psp/run_as_user_0_container.scap
--- a/test/trace_files/psp/run_as_user_0_sec_ctx.json
+++ b/test/trace_files/psp/run_as_user_0_sec_ctx.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":0},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":0},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_0_sec_ctx_1000_container.json
+++ b/test/trace_files/psp/run_as_user_0_sec_ctx_1000_container.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":0},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":0},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_1000_container.json
+++ b/test/trace_files/psp/run_as_user_1000_container.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1e7837de-ccd0-4931-9ec4-b75fbe8e0114","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-595c684c7-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-595c684c7-wnvgc","generateName":"nginx-deployment-595c684c7-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-595c684c7-wnvgc","uid":"dd59225b-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20817","creationTimestamp":"2019-06-21T23:18:23Z","labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:23.200392Z","stageTimestamp":"2019-06-21T23:18:23.207132Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_1000_sec_ctx.json
+++ b/test/trace_files/psp/run_as_user_1000_sec_ctx.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_1000_sec_ctx_0_container.json
+++ b/test/trace_files/psp/run_as_user_1000_sec_ctx_0_container.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":0,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":0,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_1000_sec_ctx_30_container.json
+++ b/test/trace_files/psp/run_as_user_1000_sec_ctx_30_container.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_30_container.json
+++ b/test/trace_files/psp/run_as_user_30_container.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1e7837de-ccd0-4931-9ec4-b75fbe8e0114","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-595c684c7-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-595c684c7-wnvgc","generateName":"nginx-deployment-595c684c7-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-595c684c7-wnvgc","uid":"dd59225b-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20817","creationTimestamp":"2019-06-21T23:18:23Z","labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:23.200392Z","stageTimestamp":"2019-06-21T23:18:23.207132Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_30_sec_ctx.json
+++ b/test/trace_files/psp/run_as_user_30_sec_ctx.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":30},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":30},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_30_sec_ctx_1000_container.json
+++ b/test/trace_files/psp/run_as_user_30_sec_ctx_1000_container.json
@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":30},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":30},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_65534_container.scap
+++ b/test/trace_files/psp/run_as_user_65534_container.scap
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8d851f81-a1b4-4e70-beab-d970f0fb2c83","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-69f955c5cb-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_NICE"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-69f955c5cb-n84gn","generateName":"nginx-deployment-69f955c5cb-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-69f955c5cb-n84gn","uid":"79e5993f-986f-11e9-81be-080027f777c0","resourceVersion":"17335","creationTimestamp":"2019-06-27T00:06:56Z","labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_NICE"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:06:56.532460Z","stageTimestamp":"2019-06-27T00:06:56.540876Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
				`@@ -1,2 +0,0 @@`
				{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"3df89bb7-9071-4f0c-afab-339ebec678c0","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"73a5fa38-9230-11e9-9af2-08002760e39e","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-6c6f946f-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"6c6f946f"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6c6f946f","uid":"db5afd7f-9230-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-6c6f946f-9c727","generateName":"nginx-deployment-6c6f946f-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-6c6f946f-9c727","uid":"db5df1e0-9230-11e9-b061-08002760e39e","resourceVersion":"597","creationTimestamp":"2019-06-19T01:23:34Z","labels":{"app":"nginx","pod-template-hash":"6c6f946f"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6c6f946f","uid":"db5afd7f-9230-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-7t8xw","secret":{"secretName":"default-token-7t8xw","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-7t8xw","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-19T01:23:34.789147Z","stageTimestamp":"2019-06-19T01:23:34.798230Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
				`@@ -1 +0,0 @@`
				{"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""},"auditID":"e456c9cf-9abe-4fa1-8526-e014da96821b","kind":"Event","level":"RequestResponse","metadata":{"creationTimestamp":"2018-10-25T17:36:11Z"},"objectRef":{"apiVersion":"v1","namespace":"default","resource":"pods"},"requestObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":null,"generateName":"nginx-deployment-7d5b5dd9cf-","labels":{"app":"nginx","pod-template-hash":"3816188579"},"ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-7d5b5dd9cf","uid":"76dd668b-d87c-11e8-88b6-080027728ac4"}]},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/host/etc","name":"etc"}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30,"volumes":[{"hostPath":{"path":"/etc","type":""},"name":"etc"}]},"status":{}},"requestReceivedTimestamp":"2018-10-25T17:36:11.686139Z","requestURI":"/api/v1/namespaces/default/pods","responseObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":"2018-10-25T17:36:11Z","generateName":"nginx-deployment-7d5b5dd9cf-","labels":{"app":"nginx","pod-template-hash":"3816188579"},"name":"nginx-deployment-7d5b5dd9cf-t8ngb","namespace":"default","ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-7d5b5dd9cf","uid":"76dd668b-d87c-11e8-88b6-080027728ac4"}],"resourceVersion":"245060","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-7d5b5dd9cf-t8ngb","uid":"76e27404-d87c-11e8-88b6-080027728ac4"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/host/etc","name":"etc"},{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}],"volumes":[{"hostPath":{"path":"/etc","type":""},"name":"etc"},{"name":"default-token-g2sp7","secret":{"defaultMode":420,"secretName":"default-token-g2sp7"}}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"responseStatus":{"code":201,"metadata":{}},"sourceIPs":["::1"],"stage":"ResponseComplete","stageTimestamp":"2018-10-25T17:36:11.693676Z","timestamp":"2018-10-25T17:36:11Z","user":{"groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","username":"system:serviceaccount:kube-system:replicaset-controller"},"verb":"create"}