falco/test/trace_files/psp/privilege_escalation.json

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"eaf82da5-32c1-4acf-83f1-6da93c5242f0","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-78d8d6bdfd-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"78d8d6bdfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78d8d6bdfd","uid":"550d4911-986c-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"allowPrivilegeEscalation":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-78d8d6bdfd-tps4s","generateName":"nginx-deployment-78d8d6bdfd-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-78d8d6bdfd-tps4s","uid":"550fa465-986c-11e9-81be-080027f777c0","resourceVersion":"15688","creationTimestamp":"2019-06-26T23:44:26Z","labels":{"app":"nginx","pod-template-hash":"78d8d6bdfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78d8d6bdfd","uid":"550d4911-986c-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"allowPrivilegeEscalation":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T23:44:26.246566Z","stageTimestamp":"2019-06-26T23:44:26.252565Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}