mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-22 03:49:36 +00:00
357da40fc4
Instead of using the request object to identify service account tokens, exclude any secrets activity by system users (e.g. users starting with "system:"). This allows the rules to work on k8s audit events at Metadata level instead of RequestResponse level. Also change the example objects for automated tests to ones collected at Metadata level. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>