Mark Stemm 357da40fc4 Only use metadata in k8s audit event for secrets ...

Instead of using the request object to identify service account tokens,
exclude any secrets activity by system users (e.g. users starting with
"system:"). This allows the rules to work on k8s audit events at
Metadata level instead of RequestResponse level.

Also change the example objects for automated tests to ones collected at
Metadata level.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

2020-04-22 21:00:38 +02:00

..

k8s_audit

Only use metadata in k8s audit event for secrets

2020-04-22 21:00:38 +02:00

psp

Add automated tests for K8s PSP Support

2019-10-15 19:45:31 +02:00

cat_write.scap

…

CMakeLists.txt

Add automated tests for K8s PSP Support

2019-10-15 19:45:31 +02:00

connect_localhost.scap

Unit test for fd.net + in operator fixes (#343)

2018-04-04 14:23:21 -07:00

empty.scap

Remove containers from empty capture file

2019-07-31 12:18:47 -07:00

open-multiple-files.scap

Add automated tests for tagged rules

2017-02-08 11:08:36 -08:00

ping_sendto.scap

Flag excess drops (#561)

2019-03-27 15:50:39 -07:00

syscall.scap

Properly support syscalls in filter conditions (#352)

2018-04-17 17:14:45 -07:00