mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 19:44:57 +00:00
Previously, the exceptions for Launch Privileged Container/Launch Sensitive Mount Container came from a list of "trusted" images and/or a macro that defined "trusted" containers.

We want more fine-grained control over the exceptions for these rules, so split them into exception lists/macros that are specific to each rule. This defines:

- falco_privileged_images: only those images that are known to require privileged=true
- falco_privileged_containers: uses privileged_images and (for now) still allows all openshift images
- user_privileged_containers: allows user exceptions
- falco_sensitive_mount_images: only those images that are known to perform sensitive mounts
- falco_sensitive_mount_containers: uses sensitive_mount_images
- user_sensitive_mount_containers: allows user exceptions

For backwards compatibility purposes only, we keep the trusted_images list and user_trusted_containers macro and they are still used as exceptions for both rules. Comments recommend using the more fine-grained alternatives, though.

While defining these lists, also do another survey to see if they still require these permissions and remove them if they didn't.

Removed:
- quay.io/coreos/flannel
- consul

Moved to sensitive mount only:
- gcr.io/google_containers/hyperkube
- datadog
- gliderlabs/logspout

Finally, get rid of the k8s audit-specific lists of privileged/sensitive mount images, relying on the ones in falco_rules.yaml.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
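The exception layering the commit message describes, shown as an added illustration in Falco rules YAML. This is not the project's own falco_rules.yaml text: the list and macro names, the two rule names, and the three images on the sensitive-mount list are taken from the commit message; the bodies of the `container_started`, `openshift_image`, `sensitive_mount` and `never_true` macros, the placeholder privileged image, the rule descriptions and the output strings are assumptions made for this example.

```yaml
# Added illustration of the per-rule exception lists; not the project's own
# falco_rules.yaml. Names marked "from the commit message" are the ones the
# change introduces; every macro body and the placeholder image are assumed.

# --- shared helpers (assumed bodies, not from the commit message) ---
- macro: container_started
  condition: (evt.type = container or (evt.type = execve and evt.dir = < and proc.vpid = 1))

# Matches the whole openshift3/ namespace; this is the "still allows all
# openshift images" exemption the message says is kept for now.
- macro: openshift_image
  condition: (container.image.repository startswith openshift3/)

# A mount of a sensitive host path into the container (assumed definition).
- macro: sensitive_mount
  condition: >
    (container.mount.dest[/proc*] != "<NA>" or
     container.mount.dest[/var/run/docker.sock] != "<NA>" or
     container.mount.dest[/] != "<NA>")

# Placeholder for "no exception"; users override the user_* macros below.
- macro: never_true
  condition: (evt.num=0)

# --- privileged-container exceptions (names from the commit message) ---
- list: falco_privileged_images
  items: [docker.io/example/needs-privileged]   # constructed placeholder entry

- macro: falco_privileged_containers
  condition: (openshift_image or container.image.repository in (falco_privileged_images))

# Site-specific exceptions: redefine this macro in falco_rules.local.yaml.
- macro: user_privileged_containers
  condition: (never_true)

# --- sensitive-mount exceptions (names from the commit message) ---
# These three images moved here from the old shared trusted list, so they
# are now exempt from the sensitive-mount rule only, not the privileged rule.
- list: falco_sensitive_mount_images
  items: [gcr.io/google_containers/hyperkube, datadog, gliderlabs/logspout]

- macro: falco_sensitive_mount_containers
  condition: (container.image.repository in (falco_sensitive_mount_images))

- macro: user_sensitive_mount_containers
  condition: (never_true)

# --- backwards-compatibility hooks, still consulted by both rules ---
# Anything placed here is exempt from BOTH rules; prefer the per-rule
# lists/macros above, which is what the commit message recommends.
- list: trusted_images
  items: []

- macro: trusted_containers
  condition: (container.image.repository in (trusted_images))

- macro: user_trusted_containers
  condition: (never_true)

- rule: Launch Privileged Container
  desc: Initial process in a privileged container, minus known images and user exceptions (assumed wording)
  condition: >
    container_started and container
    and container.privileged=true
    and not falco_privileged_containers
    and not user_privileged_containers
    and not trusted_containers
    and not user_trusted_containers
  output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
  priority: INFO
  tags: [container, cis]

- rule: Launch Sensitive Mount Container
  desc: Initial process in a container mounting a sensitive host path, minus known images and user exceptions (assumed wording)
  condition: >
    container_started and container
    and sensitive_mount
    and not falco_sensitive_mount_containers
    and not user_sensitive_mount_containers
    and not trusted_containers
    and not user_trusted_containers
  output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts)
  priority: INFO
  tags: [container, cis]
```

The security-relevant point of the split is visible in the two `condition:` blocks: an image on `falco_sensitive_mount_images` (hyperkube, datadog, logspout in this example) is still alerted on if it is launched with privileged=true, whereas the legacy `trusted_images`/`user_trusted_containers` path silences both rules at once. To add a site-specific exception, redefine the matching `user_*` macro in a local rules file (for example `user_privileged_containers` with a `container.image.repository = ...` condition) rather than growing `trusted_images`, so the exemption stays scoped to the one rule that needs it.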