Make google_containers/kube-proxy a trusted image.

Add google_containers/kube-proxy as a trusted image (can be run privileged, can mount sensitive filesystems). While our k8s deployments run kube-proxy via the hyperkube image, evidently it's sometimes run via its own image. This is one of the fixes for #156. Also update the output message for this rule.
falcosecurity · Dec 7, 2016 · 27f4935 · 27f4935
1 parent a616301
commit 27f4935
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -287,12 +287,12 @@
   priority: WARNING
 
 - macro: trusted_containers
-  condition: (container.image startswith sysdig/agent or container.image startswith sysdig/falco or container.image startswith sysdig/sysdig or container.image startswith gcr.io/google_containers/hyperkube)
+  condition: (container.image startswith sysdig/agent or container.image startswith sysdig/falco or container.image startswith sysdig/sysdig or container.image startswith gcr.io/google_containers/hyperkube or container.image startswith gcr.io/google_containers/kube-proxy)
 
 - rule: File Open by Privileged Container
   desc: Any open by a privileged container. Exceptions are made for known trusted images.
   condition: (open_read or open_write) and container and container.privileged=true and not trusted_containers
-  output: File opened for read/write by non-privileged container (user=%user.name command=%proc.cmdline %container.info file=%fd.name)
+  output: File opened for read/write by privileged container (user=%user.name command=%proc.cmdline %container.info file=%fd.name)
   priority: WARNING
 
 - macro: sensitive_mount