From 59ce2458fa7bf31ab8a6d1a2412c73efebd1576c Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 7 Dec 2016 15:15:36 -0800 Subject: [PATCH] Make google_containers/kube-proxy a trusted image. Add google_containers/kube-proxy as a trusted image (can be run privileged, can mount sensitive filesystems). While our k8s deployments run kube-proxy via the hyperkube image, evidently it's sometimes run via its own image. This is one of the fixes for #156. Also update the output message for this rule. --- rules/falco_rules.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index b554c9f5e39..2ae9b8b90fa 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -287,12 +287,12 @@ priority: WARNING - macro: trusted_containers - condition: (container.image startswith sysdig/agent or container.image startswith sysdig/falco or container.image startswith sysdig/sysdig or container.image startswith gcr.io/google_containers/hyperkube) + condition: (container.image startswith sysdig/agent or container.image startswith sysdig/falco or container.image startswith sysdig/sysdig or container.image startswith gcr.io/google_containers/hyperkube or container.image startswith gcr.io/google_containers/kube-proxy) - rule: File Open by Privileged Container desc: Any open by a privileged container. Exceptions are made for known trusted images. condition: (open_read or open_write) and container and container.privileged=true and not trusted_containers - output: File opened for read/write by non-privileged container (user=%user.name command=%proc.cmdline %container.info file=%fd.name) + output: File opened for read/write by privileged container (user=%user.name command=%proc.cmdline %container.info file=%fd.name) priority: WARNING - macro: sensitive_mount