From f7b4b5e1f104c9578d53076db8ee9fe625e5f19b Mon Sep 17 00:00:00 2001
From: Leo Di Donato
Date: Mon, 21 Jun 2021 11:22:37 +0200
Subject: [PATCH 1/3] update(rules): remove falco_hostnetwork_images list (unused)

The `falco_hostnetwork_images` list is unused. This PR removes it to avoid the warning.

```console
When reading rules content: 1 warnings:
list falco_hostnetwork_images not refered to by any rule/macro/list
```

Signed-off-by: Leonardo Di Donato
---
 rules/falco_rules.yaml | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 2e160c9778a..89a1eae1996 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1871,19 +1871,6 @@
 container.image.repository in (falco_sensitive_mount_images) or
 container.image.repository startswith quay.io/sysdig/)
-# These container images are allowed to run with hostnetwork=true
-- list: falco_hostnetwork_images
- items: [
- gcr.io/google-containers/prometheus-to-sd,
- gcr.io/projectcalico-org/typha,
- gcr.io/projectcalico-org/node,
- gke.gcr.io/gke-metadata-server,
- gke.gcr.io/kube-proxy,
- gke.gcr.io/netd-amd64,
- k8s.gcr.io/ip-masq-agent-amd64
- k8s.gcr.io/prometheus-to-sd,
- ]
-
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to specify additional containers that are
 # allowed to perform sensitive mounts.
From d3d3f5765edccb6c9506b939f4aec781824e3fa5 Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato
Date: Wed, 23 Jun 2021 18:41:02 +0200
Subject: [PATCH 2/3] update(rules): move falco_hostnetwork_images list to k8s audit rules

Co-authored-by: Leonardo Grasso
Signed-off-by: Leonardo Di Donato
---
 rules/k8s_audit_rules.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index 71af78b3468..73611abf3dc 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -152,6 +152,19 @@
 source: k8s_audit
 tags: [k8s]
+# These container images are allowed to run with hostnetwork=true
+- list: falco_hostnetwork_images
+ items: [
+ gcr.io/google-containers/prometheus-to-sd,
+ gcr.io/projectcalico-org/typha,
+ gcr.io/projectcalico-org/node,
+ gke.gcr.io/gke-metadata-server,
+ gke.gcr.io/kube-proxy,
+ gke.gcr.io/netd-amd64,
+ k8s.gcr.io/ip-masq-agent-amd64
+ k8s.gcr.io/prometheus-to-sd,
+ ]
+
 # Corresponds to K8s CIS Benchmark 1.7.4
 - rule: Create HostNetwork Pod
 desc: Detect an attempt to start a pod using the host network.
From 85dc62e0cb15eb95d9ed7d7d16e4b27c424bf57b Mon Sep 17 00:00:00 2001
From: Leonardo Grasso
Date: Mon, 24 Jan 2022 14:16:35 +0100
Subject: [PATCH 3/3] fix(test): falco_hostnetwork_images list is now in k8s_audit_rules.yaml

Co-Authored-by: Jason Dellaluce
Signed-off-by: Leonardo Grasso
---
 test/falco_k8s_audit_tests.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/test/falco_k8s_audit_tests.yaml b/test/falco_k8s_audit_tests.yaml
index ad8ccd3ffa7..b382d4833bf 100644
--- a/test/falco_k8s_audit_tests.yaml
+++ b/test/falco_k8s_audit_tests.yaml
@@ -49,6 +49,7 @@ trace_files: !mux
 detect: False
 rules_file:
 - ../rules/falco_rules.yaml
+ - ../rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
 - ./rules/k8s_audit/trust_nginx_container.yaml
 trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
@@ -74,6 +75,7 @@ trace_files: !mux
 detect: False
 rules_file:
 - ../rules/falco_rules.yaml
+ - ../rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
 - ./rules/k8s_audit/trust_nginx_container.yaml
 trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
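Review bot: The moved list still has no comma after `k8s.gcr.io/ip-masq-agent-amd64`, so inside the `items: [ ... ]` flow sequence YAML folds that line and the next into one plain scalar, `k8s.gcr.io/ip-masq-agent-amd64 k8s.gcr.io/prometheus-to-sd`, and neither repository can ever match; the removal hunk in PATCH 1/3 shows the same defect was carried over rather than fixed. The one-character fix is `k8s.gcr.io/ip-masq-agent-amd64,`. Since the comment declares this list an allowlist for host-network pods, the likely effect is extra alerts for those two images rather than missed ones, which is worth confirming against the `Create HostNetwork Pod` condition that continues below the hunk. Only the definition is visible here; if that rule's condition does not reference `falco_hostnetwork_images`, the "not refered to by any rule/macro/list" warning that motivated PATCH 1/3 simply moves to this file.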