falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0
7.3k stars 897 forks

How do I stop events generating for a particular pod? #2805

Open manojdeshmukh45 opened 1 year ago

manojdeshmukh45 commented 1 year ago

I need to drop all events related to one particular container.

I used this rule

Here it's giving me an error that there is no output and priority key; if I add those two, again I'll get an alert as "INFO Exclude All Alerts and Drop Events for Specific Pod Name".

where I don't need an alert at all.

Andreagit97 commented 1 year ago

Hey @manojdeshmukh45, you probably need to add container.name != "b2auto-re" in all the rules from which you don't want to receive alerts.

The rule you posted does nothing in the Falco lingo :/
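One way to apply the suggestion above without editing the upstream rules file, as an added example that is not part of the original thread or the Falco project's own rules: a local rules file that appends the exclusion to each rule's condition. It assumes a Falco release that supports the `override` key (older releases use `append: true` instead), and the two rule names are only assumed examples of rules you might have loaded.

```yaml
# Local rules file, loaded AFTER the rules file it modifies.
# Container name is the one from the thread; rule names are assumed examples.

# Single place to maintain the exclusion.
- macro: excluded_container
  condition: (container.name = "b2auto-re")

# Append the exclusion to each rule that should stay silent for that container.
# No output/priority keys are needed: the original rule keeps its own.
- rule: Terminal shell in container
  condition: and not excluded_container
  override:
    condition: append

- rule: Read sensitive file untrusted
  condition: and not excluded_container
  override:
    condition: append

# Caveat: the appended text is concatenated to the end of the original
# condition. If the original has a top-level "or" (a or b), the result is
# "a or b and not excluded_container", where "and" binds only to b.
# Review the final condition of every rule you touch.
```

This suppresses alerts from the listed rules only; any rule not given an append entry still fires for that container.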

Andreagit97 commented 1 year ago

I read the thread here https://kubernetes.slack.com/archives/CMWH3EH32/p1694596477483489, this seems more of a feature request than a bug, so I will change the label.

Andreagit97 commented 1 year ago

Maybe we could add the equivalent of -p but for the conditions, WDYT? @falcosecurity/falco-maintainers?

leogr commented 1 year ago

> Maybe we could add the equivalent of -p but for the conditions, WDYT? @falcosecurity/falco-maintainers?

Not sure. Since this directly affects rules evaluation, it should be part of a rules file (and not an option), IMO.

Anyway, I agree we should think about this feature. It looks like a global condition exception.

poiana commented 8 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

leogr commented 8 months ago

/remove-lifecycle stale

poiana commented 5 months ago

/lifecycle stale

Andreagit97 commented 5 months ago

/remove-lifecycle stale

poiana commented 2 months ago

/lifecycle stale

Andreagit97 commented 2 months ago

/remove-lifecycle stale