Open jtl-novatec opened 2 months ago
Hopefully #468 fixes this as well, as this seems to be related to the standard k8saudit rules.
The EKS audit plugin has a similar version property, does this have to be bumped as well?
I don't think so, as the k8saudit-eks plugin itself defines no rules. It uses the default k8saudit rules (from the k8saudit plugin).
falcosecurity k8saudit plugin ghcr.io falcosecurity/plugins/plugin/k8saudit
falcosecurity k8saudit-eks plugin ghcr.io falcosecurity/plugins/plugin/k8saudit-eks
falcosecurity k8saudit-gke plugin ghcr.io falcosecurity/plugins/plugin/k8saudit-gke
falcosecurity k8saudit-gke-rules rulesfile ghcr.io falcosecurity/plugins/ruleset/k8saudit-gke
falcosecurity k8saudit-rules rulesfile ghcr.io falcosecurity/plugins/ruleset/k8saudit
Exactly, the k8saudit-eks plugin relies on the k8saudit-rules. By installing the latest version, it should be ok thanks to @sboschman.
Describe the bug
When I looked at the k8s_audit_rules.yaml of my falco deployment (uses the k8saudit-eks plugin), I noticed that there are rules that use variables which aren't defined anywhere. For example:
falco_privileged_images -> only exists inside falco_rules.yaml
falco_sensitive_mount_images -> doesn't get defined anywhere (there is only a comment about it in falco_rules.yaml)
The rules_file example of the plugin's documentation suggests that you don't mount falco_rules.yaml in the deployment. Therefore, users cannot specify an overwrite to append items to that list.
Expected behaviour
The following commit seems to be related to this problem as it tries to introduce / rename lists from falco_ to k8s_audit_. The current version of the rules files already addresses this problem (see). However, it looks like the k8saudit-eks plugin hasn't been updated accordingly.
Environment
Kubernetes via Helm Chart falco-4.3.0
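An added example, not part of the issue or of the Falco project: a heuristic check for list names that rule conditions reference but none of the loaded rules files defines, which is the situation the bug report describes. The rule snippets are constructed and trimmed to the keys the check reads; `k8s_audit_allowed_images` and `undefined_list_refs` are hypothetical names, and treating a bare identifier containing an underscore as a list reference is an assumption.

```python
import re

# Constructed sample input, not the real Falco rules files.
K8S_AUDIT_RULES = """\
- list: k8s_audit_allowed_images
  items: [docker.io/library/nginx]

- macro: allowed_image
  condition: ka.req.pod.containers.image.repository in (k8s_audit_allowed_images)

- rule: Create Privileged Pod
  condition: >
    ka.verb in (create, update) and
    not ka.req.pod.containers.image.repository in (falco_privileged_images)

- rule: Create Sensitive Mount Pod
  condition: not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
"""

# Constructed stand-in for the file that is not mounted in the deployment.
FALCO_RULES = """\
- list: falco_privileged_images
  items: [docker.io/falcosecurity/falco]
"""

DEFINITION = re.compile(r"^- (?:list|macro):\s*(\S+)", re.M)
IN_CLAUSE = re.compile(r"\bin\s*\(([^()]*)\)")
# Heuristic (assumption): a bare identifier with an underscore is a list
# name; tokens such as `create` or quoted strings are treated as literals.
LIST_LIKE = re.compile(r"^[A-Za-z][A-Za-z0-9]*_[A-Za-z0-9_]+$")


def undefined_list_refs(loaded_files):
    """Return sorted names used inside `in (...)` that no loaded file defines."""
    text = "\n".join(loaded_files)
    defined = set(DEFINITION.findall(text))
    used = set()
    for clause in IN_CLAUSE.findall(text):
        for token in clause.split(","):
            token = token.strip()
            if LIST_LIKE.match(token):
                used.add(token)
    return sorted(used - defined)


if __name__ == "__main__":
    print("k8s audit rules only:", undefined_list_refs([K8S_AUDIT_RULES]))
    print("with falco_rules.yaml:", undefined_list_refs([K8S_AUDIT_RULES, FALCO_RULES]))
```

Pass the contents of every rules file the deployment actually loads; a name that is still reported after that is not defined in any of them.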