falcosecurity / plugins

Falco plugins registry
Apache License 2.0

rules of k8saudit-eks plugin use lists defined in falco_rules.yaml, not possible to overwrite #473

Open jtl-novatec opened 2 months ago

jtl-novatec commented 2 months ago

Describe the bug

When I looked at the k8s_audit_rules.yaml of my falco deployment (uses the k8saudit-eks plugin), I noticed that there are rules that use variables which aren't defined anywhere. For example:

The rules_file example of the plugin's documentation suggests that you don't mount falco_rules.yaml in the deployment. Therefore, users cannot specify an overwrite to append items to that list.

Expected behaviour

The following commit seems to be related to this problem as it tries to introduce / rename lists from falco_ to k8s_audit_. The current version of the rules files already addresses this problem (see). However, it looks like the k8saudit-eks plugin hasn't been updated accordingly.

Environment

Kubernetes via Helm Chart falco-4.3.0

sboschman commented 2 months ago

Hopefully #468 fixes this as well, as this seems to be related to the standard k8saudit rules.

jtl-novatec commented 2 months ago

https://github.com/falcosecurity/plugins/blob/4494313fc7a2d0272f5f865da0734b84303f4a2e/plugins/k8saudit-eks/pkg/k8sauditeks/k8sauditeks.go#L66

The EKS audit plugin has a similar version property, does this have to be bumped as well?

sboschman commented 2 months ago

I don't think so, as the k8saudit-eks plugin itself defines no rules. It uses the default k8saudit rules (from the k8saudit plugin).

falcosecurity   k8saudit                plugin      ghcr.io     falcosecurity/plugins/plugin/k8saudit
falcosecurity   k8saudit-eks            plugin      ghcr.io     falcosecurity/plugins/plugin/k8saudit-eks
falcosecurity   k8saudit-gke            plugin      ghcr.io     falcosecurity/plugins/plugin/k8saudit-gke
falcosecurity   k8saudit-gke-rules      rulesfile   ghcr.io     falcosecurity/plugins/ruleset/k8saudit-gke
falcosecurity   k8saudit-rules          rulesfile   ghcr.io     falcosecurity/plugins/ruleset/k8saudit

Issif commented 2 months ago

Exactly, the k8saudit-eks plugin relies on the k8saudit-rules. By installing the latest version, it should be ok thanks to @sboschman.
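
The situation reported in this issue (a loaded rules file that references lists defined only in a file that is not loaded) can be checked offline before deploying. The following is an added example, not code from the Falco project or from the commenters; it uses a regex scan rather than a YAML parser, and the sample file contents, list names and rule name are constructed.

```python
import re

# Top-level "- list: name" / "- macro: name" definitions in a Falco rules file.
DEF = re.compile(r"^- (?:list|macro):\s*(\w+)\s*$", re.M)
# Keys whose values can reference lists or macros by bare name.
KEY = re.compile(r"^(\s+)(?:condition|items):(.*)$")
# Bare identifiers, skipping dotted field names such as ka.user.name.
IDENT = re.compile(r"(?<![\w.])[A-Za-z_]\w*(?![\w.])")
QUOTED = re.compile(r"\"[^\"]*\"|'[^']*'")

def defined_names(text):
    return set(DEF.findall(text))

def referenced_idents(text):
    idents, indent = set(), None
    for line in text.splitlines():
        m = KEY.match(line)
        if m:  # start of a condition/items value
            indent, body = len(m.group(1)), m.group(2)
        elif indent is not None and line.strip() and len(line) - len(line.lstrip()) > indent:
            body = line  # continuation line of a folded multi-line value
        else:
            indent = None
            continue
        idents.update(IDENT.findall(QUOTED.sub(" ", body)))
    return idents

def missing_dependencies(loaded, not_loaded):
    """Map each name used by the loaded files but defined only in a
    file that is not loaded to the file that defines it."""
    have = set().union(*(defined_names(t) for t in loaded.values()))
    used = set().union(*(referenced_idents(t) for t in loaded.values()))
    return {name: fname
            for fname, text in not_loaded.items()
            for name in defined_names(text) & (used - have)}

# Constructed samples; the list and rule names are hypothetical.
K8S_AUDIT_RULES = """\
- list: k8s_audit_example_verbs
  items: [create, update]
- rule: Example constructed rule
  desc: constructed sample, not a real Falco rule
  condition: >
    ka.verb in (k8s_audit_example_verbs)
    and not ka.user.name in (falco_example_allowed_users)
"""
FALCO_RULES = '- list: falco_example_allowed_users\n  items: ["system:admin"]\n'
if __name__ == "__main__":
    print(missing_dependencies({"k8s_audit_rules.yaml": K8S_AUDIT_RULES}, {"falco_rules.yaml": FALCO_RULES}))
```

A name is reported only when it matches a definition in one of the files passed as not loaded, so bare literal values such as `create` are not flagged.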