rule(System ClusterRole Modified/Deleted): + role

Add system:managed-certificate-controller as a system role that can be modified. Can be changed as a part of upgrades. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
falcosecurity · Aug 28, 2020 · 991a2d9 · 991a2d9
1 parent 4d6b6ed
commit 991a2d9
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
@@ -311,7 +311,8 @@
 # normal operation.
 - rule: System ClusterRole Modified/Deleted
   desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
-  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and ka.target.name!="system:coredns"
+  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
+             not ka.target.name in (system:coredns, system:managed-certificate-controller)
   output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
   priority: WARNING
   source: k8s_audit