Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Add compat old k8s filter fields #893
What type of PR is this?
Any specific area of the project related to this PR?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
As a part of the changes in #826, we added several breaking changes to rules files like renaming/removing some filter fields. This isn't ideal for customers who are using their own rules files. We shouldn't break older rules files in this way, so add some minimal backwards compatibility which adds back the fields that were removed *and* actually used in k8s_audit_rules.yaml. They have the same functionality as before. One exception is ka.req.binding.subject.has_name, which was only used in a single output field for debugging and shouldn't have been in the rules file in the first place. This always returns the string "N/A". Signed-off-by: Mark Stemm <email@example.com>
Add tests that verify that this falco is backwards compatible with the v4 k8s audit rules file. It includes tests for: - checking images by repository/image: ka.req.container.image/ka.req.container.image.repository - checking privileged status of any container in a pod: ka.req.container.privileged - checking host_network: ka.req.container.host_network The tests were copied from the v5 versions of the tests, when necessary adding back v4-compatible versions of macros like allowed_k8s_containers. Signed-off-by: Mark Stemm <firstname.lastname@example.org>
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: fntlnz
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing