Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add compat old k8s filter fields #893

merged 2 commits into from Oct 21, 2019

Add compat old k8s filter fields #893

merged 2 commits into from Oct 21, 2019


Copy link

mstemm commented Oct 18, 2019

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

/kind flaky-test

If contributing rules or changes to rules, please make sure to also uncomment one of the following line:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area examples

/area rules

/area integrations

/area tests

/area proposals

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Fix falco engine compatibility with older k8s audit rules files.
mstemm added 2 commits Oct 17, 2019
As a part of the changes in
#826, we added several
breaking changes to rules files like renaming/removing some filter
fields. This isn't ideal for customers who are using their own rules

We shouldn't break older rules files in this way, so add some minimal
backwards compatibility which adds back the fields that were
removed *and* actually used in k8s_audit_rules.yaml. They have the same
functionality as before. One exception is
ka.req.binding.subject.has_name, which was only used in a single output
field for debugging and shouldn't have been in the rules file in the
first place. This always returns the string "N/A".

Signed-off-by: Mark Stemm <>
Add tests that verify that this falco is backwards compatible with the
v4 k8s audit rules file. It includes tests for:

 - checking images by repository/image:
 - checking privileged status of any container in a pod:
 - checking host_network: ka.req.container.host_network

The tests were copied from the v5 versions of the tests, when necessary
adding back v4-compatible versions of macros like

Signed-off-by: Mark Stemm <>
@mstemm mstemm force-pushed the add-compat-old-k8s-filter-fields branch from 09ec86c to cab71eb Oct 18, 2019
fntlnz approved these changes Oct 20, 2019

This comment has been minimized.

Copy link

poiana commented Oct 20, 2019

LGTM label has been added.

Git tree hash: 928c5565de658712e9ff11b8ea7d18aef7bd2098

@poiana poiana added the lgtm label Oct 20, 2019

This comment has been minimized.

Copy link

poiana commented Oct 20, 2019


This pull-request has been approved by: fntlnz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana added the approved label Oct 20, 2019

This comment has been minimized.

Copy link

fntlnz commented Oct 20, 2019

Thanks for fixing this @mstemm

@mstemm mstemm merged commit 3fafac3 into dev Oct 21, 2019
3 of 4 checks passed
3 of 4 checks passed
tide Not mergeable. Job Travis CI - Pull Request has not succeeded.
Travis CI - Branch Build Passed
Travis CI - Pull Request Build Passed
dco All commits have Signed-off-by
@poiana poiana deleted the add-compat-old-k8s-filter-fields branch Oct 21, 2019
@fntlnz fntlnz added this to the 0.18.0 milestone Oct 28, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.