eks audit plugin shows events for system users. #455
Comments
|
Anyone got any ideas here? anyone else experiencing this? |
|
Hi, This alert is totally legit, it indicates the credentials of the node are used to reached the K8s API. If you take a look at the EKS documentation, it's pretty clear: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-remediate-kubernetes.html#compromised-kubernetes-user I guess your config is not correct for the usage of some ServiceAccount. In my own EKS cluster, the list: https://github.com/falcosecurity/plugins/blob/main/plugins/k8saudit/rules/k8s_audit_rules.yaml#L70,L71 is enough. |
|
This rule should prevent the alert from firing but it's not |
|
Have you try: - rule: Disallowed K8s User
desc: Detect any k8s operation by users outside of an allowed set of users.
condition: kevt and not system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users)
output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
priority: WARNING
source: k8s_audit
tags: [k8s]
# Generally exclude users starting with "system:"
- macro: system_user
condition: ka.user.name startswith system:Just to be sure it's not an issue of double negation or quotes? |
|
I have not. These are the default rules provided from this repo though. If I get a chance I will test it but currently swamped with higher priority things right now. |
Describe the bug
the eks audit plugin is emitting events for "disallowed k8s user" for system users. There are rules to exclude system users but they are apparently not being honored.
User is
system:node:ip-10-30-63-166.ec2.internalHow to reproduce it
Deploy falco with only the eks k8s plugin enabled using the falco 4.2.4 helm chart.
Expected behaviour
Events done by system users should be ignored.
Screenshots
Environment
Helm
Additional context
The text was updated successfully, but these errors were encountered: