rule(Service Account Created in Kube Namespace): only detect sa created in kube namespace with success

Signed-off-by: kaizhe <[email protected]>
Kaizhe authored and poiana committed Mar 27, 2020
1 parent 4df5fe8 commit 6834649
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion rules/k8s_audit_rules.yaml
Expand Up @@ -225,7 +225,7 @@
# Detect creating a service account in the kube-system/kube-public namespace
- rule: Service Account Created in Kube Namespace
desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public)
condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful
output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
priority: WARNING
source: k8s_audit
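
Review bot: the desc line still says "Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces", but with "and response_successful" appended to the condition the rule now matches only creations the API server accepted, so the description no longer matches the behaviour. Suggest rewording desc to something like "Detect a serviceaccount successfully created in the kube-system or kube-public namespaces". Note also that denied create requests against these namespaces will no longer raise this WARNING; if those rejections are still useful as a signal, consider covering them with a separate, lower-priority rule rather than dropping them silently. The definition of response_successful is not visible in this hunk, so it is worth confirming which response codes it covers.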