Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rule(Disallowed K8s User): exclude allowed eks users #1960

Merged
merged 2 commits into from
Apr 1, 2022
Merged

rule(Disallowed K8s User): exclude allowed eks users #1960

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
12656c3
Added eks_allowed_k8s_users list to whitelist EKS users
darryk10 Mar 25, 2022
1b0c4d5
Fix spaces
darryk10 Mar 25, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 13 additions & 2 deletions rules/k8s_audit_rules.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,13 +51,24 @@
cluster-autoscaler,
"system:addon-manager",
"cloud-controller-manager",
"eks:node-manager",
"system:kube-controller-manager"
]

- list: eks_allowed_k8s_users
items: [
"eks:node-manager",
"eks:certificate-controller",
"eks:fargate-scheduler",
"eks:k8s-metrics",
"eks:authenticator",
"eks:cluster-event-watcher",
"eks:nodewatcher",
"eks:pod-identity-mutating-webhook"
]
-
- rule: Disallowed K8s User
desc: Detect any k8s operation by users outside of an allowed set of users.
condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users)
condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users)
output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
priority: WARNING
source: k8s_audit
Expand Down