
falco - cert-manager controller alert

Open crssnd opened this issue 2 years ago • 0 comments

Describe the bug

Falco is generating the below host alert on a test cluster setup:

{"output":"07:46:35.784669247: Notice Unexpected connection to K8s API Server from container (command=controller --v=2 --cluster-resource-namespace=cert-manager --leader-election-namespace=kube-system k8s.ns=cert-manager k8s.pod=cert-manager-container= image=quay.io/jetstack/cert-manager-controller:v1.8.2 connection=10.244.105.123:32986->10.244.0.5:443) k8s.ns=cert-manager k8s.pod=cert-manager container= k8s.ns=cert-manager k8s.pod=cert-manager container= k8s.ns=cert-manager k8s.pod=cert-manager- container= k8s.ns=cert-manager k8s.pod=cert-manager container=k8s.ns=cert-manager k8s.pod=cert-manager- container= k8s.ns=cert-manager k8s.pod=cert-manager- container=","priority":"Notice","rule":"Contact K8S API Server From Container","source":"syscall","tags":["container","k8s","mitre_discovery","network"],"time":"2022-08-11T07:46:35.784669247Z", "output_fields": {"container.id":"","container.image.repository":"quay.io/jetstack/cert-manager-controller","container.image.tag":"v1.8.2","evt.time":1660203995784669247,"fd.name":"10.244.105.123:32986->10.244.0.5:443","k8s.ns.name":"cert-manager","k8s.pod.name":"cert-manager-","proc.cmdline":"controller --v=2 --cluster-resource-namespace=cert-manager --leader-election-namespace=kube-system"}}

Expected behaviour

Alert not being triggered or an exception added if it's a known behaviour that doesn't affect our security.

Definition of Done

  • wait until we complete the falco v0.33 upgrade task
  • check if the alert is still present (check after 24h or 48h)
  • if still there investigate the issue and propose a solution

crssnd • Aug 17 '22 07:08
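
For the "check if the alert is still present" step in the Definition of Done, a small script can count occurrences of this rule in Falco's JSON output after a cutoff time. This is an added example, not part of the original issue or the project's code; the sample alerts are constructed (the first is abridged from the alert above), and the cutoff date is an assumed stand-in for when the upgrade finished.

```python
import json
from collections import Counter
from datetime import datetime, timezone

RULE = "Contact K8S API Server From Container"

def parse_time(ts):
    """Parse Falco's nanosecond UTC timestamp (datetime keeps microseconds)."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int(frac[:6].ljust(6, "0")) if frac else 0
    return datetime.fromisoformat(base).replace(microsecond=micro, tzinfo=timezone.utc)

def summarize(lines, since):
    """Count RULE alerts at or after `since`, keyed by (namespace, image repo).

    Also returns how many of those alerts carry an empty container.id,
    as the alert quoted in the issue does.
    """
    counts, no_container_id = Counter(), 0
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a Falco JSON alert line
        if not isinstance(alert, dict) or alert.get("rule") != RULE:
            continue
        if "time" not in alert or parse_time(alert["time"]) < since:
            continue
        fields = alert.get("output_fields", {})
        counts[(fields.get("k8s.ns.name"), fields.get("container.image.repository"))] += 1
        if not fields.get("container.id"):
            no_container_id += 1
    return counts, no_container_id

def _sample(rule, time, image="quay.io/jetstack/cert-manager-controller"):
    return json.dumps({"rule": rule, "time": time, "output_fields": {
        "container.id": "", "container.image.repository": image,
        "k8s.ns.name": "cert-manager"}})

SAMPLE = [
    _sample(RULE, "2022-08-11T07:46:35.784669247Z"),  # abridged from the issue
    _sample(RULE, "2022-08-13T09:00:00.000000001Z"),  # constructed
    _sample("Some Other Rule", "2022-08-13T09:05:00.000000000Z"),  # constructed
    "falco: not a JSON line",  # constructed noise
]

if __name__ == "__main__":
    cutoff = datetime(2022, 8, 12, tzinfo=timezone.utc)  # assumed upgrade time
    counts, no_id = summarize(SAMPLE, cutoff)
    for (ns, repo), n in counts.items():
        print(f"{n} alert(s) since {cutoff:%Y-%m-%d}: ns={ns} image={repo}")
    print(f"{no_id} with empty container.id")
```
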