
Falcoctl should be excluded from the `Create Privileged Pod` alert rule in `k8saudit` plugin

Open mc2285 opened this issue 6 months ago • 1 comments

Describe the bug

The k8saudit default rule flags Falco pod creation as a warning (Create Privileged Pod). This should not be the case and, reading the rule file, is an unintended behavior. Some logic is in place to prevent this from happening, yet it is incomplete and therefore ineffective: the falco image is included but falcoctl is not.

How to reproduce it

  1. Install Falco with k8saudit via Helm with default rule set
  2. Enable any output and forward events that are at least a WARNING to it
  3. Restart the Falco pod and get a notification

Expected behaviour

Falco should not flag itself. This is definitely unnecessary noise.

Screenshots

Image

Environment

  • Falco version: Helm chart v5.0.3
  • Cloud provider or hardware configuration: Unrelated
  • OS: Problem is OS-independent, Leap Micro 6.1
  • Kernel: 6.4
  • Installation method: Kubernetes via Helm

mc2285 avatar Jun 22 '25 08:06 mc2285

That was my solution to the problem:

- list: k8s_audit_privileged_images
  items:
    - docker.io/falcosecurity/falcoctl
  override:
    items: append
- list: k8s_audit_sensitive_mount_images
  items:
    - docker.io/falcosecurity/falcoctl
  override:
    items: append

mc2285 avatar Aug 09 '25 15:08 mc2285
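As an added illustration (not code from the k8saudit plugin or from the comment author), the snippet below models the allowlist check behind `Create Privileged Pod` and shows the effect of the list override above on a constructed pod-creation audit event. The base list contents, the audit event fields and the repository-only image comparison are assumptions made for the example.

```python
# Added example: models how "Create Privileged Pod" consults an image allowlist
# and how `override: items: append` extends that list. Not the plugin's code.
from typing import Dict, List

# Assumed base lists: the issue only states that the falco image is allowlisted.
BASE_LISTS: Dict[str, List[str]] = {
    "k8s_audit_privileged_images": ["docker.io/falcosecurity/falco"],
    "k8s_audit_sensitive_mount_images": ["docker.io/falcosecurity/falco"],
}

# The override from the comment, expressed as Python instead of rules YAML.
OVERRIDE = [
    {"list": "k8s_audit_privileged_images",
     "items": ["docker.io/falcosecurity/falcoctl"], "override": {"items": "append"}},
    {"list": "k8s_audit_sensitive_mount_images",
     "items": ["docker.io/falcosecurity/falcoctl"], "override": {"items": "append"}},
]

def apply_overrides(base: Dict[str, List[str]], overrides) -> Dict[str, List[str]]:
    """Apply list entries: `items: append` extends, anything else replaces."""
    merged = {name: list(items) for name, items in base.items()}
    for entry in overrides:
        name, items = entry["list"], entry["items"]
        if entry.get("override", {}).get("items") == "append":
            merged[name] = merged.get(name, []) + list(items)
        else:
            merged[name] = list(items)
    return merged

def repository(image: str) -> str:
    """Strip tag and digest (assumed to mirror the tag-less allowlist entries)."""
    name = image.split("@", 1)[0]
    colon = name.rfind(":")
    return name[:colon] if colon > name.rfind("/") else name

def privileged_pod_alert(event: dict, lists: Dict[str, List[str]]) -> bool:
    """True when the modelled rule fires: a pod create whose privileged
    container (init or regular) uses an image outside the allowlist."""
    if event.get("verb") != "create" or event.get("objectRef", {}).get("resource") != "pods":
        return False
    allowed = set(lists["k8s_audit_privileged_images"])
    spec = event["requestObject"]["spec"]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged") and repository(c["image"]) not in allowed:
            return True
    return False

# Constructed audit event resembling a Falco pod restart with a falcoctl init container.
FALCO_POD_CREATE = {"verb": "create", "objectRef": {"resource": "pods"}, "requestObject": {"spec": {
    "initContainers": [{"image": "docker.io/falcosecurity/falcoctl:0.11.0",
                        "securityContext": {"privileged": True}}],
    "containers": [{"image": "docker.io/falcosecurity/falco:0.40.0",
                    "securityContext": {"privileged": True}}]}}}
```

With the base lists the constructed event fires only because of the falcoctl init container; after `apply_overrides` it no longer does, while a privileged pod from any other image still alerts.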

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Nov 07 '25 16:11 poiana

I would say it's still relevant...

mc2285 avatar Nov 07 '25 17:11 mc2285