
Update k8s_containers macro to allow more to contact k8s API server

Open mossroy opened this issue 2 months ago • 2 comments

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

Proposed rule maturity level

Uncomment one (or more) /area <> lines (only for PRs that add or modify rules):

/area maturity-stable

/area maturity-incubating

/area maturity-sandbox

/area maturity-deprecated

What this PR does / why we need it:

This PR enhances the existing stable rule "Contact K8S API Server From Container" with a few adjustments:

  • grafana uses k8s-sidecar containers that call the API server
  • snapshot-controller (from sig-storage) needs the API server
  • metallb needs the API server
  • velero/velero container can also be prefixed with docker.io/
  • nfs-subdir-external-provisioner (from sig-storage) needs the API server
  • prometheus containers use the API server as a target (with default configuration of kube-prometheus-stack helm chart)

There's another scenario that can trigger this rule with the kube-prometheus-stack helm chart. Depending on your values.yaml, it can run a job that deploys the CRDs. This job uses a container based on the registry.k8s.io/kubectl image with the command kubectl apply --server-side --filename /tmp/crds.yaml, which triggers this rule. However, I did not find a clean and generic way to implement an exception for it.

mossroy avatar Oct 24 '25 19:10 mossroy
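For clusters that cannot wait for the upstream macro change, the same exceptions can be carried in a local Falco rules override file. The block below is an added example, not the PR's diff and not falcosecurity/rules code. It assumes the Falco >= 0.36 `override:` syntax (older releases use `append: true` on a macro of the same name), assumes the rule consults a `user_known_contact_k8s_api_server_activities` macro for user exceptions, and the exact image repository strings, the `monitoring` namespace and the file path are assumptions to be adjusted to your own chart values.

```yaml
# Added example (not from the PR): /etc/falco/rules.d/local-k8s-api.yaml (path assumed).
# Loaded after falco_rules.yaml so that the overrides below apply on top of the
# stock k8s_containers macro. Falco >= 0.36 "override" syntax assumed.

# 1. Extend the k8s_containers allowlist with the workloads named in the PR
#    description. The repository strings are assumptions: check them against
#    what `container.image.repository` actually reports in your cluster.
#    Registry prefixes matter: "velero/velero" and "docker.io/velero/velero"
#    are two distinct values, which is why the PR adds the docker.io/ variant.
- macro: k8s_containers
  condition: >
    or (container.image.repository in (
      kiwigrid/k8s-sidecar,
      docker.io/kiwigrid/k8s-sidecar,
      registry.k8s.io/sig-storage/snapshot-controller,
      quay.io/metallb/controller,
      quay.io/metallb/speaker,
      docker.io/velero/velero,
      registry.k8s.io/sig-storage/nfs-subdir-external-provisioner,
      quay.io/prometheus/prometheus
    ))
  override:
    condition: append

# 2. The kube-prometheus-stack CRD-install job that the PR could not cover
#    generically. Locally it can be scoped tightly: namespace, image and the
#    exact command prefix, so an arbitrary kubectl pod elsewhere still alerts.
#    Macro name assumed to be the rule's user-exception hook.
- macro: user_known_contact_k8s_api_server_activities
  condition: >
    or (k8s.ns.name = "monitoring"
        and container.image.repository = "registry.k8s.io/kubectl"
        and proc.cmdline startswith "kubectl apply --server-side")
  override:
    condition: append
```

Validate before deploying with `falco -r /etc/falco/rules/falco_rules.yaml -r /etc/falco/rules.d/local-k8s-api.yaml --dry-run` (or `-V` on older releases) so a syntax error in the override does not silently disable the rule. Keep in mind that every entry added to `k8s_containers` is a detection gap: image repository names are not authenticated, so a pod that an attacker can launch under an allowlisted image name will contact the API server without firing this rule. Prefer the narrow, namespace-and-command scoped form of exception 2 over widening the allowlist wherever you can.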

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mossroy
Once this PR has been reviewed and has the lgtm label, please assign loresuso for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

poiana avatar Oct 24 '25 19:10 poiana

Welcome @mossroy! It looks like this is your first PR to falcosecurity/rules 🎉

poiana avatar Oct 24 '25 19:10 poiana