From 6efb16b1a600978842b04dda3705749d381ae9b0 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 10 Sep 2020 10:47:22 -0700 Subject: [PATCH] Rule(Disallowed K8s User): quote colons It turns out if you read this rules file with falco versions 0.24.0 and earlier, it can't parse the bare string containing colons: (Ignore the misleading error context, that's a different problem): ``` Thu Sep 10 10:31:23 2020: Falco initialized with configuration file /etc/falco/falco.yaml Thu Sep 10 10:31:23 2020: Loading rules from file /tmp/k8s_audit_rules.yaml: Thu Sep 10 10:31:23 2020: Runtime error: found unexpected ':' --- source: k8s_audit tags: [k8s] # In a local/user rules file, you could override this macro to ``` I think the change in 0.25.0 to use a bundled libyaml fixed the problem, as it also upgraded libyaml to a version that fixed https://github.com/yaml/libyaml/pull/104. Work around the problem with earlier falco releases by quoting the colon. Signed-off-by: Mark Stemm --- k8s_audit_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s_audit_rules.yaml b/k8s_audit_rules.yaml index ddef9093..67e1b327 100644 --- a/k8s_audit_rules.yaml +++ b/k8s_audit_rules.yaml @@ -49,7 +49,7 @@ "kubernetes-admin", vertical_pod_autoscaler_users, cluster-autoscaler, - system:addon-manager + "system:addon-manager" ] - rule: Disallowed K8s User
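Review bot: The newly quoted `"system:addon-manager"` entry, the last item of the list in the `@@ -49,7 +49,7 @@` hunk, carries no comment saying why the quotes are required, so a later cleanup could strip them and bring back the `found unexpected ':'` load failure that the commit message reports for falco 0.24.0 and earlier. Add a one-line YAML comment above the list stating that any value containing a colon must stay quoted for those releases. The hunk touches only this one entry, so it is worth confirming that no other bare scalar containing a colon remains in a bracketed list elsewhere in `k8s_audit_rules.yaml`, since the same parser error would stop the whole rules file from loading and leave the k8s audit rules inactive. As a style point, the list now mixes quoted entries (`"kubernetes-admin"`, `"system:addon-manager"`) with bare ones (`cluster-autoscaler`); quoting every literal user name would make the convention obvious to the next editor.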