Skip to content

Commit

Permalink
Rule(Disallowed K8s User): quote colons
Browse files Browse the repository at this point in the history 
It turns out if you read this rules file with falco versions 0.24.0 and
earlier, it can't parse the bare string containing colons:

(Ignore the misleading error context, that's a different problem):

```
Thu Sep 10 10:31:23 2020: Falco initialized with configuration file
/etc/falco/falco.yaml
Thu Sep 10 10:31:23 2020: Loading rules from file
/tmp/k8s_audit_rules.yaml:
Thu Sep 10 10:31:23 2020: Runtime error: found unexpected ':'
---
  source: k8s_audit
    tags: [k8s]
    # In a local/user rules file, you could override this macro to
```

I think the change in 0.25.0 to use a bundled libyaml fixed the problem,
as it also upgraded libyaml to a version that fixed
yaml/libyaml#104.

Work around the problem with earlier falco releases by quoting the colon.

Signed-off-by: Mark Stemm <[email protected]>
  • Loading branch information
@mstemm @poiana
mstemm authored and poiana committed Sep 23, 2020
1 parent 7a9e652 commit b4800b7
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion rules/k8s_audit_rules.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@
"kubernetes-admin",
vertical_pod_autoscaler_users,
cluster-autoscaler,
system:addon-manager
"system:addon-manager"
]

- rule: Disallowed K8s User
Expand Down

0 comments on commit b4800b7

Please sign in to comment.