From 6834649fa58ffae36382b2f79536efdccd193f0a Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Tue, 24 Mar 2020 12:02:08 -0700
Subject: [PATCH] rule(Service Account Created in Kube Namespace): only detect sa created in kube namespace with success

Signed-off-by: kaizhe
---
 rules/k8s_audit_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index aa03ed41b7b..f735e5446f7 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -225,7 +225,7 @@
 # Detect creating a service account in the kube-system/kube-public namespace
 - rule: Service Account Created in Kube Namespace
 desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
- condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public)
+ condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful
 output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
 priority: WARNING
 source: k8s_audit
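Review bot: The rule's `desc` line in this hunk is now inconsistent with its condition: it still reads `Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces`, while the added `and response_successful` restricts the rule to creations the API server actually admitted. Suggest `desc: Detect successful creation of a serviceaccount in the kube-system or kube-public namespaces`, and the `# Detect creating a service account ...` comment above the rule should say the same so operators tuning the rule know denied or failed requests no longer fire it. Dropping failed attempts is the stated intent of the commit; if that denied-request signal is still wanted for detection it would belong in a separate rule rather than this one. `response_successful` is presumably a macro defined elsewhere in this file, which is outside the hunk and cannot be checked here.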