You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Take the field ka.req.pod.containers.image.repository from the k8s_audit source, there a lot of important rules based on this field but the only way to create exceptions is to hard-code the image names into lists, because the only operators that can be used with it are set operators (in, intersect).
If it were possible to use the same rich string operators with the individual elements of lists, a generic rule like ka.req.pod.containers.image.repository startswith ('registry1.example', 'registry2.example') would be possible.
Feature
I think it's natural and clean to have the current operators to "just work" with list fields (like the startswith example above), but another expression like allof would be good too.
Alternatives
Something like falcosecurity/libs#1925 could fill the role (partially?) in a much less elegant way by concatenating the whole list and doing some weird regex on it.
The text was updated successfully, but these errors were encountered:
Motivation
Take the field
ka.req.pod.containers.image.repositoryfrom the k8s_audit source, there a lot of important rules based on this field but the only way to create exceptions is to hard-code the image names into lists, because the only operators that can be used with it are set operators (in,intersect).If it were possible to use the same rich string operators with the individual elements of lists, a generic rule like
ka.req.pod.containers.image.repository startswith ('registry1.example', 'registry2.example')would be possible.Feature
I think it's natural and clean to have the current operators to "just work" with list fields (like the
startswithexample above), but another expression likeallofwould be good too.Alternatives
Something like falcosecurity/libs#1925 could fill the role (partially?) in a much less elegant way by concatenating the whole list and doing some weird regex on it.
The text was updated successfully, but these errors were encountered: