From 589f1b8637a161aaf42537b40c09acb92ff4d459 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 20 Oct 2020 15:10:58 -0700
Subject: [PATCH] rule(Full K8s... Access): fix users list

Use the right list name in the rule Full K8s Administrative Access--it was using the nonexistent list admin_k8s_users, so it was just using the string "admin_k8s_users".

Signed-off-by: Mark Stemm
---
 rules/k8s_audit_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index 67e1b327a67..d687a08a075 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -536,7 +536,7 @@
 condition: >
 kevt
 and non_system_user
- and ka.user.name in (admin_k8s_users)
+ and ka.user.name in (full_admin_k8s_users)
 and not allowed_full_admin_users
 output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
 priority: WARNING
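Review bot: The corrected reference `ka.user.name in (full_admin_k8s_users)` is still unguarded against the failure mode the commit message describes: an undefined list name is taken as a literal string, so the rule loads cleanly and simply never matches the intended users. The diffstat shows only the rules file changing, so nothing pins that this detection fires; I would add a rule test that replays an audit event whose user is a member of `full_admin_k8s_users` and asserts the WARNING is emitted. A comment above the `condition:` key (not inside the folded `>` scalar, where it would become condition text) would also help, e.g. `# full_admin_k8s_users must name a defined list; an unknown name is compared as a plain string`. The rule header and the list definition are outside this hunk, so whether the list is defined ahead of the rule cannot be confirmed from here.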