Last active
November 30, 2023 00:43
-
-
Save mstemm/f521813759bcc56d81c31db4163ba378 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Split all objects and pass them to each filter below | |
| # Create/Delete Namespace | |
| (select(.verb == "create" and .objectRef.resource=="namespaces") | | |
| "[" + .stageTimestamp + "] " + "Namespace Created: name=" + .objectRef.name), | |
| (select(.verb == "delete" and .objectRef.resource=="namespaces") | | |
| "[" + .stageTimestamp + "] " + "Namespace Deleted: name=" + .objectRef.name), | |
| # Create/Delete Deployment | |
| (select(.verb == "create" and .objectRef.resource=="deployments") | | |
| "[" + .stageTimestamp + "] " + "Deployment Created: Name=" + .objectRef.name + | |
| " Image=" + .requestObject.spec.template.spec.containers[0].image), | |
| (select(.verb == "delete" and .objectRef.resource=="deployments") | | |
| "[" + .stageTimestamp + "] " + "Deployment Deleted: Name=" + .objectRef.name), | |
| # Create/Delete Service | |
| (select(.verb == "create" and .objectRef.resource=="services") | | |
| "[" + .stageTimestamp + "] " + "Service Created: name=" + .objectRef.name), | |
| (select(.verb == "delete" and .objectRef.resource=="services") | | |
| "[" + .stageTimestamp + "] " + "Service Deleted: name=" + .objectRef.name), | |
| # Create/Delete Service Account | |
| (select(.verb == "create" and .objectRef.resource=="serviceaccounts") | | |
| "[" + .stageTimestamp + "] " + "Service Account Created: name=" + .objectRef.name), | |
| (select(.verb == "delete" and .objectRef.resource=="serviceaccounts") | | |
| "[" + .stageTimestamp + "] " + "Service Account Deleted: name=" + .objectRef.name), | |
| # Create Configmap containing password or AWS Private Key | |
| (select(.verb == "create" and .objectRef.resource=="configmaps" and | |
| (.requestObject.data | tostring | contains("aws_access_key_id"))) | | |
| "[" + .stageTimestamp + "] " + "Configmap created containing private credentials: name=" + .objectRef.name + | |
| " Configmap= "+ (.requestObject.data | tostring)), | |
| # Attach to Running Pod | |
| (select(.verb == "create" and .objectRef.resource=="pods" and | |
| .objectRef.subresource=="exec") | | |
| "[" + .stageTimestamp + "] " + "Exec into running pod: name=" + .objectRef.name), | |
| # Create Serviceaccount bound to cluster-admin role | |
| (select(.verb == "create" and .objectRef.resource=="clusterrolebindings" and | |
| .requestObject.roleRef.name=="cluster-admin") | | |
| "[" + .stageTimestamp + "] " + "Clusterrolebinding created to cluster-admin role: name=" + .objectRef.name), | |
| # Create overly permissive cluster role | |
| (select(.verb == "create" and .objectRef.resource=="clusterroles" and | |
| (.requestObject.rules | tostring | contains("\"*\""))) | | |
| "[" + .stageTimestamp + "] " + "Overly permissive cluster role created: name=" + .objectRef.name + | |
| " rules=" + (.requestObject.rules | tostring)), | |
| # Create pod exec cluster role | |
| (select(.verb == "create" and .objectRef.resource=="clusterroles" and | |
| (.requestObject.rules | tostring | contains("\"pods/exec\""))) | | |
| "[" + .stageTimestamp + "] " + "Pod exec cluster role created: name=" + .objectRef.name + | |
| " rules=" + (.requestObject.rules | tostring)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment