vicenteherrera/full_k8s_administrative_access.yaml

## full_k8s_administrative_access.yaml
- rule: Full K8s Administrative Access
  desc: Detect any k8s operation by an administrator with full access.
  condition: >
    kevt  and non_system_user  and ka.user.name in (admin_k8s_users)  and not allowed_full_admin_users
  output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
  priority: WARNING
  source: k8s_audit
  tags: [k8s, NIST, NIST_3.1, PCI, PCI_DSS_2.1]
	- rule: Full K8s Administrative Access
	desc: Detect any k8s operation by an administrator with full access.
	condition: >
	kevt and non_system_user and ka.user.name in (admin_k8s_users) and not allowed_full_admin_users
	output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
	priority: WARNING
	source: k8s_audit
	tags: [k8s, NIST, NIST_3.1, PCI, PCI_DSS_2.1]