@vicenteherrera
Created March 23, 2020 18:17
# Depends on the kevt and non_system_user macros and the allowed_k8s_users list,
# none of which are defined in this snippet.
- rule: Disallowed K8s User
  desc: Detect any k8s operation by users outside of an allowed set of users.
  condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users)
  output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]