add 'kubectl' process name to allowlist (aquasecurity#1549)

EBWi11 · May 31, 2022 · 1631ebd · 1631ebd
1 parent 9ef2e5f
commit 1631ebd
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/signatures/rego/k8s_service_account_token.rego b/signatures/rego/k8s_service_account_token.rego
@@ -37,6 +37,6 @@ tracee_match {
     contains(pathname,"secrets/kubernetes.io/serviceaccount")
     endswith(pathname,"token")
 
-    process_names_allowlist := {"flanneld", "kube-proxy", "etcd", "kube-apiserver", "coredns", "kube-controller"}
+    process_names_allowlist := {"flanneld", "kube-proxy", "etcd", "kube-apiserver", "coredns", "kube-controller", "kubectl"}
     not process_names_allowlist[input.processName]
 }
diff --git a/signatures/rego/k8s_service_account_token_test.rego b/signatures/rego/k8s_service_account_token_test.rego
@@ -36,3 +36,22 @@ test_match_wrong_request {
         ]
     }
 }
+
+test_match_wrong_process_name {
+    not tracee_match with input as {
+        "processId": 1000,
+        "hostProcessId": 1,
+        "eventName": "security_file_open",
+        "processName":"kubectl",
+        "args": [
+            {
+                "name": "flags",
+                "value": "O_RDONLY"
+            },
+            {
+                "name": "pathname",
+                "value": "/var/run/secrets/kubernetes.io/serviceaccount/token"
+            }
+        ]
+    }
+}