Rule not working: Create/Modify Configmap With Private Credentials

[yinynick]

Rule - Create/Modify Configmap With Private Credentials seems not working by default following https://falco.org/docs/event-sources/kubernetes-audit/ on version 0.22.1.

Other k8s audit rules would flag without problems.

Command in use to create configmap:
kubectl create -f configmap.yaml

Audit log output:
{
"kind": "Event",
"apiVersion": "audit.k8s.io/v1",
"level": "RequestResponse",
"auditID": "59a27ad6-5164-46a9-8c63-0a71bcc2ed8e",
"stage": "ResponseComplete",
"requestURI": "/api/v1/namespaces/default/configmaps",
"verb": "create",
"user": {
"username": "kubernetes-admin",
"groups": [
"system:masters",
"system:authenticated"
]
},
"sourceIPs": [
"10.211.55.12"
],
"userAgent": "kubectl/v1.18.2 (linux/amd64) kubernetes/52c56ce",
"objectRef": {
"resource": "configmaps",
"namespace": "default",
"name": "my-config1",
"apiVersion": "v1"
},
"responseStatus": {
"metadata": {},
"code": 201
},
"requestObject": {
"kind": "ConfigMap",
"apiVersion": "v1",
"metadata": {
"name": "my-config1",
"namespace": "default",
"creationTimestamp": null
},
"data": {
"access.properties": "aws_access_key_id = MY-ID\naws_secret_access_key = MY-KEY\npassword = NICK\n"
}
},
"responseObject": {
"kind": "ConfigMap",
"apiVersion": "v1",
"metadata": {
"name": "my-config1",
"namespace": "default",
"selfLink": "/api/v1/namespaces/default/configmaps/my-config1",
"uid": "66cd8571-fa16-40fb-b485-293e6c2d4d61",
"resourceVersion": "219832",
"creationTimestamp": "2020-05-05T07:17:06Z",
"managedFields": [
{
"manager": "kubectl",
"operation": "Update",
"apiVersion": "v1",
"time": "2020-05-05T07:17:06Z",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:data": {
".": {},
"f:access.properties": {}
}
}
}
]
},
"data": {
"access.properties": "aws_access_key_id = MY-ID\naws_secret_access_key = MY-KEY\npassword = NICK\n"
}
},
"requestReceivedTimestamp": "2020-05-05T07:17:06.458299Z",
"stageTimestamp": "2020-05-05T07:17:06.461035Z",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
}
}

[yinynick]

Update: this rule is not working when the "user" is not in allowed_k8s_users, in my case "kubernetes-admin".

Are below known and correct behaviour?

1. When user "kubernetes-admin" is not in list allowed_k8s_users:

kubectl delete configmap
kubectl create configmap config --from-file=configmap

Alerts flagged:
May 5 15:57:18 k8s-controlplane1 falco: 15:57:04.389830912: Warning K8s Operation performed by user not in allowed list of users (user=kubernetes-admin target=nickconfig/configmaps verb=create uri=/api/v1/namespaces/default/configmaps resp=201)
May 5 15:57:18 k8s-controlplane1 falco: 15:56:59.000089088: Warning K8s Operation performed by user not in allowed list of users (user=kubernetes-admin target=nickconfig/configmaps verb=delete uri=/api/v1/namespaces/default/configmaps/nickconfig resp=200)

2. When user "kubernetes-admin" is in list allowed_k8s_users:

kubectl delete configmap
kubectl create configmap config --from-file=configmap

Alers flagged:
May 5 15:59:18 k8s-controlplane1 falco: 15:59:17.949396992: Notice K8s ConfigMap Deleted (user=kubernetes-admin configmap=nickconfig ns=default resp=200 decision=allow reason=)
May 5 15:59:48 k8s-controlplane1 falco: 15:59:22.695921920: Warning K8s configmap with private credential (user=kubernetes-admin verb=create configmap=nickconfig config={"test-config1":"apiVersion: v1\ndata:\n access.properties: |\n aws_access_key_id = MY-ID\n aws_secret_access_key = MY-KEY\n password = NICK\nkind: ConfigMap\nmetadata:\n name: my-config1\n namespace: default\n"})

[bzurkowski]

@yinynick I had the exact same issue with Create/Modify Configmap With Private Credentials rule. Solved it by adding kubernetes-admin to the list of allowed users.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[leogr]

Please, keep open.

I have had the same issue.