
Conversation


@mossroy mossroy commented Oct 24, 2025

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

Proposed rule maturity level

Uncomment one (or more) /area <> lines (only for PRs that add or modify rules):

/area maturity-stable

/area maturity-incubating

/area maturity-sandbox

/area maturity-deprecated

What this PR does / why we need it:

This PR enhances the existing stable rule "Contact K8S API Server From Container" with a few adjustments:

  • grafana uses k8s-sidecar containers, that call the API server
  • snapshot-controller (from sig-storage) needs the API server
  • metallb needs the API server
  • velero/velero container can also be prefixed with docker.io/
  • nfs-subdir-external-provisioner (from sig-storage) needs the API server
  • prometheus containers use the API server as a target (with default configuration of kube-prometheus-stack helm chart)

There's another scenario that can trigger this rule with the kube-prometheus-stack helm chart. Depending on your values.yaml, it can run a job that deploys the CRDs. This job uses a container based on the registry.k8s.io/kubectl image with the command kubectl apply --server-side --filename /tmp/crds.yaml, which triggers this rule. However, I did not find a clean and generic way to implement an exception for it.

…PI Server

Signed-off-by: Mossroy <mossroy@mossroy.fr>
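The PR's own diff is not shown on this page. As an added illustration (not the author's change), the same allowlisting can be expressed as a site-local Falco override, assuming the upstream rule is gated by the macros k8s_containers and user_known_contact_k8s_api_server_activities, and with image repository names other than docker.io/velero/velero assumed rather than taken from the PR text:

```yaml
# Added illustration for this PR page, not the PR's own diff.
# Assumes: the stable rule "Contact K8S API Server From Container" ends in
#   "and not k8s_containers and not user_known_contact_k8s_api_server_activities",
# and that this file is loaded from /etc/falco/rules.d/ after falco_rules.yaml.
# Only docker.io/velero/velero is named verbatim in the PR description; the
# other repositories are assumed for the components it lists. Match on
# container.image.repository (no tag) so routine image bumps do not re-fire.

- list: local_k8s_api_client_images
  items: [
    docker.io/velero/velero,                                   # velero, docker.io-prefixed form
    quay.io/kiwigrid/k8s-sidecar,                              # grafana dashboard/datasource sidecar
    registry.k8s.io/sig-storage/snapshot-controller,           # sig-storage snapshot-controller
    registry.k8s.io/sig-storage/nfs-subdir-external-provisioner,
    quay.io/metallb/controller,                                # metallb
    quay.io/metallb/speaker,
    quay.io/prometheus/prometheus                              # kube-prometheus-stack scrapes the API server
  ]

# Replacing this macro is the supported extension point: the stable rule text
# stays untouched and every added exception is visible in one local file.
# The kubectl CRD job from the PR description is deliberately NOT listed here,
# since a repository-only match for a kubectl image would also silence
# arbitrary kubectl use from any pod running that image.
- macro: user_known_contact_k8s_api_server_activities
  condition: (container.image.repository in (local_k8s_api_client_images))
  override:
    condition: replace
```

Validate before deploying with `falco --dry-run` (or `falco -L` to list the loaded rules) so a typo in a repository name fails loudly instead of silently widening or narrowing the exception.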

poiana commented Oct 24, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mossroy
Once this PR has been reviewed and has the lgtm label, please assign loresuso for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


poiana commented Oct 24, 2025

Welcome @mossroy! It looks like this is your first PR to falcosecurity/rules 🎉


Labels

area/maturity-stable See the Rules Maturity Framework area/rules dco-signoff: yes kind/feature New feature or request size/XS
