Falco k8s, when add an exception, some fields become null

Asked Apr 11 '22 at 09:01

Active Apr 11 '22 at 09:59

Viewed 164 times

If I add an exception to the rule 'The docker client is executed in a container' like:

exceptions:
  - name: kube_mon
    fields: [container.image.repository, k8s.ns.name, k8s.pod.name]
    comps: [=, =, startswith]
    values:
      - [repo/myimg, myns, my-pod-]

I start receiving Warnings where the mentioned fields are null (instead of not receiving them at all) : screen: [1]: https://i.stack.imgur.com/1RTiJ.png

Same exceptions added to the rule 'Contact K8S API Server From Container' works ok and my pods are filtered out from logging.
How can I solve it?
Thanks.
Falco 0.31.1 Chart falco-1.17.4

edited Apr 11 '22 at 09:59

asked Apr 11 '22 at 09:01

OlehR

Are you still facing this issue? If so, you could ask in the falco channel in the Kubernetes slack or open an issue on GitHub – trallnag Jan 20 '23 at 22:26
1

@trallnag I dont know because I moved to another project. Probably its solved in more recent version. thanks for your suggestion. – OlehR Jan 23 '23 at 09:49

Falco k8s, when add an exception, some fields become null

0 Answers0