Custom Resources

FalcoAuditRules

Scope: Cluster
Version: v1alpha1

• spec

  object
  • spec.requiredEngineVersion

    integer

    Used to ensure compatibility between the rules content and the Falco engine version.
  • spec.requiredK8sAuditPluginVersion

    string

    Used to ensure compatibility between the rules content and plugin versions.
  • spec.rules

    array of objects

    Required value

    Describes the Falco rules that will be applied to monitor the cluster runtime.

    These rules help detect threats at runtime by observing the behavior of your applications and containers.

    Refer to the Falco documentation and reference for more details.

    Minimal length: 1

    • spec.rules.list

      object

      Collections of items that can be included in rules, macros, or other lists.

      Unlike rules and macros, lists cannot be parsed as filtering expressions.

      • spec.rules.list.items

        array

        Required value

        A list of values.
      • spec.rules.list.name

        string

        Required value

        A unique name for the list (as a slug).
    • spec.rules.macro

      object

      Rule condition snippets that can be re-used inside other rules and even macros.

      Macros provide a way to name common patterns and eliminate redundancies in the rules.

      • spec.rules.macro.condition

        string

        Required value

        A filtering expression that is applied to events to check whether they match the rule.
      • spec.rules.macro.name

        string

        Required value

        A short, unique name for the macro.
    • spec.rules.rule

      object

      Defines the conditions under which an alert is to be generated.

      The rule is accompanied by a descriptive output string that is sent with an alert.

      • spec.rules.rule.condition

        string

        Required value

        A filtering expression that is applied to events to check whether they match the rule.
      • spec.rules.rule.desc

        string

        Required value

        A detailed description of what the rule detects.
      • spec.rules.rule.enabled

        boolean

        If set to false, a rule is neither loaded nor matched against any events.

        Default: true

      • spec.rules.rule.name

        string

        Required value

        A short, unique name for the rule.
      • spec.rules.rule.output

        string

        Required value

        A message to output if a matching event occurs.
      • spec.rules.rule.priority

        string

        Required value

        A severity of the event.

        Allowed values: Emergency, Alert, Critical, Error, Warning, Notice, Informational, Debug

      • spec.rules.rule.source

        string

        The event source for which this rule is to be evaluated.

        Default: Syscall

        Allowed values: Syscall, K8sAudit

      • spec.rules.rule.tags

        array of strings

        A list of tags applied to the rule.