From b2e01269cf9eb0b7b7e5bbacabdae7f94292243a Mon Sep 17 00:00:00 2001
From: GLVS Kiriti
Date: Thu, 21 Mar 2024 00:32:41 +0530
Subject: [PATCH 1/2] Added an event for default rule kubernetes client tool launched in container
Signed-off-by: GLVS Kiriti
---
 ...netes_client_tool_launched_in_container.go | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 events/syscall/kubernetes_client_tool_launched_in_container.go
diff --git a/events/syscall/kubernetes_client_tool_launched_in_container.go b/events/syscall/kubernetes_client_tool_launched_in_container.go
new file mode 100644
index 00000000..d6e16a26
--- /dev/null
+++ b/events/syscall/kubernetes_client_tool_launched_in_container.go
@@ -0,0 +1,37 @@
+//go:build linux
+// +build linux
+
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syscall
+
+import (
+ "os/exec"
+
+ "github.com/falcosecurity/event-generator/events"
+)
+
+var _ = events.Register(
+ kubernetesClientToolLaunchedInContainer,
+ events.WithDisabled(), // this rules is not included in falco_rules.yaml (stable rules), so disable the action
+)
+
+func kubernetesClientToolLaunchedInContainer(h events.Helper) error {
+ if h.InContainer() {
+ cmd := exec.Command("kubectl")
+ return cmd.Run()
+ }
+ return nil
+}
From 8b98289f09e37e29b1f07e326c4d6440269d8065 Mon Sep 17 00:00:00 2001
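Review bot: Outside a container the action falls through to the final `return nil`, so the run is reported as successful although no kubectl process was started and the rule was never exercised; that reads as detection coverage that does not exist. Make the skip visible, for example with `h.Log().Warnf("not in a container, no event generated")` before that return, or return a skip or error value if the events package offers one (not visible in this patch). The same fall-through is left unchanged by the hunk in PATCH 2/2. A doc comment on the function would also help, e.g. `// kubernetesClientToolLaunchedInContainer runs kubectl inside a container to trigger the "Kubernetes Client Tool Launched in Container" rule; outside a container it does nothing.`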
From: GLVS Kiriti
Date: Sat, 30 Mar 2024 10:03:48 +0530
Subject: [PATCH 2/2] Fix: First look whether kubectl exists or not
Signed-off-by: GLVS Kiriti
---
 .../kubernetes_client_tool_launched_in_container.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/events/syscall/kubernetes_client_tool_launched_in_container.go b/events/syscall/kubernetes_client_tool_launched_in_container.go
index d6e16a26..dc31c993 100644
--- a/events/syscall/kubernetes_client_tool_launched_in_container.go
+++ b/events/syscall/kubernetes_client_tool_launched_in_container.go
@@ -30,7 +30,14 @@ var _ = events.Register(

 func kubernetesClientToolLaunchedInContainer(h events.Helper) error {
 if h.InContainer() {
- cmd := exec.Command("kubectl")
+ kubectl, err := exec.LookPath("kubectl")
+ if err != nil {
+ h.Log().Warnf("kubectl is needed to launch this action")
+ return err
+ }
+
+ cmd := exec.Command(kubectl)
+ h.Log().Infof("Kubernetes Client Tool Launched In Container")
 return cmd.Run()
 }
 return nil
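Review bot: `exec.LookPath("kubectl")` ties the action to a real kubectl on PATH and then runs whichever binary of that name is found first, without recording which one, so in an image that lacks kubectl the action only ever returns the lookup error and the rule is never exercised. Log the resolved path before running it, `h.Log().Infof("running %s", kubectl)`, and emit the existing "Kubernetes Client Tool Launched In Container" message only after `cmd.Run()` returns nil, since it is currently written before the process has started. If the rule matches on process name alone (not visible here, confirm against the rule), a placeholder process named kubectl would remove the dependency on the image contents. The function's closing brace lies outside this hunk.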