add context tag to rules

[YakirOren]

Summary by CodeRabbit

Release Notes

• Documentation
  • Added Kubernetes context tags to 25 security detection rules, improving rule organization and enabling environment-specific filtering.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

A single metadata tag context:kubernetes is added to the tags array in 26 rule YAML files across the core and advanced detection rule sets, providing Kubernetes-specific context classification without altering rule logic or evaluation behavior.

Changes

Cohort / File(s)	Summary
Core Detection Rules (R0001-R0011) pkg/rules/r0001-unexpected-process-launched/...yaml, pkg/rules/r0002-unexpected-file-access/...yaml, pkg/rules/r0003-unexpected-system-call/...yaml, pkg/rules/r0004-unexpected-capability-used/...yaml, pkg/rules/r0005-unexpected-domain-request/...yaml, pkg/rules/r0006-unexpected-service-account-token-access/...yaml, pkg/rules/r0007-kubernetes-client-executed/...yaml, pkg/rules/r0008-read-environment-variables-procfs/...yaml, pkg/rules/r0009-ebpf-program-load/...yaml, pkg/rules/r0010-unexpected-sensitive-file-access/...yaml, pkg/rules/r0011-unexpected-egress-network-traffic/...yaml	Added "context:kubernetes" tag to spec.rules[0].tags metadata in each rule
Advanced Detection Rules (R1000-R1030) pkg/rules/r1000-exec-from-malicious-source/...yaml, pkg/rules/r1001-exec-binary-not-in-base-image/...yaml, pkg/rules/r1002-kernel-module-load/...yaml, pkg/rules/r1003-malicious-ssh-connection/...yaml, pkg/rules/r1004-exec-from-mount/...yaml, pkg/rules/r1005-fileless-execution/...yaml, pkg/rules/r1006-unshare-syscall/...yaml, pkg/rules/r1007-xmr-crypto-mining/...yaml, pkg/rules/r1008-crypto-mining-domain-communication/...yaml, pkg/rules/r1009-crypto-mining-related-port/...yaml, pkg/rules/r1010-symlink-created-over-sensitive-file/...yaml, pkg/rules/r1011-ld-preload-hook/...yaml, pkg/rules/r1012-hardlink-created-over-sensitive-file/...yaml, pkg/rules/r1015-malicious-ptrace-usage/...yaml, pkg/rules/r1030-unexpected-io_uring-operation/...yaml	Added "context:kubernetes" tag to spec.rules[0].tags metadata in each rule

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A whisker-twitch of tags, so fine,
Kubernetes now marks each line,
Context clear, the rules take flight,
Twenty-six rules shine in light! ✨

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}