Update falco-incubating_rules.yaml

Signed-off-by: Kapil Sharma <[email protected]>

rules/falco-incubating_rules.yaml

@@ -572,10 +572,10 @@
 
 - macro: allowed_openshift_registry_root
   condition: >
-    (container.image.repository startswith openshift3/ or
-     container.image.repository startswith registry.redhat.io/openshift3/ or
+    (container.image.repository startswith "openshift3/"" or
+     container.image.repository startswith "registry.redhat.io/openshift3/" or
      container.image.repository startswith
-     registry.access.redhat.com/openshift3/)
+     "registry.access.redhat.com/openshift3/")
 
 # Source:
 # https://docs.openshift.com/enterprise/3.2/install_config/install/
@@ -1386,21 +1386,21 @@
 
 - macro: known_gke_mount_in_privileged_containers
   condition:
-    (k8s.ns.name = kube-system
+    (k8s.ns.name = "kube-system"
     and
-    container.image.repository = gke.gcr.io/
-    gcp-compute-persistent-disk-csi-driver)
+    container.image.repository = "gke.gcr.io/" \
+    "gcp-compute-persistent-disk-csi-driver")
 
 - macro: known_aks_mount_in_privileged_containers
   condition:
     (
-      (k8s.ns.name = kube-system and container.image.repository in
-       (mcr.microsoft.com/oss/kubernetes-csi/azuredisk-csi,
-       mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi)
+      (k8s.ns.name = "kube-system" and container.image.repository in
+       ("mcr.microsoft.com/oss/kubernetes-csi/azuredisk-csi",
+        "mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi")
       )
     or
-    (k8s.ns.name = system and container.image.repository =
-     mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver))
+    (k8s.ns.name = "system" and container.image.repository =
+     "mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver"))
 
 - macro: user_known_mount_in_privileged_containers
   condition: (never_true)