Kubernetes Pod Created in Kube Namespace
Set up the Kubernetes integration.
Goal
Detect when a user is creating a pod in one of the Kubernetes default namespaces.
Strategy
This rule monitors when a create (@http.method:create) action occurs for a pod (@objectRef.resource:pods) within either of the kube-system or kube-public namespaces.
The only users creating pods in the kube-system namespace should be cluster administrators. Furthermore, it is best practice to not run any cluster-critical infrastructure in the kube-system namespace.
The kube-public namespace is intended for Kubernetes objects which should be readable by unauthenticated users. Thus, a pod should likely not be created in the kube-public namespace.
Triage and response
Determine if the user should be creating this new pod in one of the default namespaces.
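As an added example (not Datadog's rule or code), the Python below applies the same condition to raw Kubernetes audit events and marks, for triage, whether the creating user is on an allowlist. It assumes the rule's @http.method and @objectRef.resource correspond to the audit fields verb and objectRef.resource; the sample events, user names and EXPECTED_CREATORS are constructed, and skipping subresource requests and non-final audit stages is a choice of this example, not something the rule's query states.

```python
import json

WATCHED_NAMESPACES = {"kube-system", "kube-public"}  # namespaces named by the rule
EXPECTED_CREATORS = {"cluster-admin@example.com"}    # hypothetical admin allowlist

# Constructed audit.k8s.io/v1 events, one JSON object per line.
SAMPLE_AUDIT_LOG = r"""
{"stage":"RequestReceived","verb":"create","user":{"username":"dev@example.com"},"objectRef":{"resource":"pods","namespace":"kube-system"}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"dev@example.com"},"objectRef":{"resource":"pods","namespace":"kube-system"},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"cluster-admin@example.com"},"objectRef":{"resource":"pods","namespace":"kube-public"},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:kube-scheduler"},"objectRef":{"resource":"pods","subresource":"binding","namespace":"kube-system"},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"dev@example.com"},"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"dev@example.com"},"objectRef":{"resource":"pods","namespace":"kube-system"},"responseStatus":{"code":200}}
this line is not JSON
"""

def find_pod_creations(log_text):
    """Return one finding per completed pod create in a watched namespace."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        if not isinstance(event, dict):
            continue
        ref = event.get("objectRef") or {}
        if event.get("stage") != "ResponseComplete":
            continue  # a request is logged at several stages; count it once
        if event.get("verb") != "create" or ref.get("resource") != "pods":
            continue
        if ref.get("subresource"):
            continue  # pods/binding, pods/exec etc. are not pod creation
        if ref.get("namespace") not in WATCHED_NAMESPACES:
            continue
        user = (event.get("user") or {}).get("username", "<unknown>")
        findings.append({
            "user": user,
            "namespace": ref["namespace"],
            "status": (event.get("responseStatus") or {}).get("code"),
            "expected_creator": user in EXPECTED_CREATORS,  # triage hint only
        })
    return findings

if __name__ == "__main__":
    for finding in find_pod_creations(SAMPLE_AUDIT_LOG):
        print(finding)
```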
Changelog
- 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
- 16 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.