Kubernetes Pod Created in Kube Namespace

Set up the Kubernetes integration.


Goal

Detect when a user is creating a pod in one of the Kubernetes default namespaces.

Strategy

This rule monitors when a create action (@http.method:create) occurs for a pod (@objectRef.resource:pods) within either the kube-system or the kube-public namespace.

The only users creating pods in the kube-system namespace should be cluster administrators. Furthermore, it is best practice not to run any cluster-critical infrastructure in the kube-system namespace.

The kube-public namespace is intended for Kubernetes objects which should be readable by unauthenticated users. Thus, a pod should likely not be created in the kube-public namespace.
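The following is an added example, not Datadog's rule code, that replays the same logic over raw Kubernetes audit events (the audit.k8s.io/v1 shape, where the `verb` field corresponds to the rule's `@http.method` attribute; that mapping is an assumption here). The sample events are constructed, and the example goes one step beyond the page by ignoring subresource creates such as `pods/exec` or `pods/binding`, which also carry `resource: pods` with the `create` verb but are not new pods.

```python
"""Replay the detection logic over Kubernetes audit events (added example, not Datadog's code)."""
import json
from collections import Counter

# Namespaces the rule watches (from the page).
DEFAULT_NAMESPACES = frozenset({"kube-system", "kube-public"})

# Constructed sample audit events in the audit.k8s.io/v1 shape; these are not real logs.
# Line 2 is a scheduler binding (subresource), line 3 is a read, line 5 is a normal
# namespace, line 6 is not a pod, and line 7 is deliberately truncated.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"alice@example.test"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"debug-shell"},"requestReceivedTimestamp":"2024-07-16T10:00:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:kube-scheduler"},"objectRef":{"resource":"pods","subresource":"binding","namespace":"kube-system","name":"coredns-5d4b"},"requestReceivedTimestamp":"2024-07-16T10:00:01Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"alice@example.test"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"debug-shell"},"requestReceivedTimestamp":"2024-07-16T10:00:02Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"ci-deployer"},"objectRef":{"resource":"pods","namespace":"kube-public","name":"web"},"requestReceivedTimestamp":"2024-07-16T10:00:03Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"app-prod","name":"web"},"requestReceivedTimestamp":"2024-07-16T10:00:04Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"deployments","namespace":"kube-system","name":"tool"},"requestReceivedTimestamp":"2024-07-16T10:00:05Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"usern
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON audit events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line must not abort the whole scan
    return events


def matches_rule(event):
    """Same conditions as the page's query: create verb, pods resource, default namespace.

    Excluding subresource creates (pods/exec, pods/binding, ...) is this example's own
    choice, not something the page states.
    """
    ref = event.get("objectRef") or {}
    return (
        event.get("verb") == "create"
        and ref.get("resource") == "pods"
        and not ref.get("subresource")
        and ref.get("namespace") in DEFAULT_NAMESPACES
    )


def find_matches(text):
    """Return triage-ready summaries (user, namespace, pod, time) for each matching event."""
    out = []
    for ev in parse_audit_log(text):
        if matches_rule(ev):
            ref = ev["objectRef"]
            out.append({
                "user": (ev.get("user") or {}).get("username", "<unknown>"),
                "namespace": ref["namespace"],
                "pod": ref.get("name", "<unnamed>"),
                "time": ev.get("requestReceivedTimestamp", "<no timestamp>"),
            })
    return out


def matches_by_user(text):
    """Count matches per user; 'who did this' is the first triage question."""
    return Counter(m["user"] for m in find_matches(text))


if __name__ == "__main__":
    for m in find_matches(SAMPLE_AUDIT_LOG):
        print(f"{m['time']} {m['user']} created pod {m['namespace']}/{m['pod']}")
```

Run against the constructed sample, only the `alice@example.test` create in kube-system and the `ci-deployer` create in kube-public are reported; the scheduler's binding, the read, the app-prod pod, the deployment, and the truncated line are all dropped. Grouping hits by user is what the triage step needs first: a known cluster administrator is expected, anyone else warrants a closer look.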

Triage and response

Determine if the user should be creating this new pod in one of the default namespaces.

Changelog

  • 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
  • 16 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.