1. Overview

Exploiting weaknesses in the container orchestrator to manipulate cluster settings is known as a Kubernetes attack. This incident indicates attempts to directly access Kubernetes infrastructure from within a running container. This may be an attempt to compromise the orchestrator.

Actions that can trigger this incident include attempts to download and use Kubernetes administrative tools within a container, in addition to any attempts to access Kubernetes metadata.

To detect Kubernetes attacks, you must have a runtime rule with the Detect Kubernetes attacks option enabled.

2. Investigation

The first step in an investigation is to validate that the changes represent a bona fide security incident. Having determined that this is a bona fide incident, then the next steps focus on determining how an attacker would have gained access to the resources with access to the Kubernetes cluster. Also, it is important to restrict access to your cluster by following best practices regarding access control.

Review your Kubernetes cluster to ensure that no actions were taken to compromise your cluster. In addition, closely review the audit actions and the forensic data available through incident explorer to understand the scope of the incident.

3. Mitigation

A full mitigation strategy for this incident begins with resolving the issues that allowed the attacker to attempt to access the Kubernetes infrastructure.

For additional protection, customize your runtime rules to prevent or block actions that access the metadata services or the open local kubelet port. Compliance rules should include checks set to alert or block to ensure your containers and hosts are following the best practices for Kubernetes.