New K8s Pod
This alert occurs when Lacework detects that a new pod was created in a Kubernetes cluster.
Why this alert is important
A pod is the smallest deployable unit in Kubernetes: a group of one or more containers that share a network namespace and storage volumes. When a pod is created, the scheduler places it on a node that satisfies its constraints, it receives its own cluster IP address, and it runs with the identity of a service account whose token is mounted into its containers by default.
Pod creation can be significant because every new pod is new attack surface in the cluster. An actor who can create pods has arbitrary code execution inside the cluster network, and the pod spec they choose decides how much further they can go: a privileged container, hostPID or hostNetwork, or a hostPath mount of the node filesystem can give them the node itself, and the mounted service account token gives them whatever RBAC permissions that account holds.
Investigation
When investigating a newly created K8s pod, there are several steps you can take to gather more information and assess the potential security implications, including:
- Identify who created the pod. The Kubernetes API server audit log records the create request with the requesting identity (user or service account), source IP, and user agent. A pod created by a controller is recorded under the controller's service account (for example the ReplicaSet controller in kube-system); in that case follow the pod's ownerReferences to the Deployment, Job, or DaemonSet and find the request that created that object instead. Correlate with your security monitoring tools for the same time window.
- Review the pod's configuration: name, namespace, labels, container images (and whether they are pinned by digest or use a mutable tag such as latest), service account, security context (privileged, capabilities, runAsUser), host namespaces (hostPID, hostNetwork, hostIPC), volumes such as hostPath, and any Services or Endpoints that route traffic to it.
- Look for signs of suspicious activity from the pod: unusual network connections, connections to the API server or to the node's metadata endpoint, unexpected CPU or memory use, or attempts to reach external hosts.
- Check what the pod can access, not only who can access it. Review the RBAC roles bound to its service account, the network policies that apply to it, and any secrets it mounts. A pod is often the foothold; the service account token and network reach are how an attacker moves laterally.
- Review the resources the pod depends on, such as persistent volumes, ConfigMaps, and Secrets, and look for misconfigurations an attacker could exploit, for example a writable hostPath or a secret containing cloud credentials.
- Assess the impact on your environment. Determine whether the pod runs in a critical namespace or node pool, whether it is exposed through a Service or Ingress, and whether the combination of findings above amounts to a significant security risk.
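The steps above can be partly automated. The following Python script is an added example, not Lacework's or Kubernetes' own code. It assumes two inputs a practitioner can pull from the cluster: the API server audit log in the standard audit.k8s.io Event JSON-lines format, and the pod object as returned by `kubectl get pod <name> -n <ns> -o json`. Both sample inputs below are constructed for the example. The script finds the create request for the pod, flags the spec settings that matter in triage, and, going slightly beyond the text, works out from ownerReferences whether deleting the pod will actually remove it or whether a controller will just recreate it.

```python
"""Triage helper for a "New K8s Pod" alert (added example; inputs are constructed)."""
import json

# Constructed audit events: one pod create by a human user from an external
# address, plus an unrelated read that the filter must ignore.
AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-user@example.com","groups":["system:authenticated"]},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.28.0","objectRef":{"resource":"pods","namespace":"prod","name":"debug-shell"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-05-01T10:15:02Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:deployment-controller"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"prod","name":"web-7d9c"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:15:03Z"}
"""

# Constructed pod object: a bare pod (no controller) with several risky settings.
POD = {
    "metadata": {"name": "debug-shell", "namespace": "prod",
                 "labels": {"app": "debug"}, "ownerReferences": []},
    "spec": {
        "serviceAccountName": "default",
        "hostPID": True,
        "hostNetwork": False,
        "containers": [{"name": "sh", "image": "docker.io/library/alpine:latest",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}


def find_pod_creations(audit_jsonl, namespace, name):
    """Return the audit events that created the named pod (who, from where, with what client)."""
    hits = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if (ev.get("verb") == "create" and ev.get("stage") == "ResponseComplete"
                and ref.get("resource") == "pods"
                and ref.get("namespace") == namespace and ref.get("name") == name):
            hits.append({"user": ev.get("user", {}).get("username"),
                         "source_ips": ev.get("sourceIPs", []),
                         "user_agent": ev.get("userAgent"),
                         "time": ev.get("requestReceivedTimestamp")})
    return hits


def risky_settings(pod):
    """Flag spec settings that widen what the pod can reach: host namespaces,
    hostPath mounts, privileged or root containers, and images not pinned by digest."""
    spec, findings = pod["spec"], []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(flag)
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append("hostPath:" + str(vol["hostPath"].get("path")))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append("privileged:" + c["name"])
        if sc.get("runAsUser") == 0:
            findings.append("runAsRoot:" + c["name"])
        if "@sha256:" not in c.get("image", ""):
            findings.append("mutable-image:" + c.get("image", ""))
    return findings


def removal_plan(pod):
    """Deleting a controller-managed pod only gets it recreated, so point the
    operator at the owning controller instead of the pod."""
    md = pod["metadata"]
    ns, name = md["namespace"], md["name"]
    owner = next((o for o in md.get("ownerReferences", []) if o.get("controller")), None)
    if owner is None:
        return {"managed_by": None, "commands": ["kubectl delete pod %s -n %s" % (name, ns)]}
    kind, oname = owner["kind"], owner["name"]
    cmds = ["kubectl get %s %s -n %s -o yaml" % (kind.lower(), oname, ns)]  # inspect owner first
    if kind in ("Deployment", "StatefulSet", "ReplicaSet"):
        # A ReplicaSet is usually owned by a Deployment, which will undo a scale
        # on the ReplicaSet; check the ReplicaSet's own ownerReferences too.
        cmds.append("kubectl scale %s/%s --replicas=0 -n %s" % (kind.lower(), oname, ns))
    else:
        cmds.append("kubectl delete %s %s -n %s" % (kind.lower(), oname, ns))
    return {"managed_by": "%s/%s" % (kind, oname), "commands": cmds}


def triage(pod, audit_jsonl):
    """Combine the three checks into one summary for the analyst."""
    md = pod["metadata"]
    return {"pod": "%s/%s" % (md["namespace"], md["name"]),
            "labels": md.get("labels", {}),
            "service_account": pod["spec"].get("serviceAccountName", "default"),
            "created_by": find_pod_creations(audit_jsonl, md["namespace"], md["name"]),
            "risky_settings": risky_settings(pod),
            "removal": removal_plan(pod)}


if __name__ == "__main__":
    print(json.dumps(triage(POD, AUDIT_LOG), indent=2))
```

For the constructed input the summary shows a human user creating a bare, privileged pod with hostPID and a hostPath mount of `/` from an external address, which is the profile of a node-escape attempt rather than a routine deployment. The audit-log filter matches on the ResponseComplete stage so that requests the API server rejected (recorded with a non-2xx responseStatus) can be inspected separately if needed.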
Resolution
If you have determined that a new K8s pod is malicious, isolate it and remove it from your Kubernetes environment. If you need the pod for forensics, first cut it off with a NetworkPolicy that denies all ingress and egress and capture its filesystem and logs, then delete it. A bare pod can be removed with kubectl delete pod. A pod that has a controller in its ownerReferences (a Deployment, ReplicaSet, StatefulSet, DaemonSet, Job, or CronJob) will simply be recreated after deletion, so scale the owning Deployment or StatefulSet to zero replicas or delete the owning object instead; pods themselves have no replica count.
After that, follow these steps to resolve the alert:
- Treat the identity that created the pod as compromised until shown otherwise: revoke or rotate its credentials, and review the RBAC bindings that allowed it to create pods (and any other permissions it holds) along with the network policies that applied to the pod.
- Remove any associated resources the malicious pod may have created or relied on, such as storage volumes, Services, Secrets, ConfigMaps, or additional workloads.
- Harden your environment to prevent a recurrence. This may involve restricting who can create pods through RBAC, enforcing Pod Security admission to block privileged containers, host namespaces, and hostPath mounts, using network segmentation, and regularly reviewing your security configurations.
- Continue monitoring your Kubernetes environment for further signs of malicious activity. Use security monitoring tools to identify and respond to threats in real time.