Kubernetes privileged pod created
Description
AlphaSOC detected the creation of a Kubernetes pod with at least one container whose securityContext sets `privileged: true`. A privileged container runs with all Linux capabilities and with access to the node's device nodes, and the container runtime leaves it unconfined by the default seccomp and AppArmor profiles. The process-level isolation that normally separates a container from its node is therefore largely removed: a process inside the container is, in practice, as capable as a root process on the host.
Impact
A privileged container can read and write host resources, change kernel and system settings, and interact with hardware devices directly. An attacker who compromises a privileged pod can escape the container boundary and execute commands on the node, for example by mounting the node's root filesystem from its block device. From the node they can read secrets and credentials cached there (including the kubelet's own credentials), move laterally through the cluster, and establish persistence through node-level modifications.
Severity
| Severity | Condition |
|---|---|
| Low | Kubernetes privileged pod created |
Investigation and Remediation
- Review the Kubernetes audit log for the `create` event on the pod: the `user.username`, `sourceIPs` and `userAgent` fields identify who created it and from where, and the request or response object carries the full pod specification. Check `metadata.ownerReferences` as well; if the pod belongs to a DaemonSet, Deployment or Job, the controller's service account appears as the creator and the workload definition is where the privileged setting was introduced.
- Examine the pod specification to decide whether privileged access is actually required. Many workloads that ask for `privileged: true` only need a specific capability, a host path or a device, each of which can be granted more narrowly.
- Remove any unauthorized privileged pod, together with the controller that would recreate it, and inspect the node it was scheduled on for suspicious activity: unexpected processes, mounts of host block devices, new static pods, cron entries or SSH keys, and outbound connections from the node.
- Apply Pod Security Standards through Pod Security Admission by labelling namespaces with `pod-security.kubernetes.io/enforce: baseline` (or `restricted`); privileged containers are rejected at the baseline level.
- Deploy a policy admission controller such as OPA Gatekeeper to enforce cluster-wide rules, including exemptions for the workloads that legitimately need privileged access.
- Configure RBAC to limit which users and service accounts can create pods or the controllers that create them. Note that RBAC alone cannot distinguish a privileged pod create from an ordinary one, so it complements admission policy rather than replacing it.
Known False Positives
- Security and monitoring tools that require system-level access for scanning
- System maintenance pods that need privileged access for node operations
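As a worked triage example for the investigation steps and the false positives above, the Python below reads Kubernetes audit records, keeps only the pod `create` events whose spec contains a privileged init or regular container, extracts who created the pod and from where, and marks the finding as expected when the namespace or service account is on an allowlist of known privileged workloads. This is an added example, not AlphaSOC's detection logic or code from any project; the audit records are constructed to mimic the `audit.k8s.io/v1` format, and the `ALLOWED_NAMESPACES` and `ALLOWED_SERVICE_ACCOUNTS` allowlists are hypothetical placeholders for a real cluster's inventory.

```python
"""Triage Kubernetes audit events for privileged pod creation.

Added example, not AlphaSOC's own logic. Audit records are constructed to mimic
audit.k8s.io/v1 at RequestResponse level; the allowlists are hypothetical.
"""
import json

# Hypothetical allowlist for the known false positives: privileged workloads
# are expected in these namespaces or under these service accounts.
ALLOWED_NAMESPACES = {"kube-system"}
ALLOWED_SERVICE_ACCOUNTS = {"security-scanner", "node-maintenance"}


def privileged_containers(pod_spec):
    """Names of init and regular containers that set securityContext.privileged: true."""
    names = []
    for field in ("initContainers", "containers"):
        for container in pod_spec.get(field) or []:
            security_context = container.get("securityContext") or {}
            if security_context.get("privileged") is True:
                names.append(container["name"])
    return names


def triage(event):
    """Return a finding dict for a privileged pod create, or None otherwise."""
    ref = event.get("objectRef", {})
    # Only pod creates count; 'create' on pods/exec or pods/binding is a different action.
    if event.get("verb") != "create" or ref.get("resource") != "pods" or ref.get("subresource"):
        return None
    # responseObject holds the persisted spec (after admission defaulting);
    # requestObject is the fallback when the audit policy logs only the request.
    pod = event.get("responseObject") or event.get("requestObject") or {}
    spec = pod.get("spec", {})
    names = privileged_containers(spec)
    if not names:
        return None
    namespace = ref.get("namespace")
    service_account = spec.get("serviceAccountName", "default")
    expected = namespace in ALLOWED_NAMESPACES or service_account in ALLOWED_SERVICE_ACCOUNTS
    return {
        "namespace": namespace,
        "pod": pod.get("metadata", {}).get("name") or ref.get("name"),
        "privileged_containers": names,
        "created_by": event.get("user", {}).get("username"),
        "source_ips": event.get("sourceIPs", []),
        "service_account": service_account,
        "verdict": "expected" if expected else "investigate",
    }


def triage_log(lines):
    """Parse JSON-lines audit output and return a finding per privileged pod create."""
    findings = []
    for line in lines:
        finding = triage(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed audit records (not real cluster data).
SAMPLE_AUDIT_LOG = [
    # A developer creates a privileged pod in 'default' with kubectl: investigate.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
                "verb": "create", "user": {"username": "dev@example.com"},
                "sourceIPs": ["203.0.113.7"], "userAgent": "kubectl/v1.29.0",
                "objectRef": {"resource": "pods", "namespace": "default", "name": "debug"},
                "responseObject": {"metadata": {"name": "debug"},
                                   "spec": {"serviceAccountName": "default",
                                            "containers": [{"name": "debug", "image": "busybox",
                                                            "securityContext": {"privileged": True}}]}}}),
    # The DaemonSet controller creates a node-maintenance pod in kube-system: expected.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
                "verb": "create",
                "user": {"username": "system:serviceaccount:kube-system:daemon-set-controller"},
                "sourceIPs": ["10.0.0.1"],
                "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "node-tuner-x7k2p"},
                "responseObject": {"metadata": {"name": "node-tuner-x7k2p"},
                                   "spec": {"serviceAccountName": "node-maintenance",
                                            "initContainers": [{"name": "sysctl", "image": "busybox",
                                                                "securityContext": {"privileged": True}}],
                                            "containers": [{"name": "tuner", "image": "tuner:1.0"}]}}}),
    # An ordinary unprivileged pod: no finding.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
                "verb": "create", "user": {"username": "ci-deployer"},
                "objectRef": {"resource": "pods", "namespace": "web", "name": "api-5c9"},
                "responseObject": {"metadata": {"name": "api-5c9"},
                                   "spec": {"containers": [{"name": "api", "image": "api:2.3",
                                                            "securityContext": {"privileged": False}}]}}}),
    # 'create' on the exec subresource of the privileged pod is not a pod create.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                "verb": "create", "user": {"username": "dev@example.com"},
                "objectRef": {"resource": "pods", "subresource": "exec",
                              "namespace": "default", "name": "debug"}}),
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_AUDIT_LOG):
        print(json.dumps(finding))
```

Running the script prints two findings: the developer's `debug` pod marked `investigate`, with the creator and source IP to pivot on, and the `node-tuner` pod marked `expected` because it is in `kube-system`. The privileged init container is caught even though the main container is unprivileged, and the `pods/exec` event is ignored because `create` on a subresource is not a pod creation.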