Kubernetes resource created in service namespace
Description
AlphaSOC detected the creation of a pod in the kube-system namespace that was not expected. kube-system is a service namespace: it holds the control-plane and add-on components the cluster needs to operate. A workload placed there blends in with legitimate system services, so an adversary who can create pods in this namespace gains a persistent foothold and access to the elevated privileges those services run with.
Impact
Unauthorized pods in the kube-system namespace pose a significant risk to cluster operations. A threat actor can use such a pod to execute commands with elevated privileges (for example through the namespace's service accounts, host namespaces, or host mounts), read sensitive configuration data such as secrets and ConfigMaps used by system components, and establish long-term persistence that survives cleanup of user namespaces.
Severity
| Severity | Condition |
|---|---|
| Low | Kubernetes resource created in service namespace |
Investigation and Remediation
Review the pod specification (security context, host namespaces, hostPath mounts, service account), the container images and the registries they were pulled from, and the API server audit log to establish who created the pod and whether the creation was authorized, for example as part of a planned add-on rollout. Look for suspicious network connections, file-system access, or privilege-escalation attempts originating from the pod. Delete unauthorized pods and audit the security context of the remaining workloads. Review the RBAC bindings that grant create on pods in kube-system and restrict them to the controllers and deployment identities that genuinely need them.
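The following is an added triage example, not part of AlphaSOC's product or of the original page. It runs the checks described above over Kubernetes API audit events (audit.k8s.io/v1, JSON lines) and flags pod creations in a service namespace by an unexpected identity, bare pods with no controller owner, host namespaces, hostPath mounts, privileged containers, and images from an untrusted registry. The audit events, the `EXPECTED_CREATORS` allowlist and the `TRUSTED_REGISTRIES` list are constructed assumptions for the example and should be replaced with the identities and registries that legitimately deploy into your cluster.

```python
import json
from typing import Any

SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease"}

# Assumption: identities that routinely create pods in kube-system on a
# stock cluster. Extend with your own CI/CD or add-on deployment identities.
EXPECTED_CREATORS = {
    "system:kube-controller-manager",
    "system:serviceaccount:kube-system:daemon-set-controller",
    "system:serviceaccount:kube-system:replicaset-controller",
    "system:serviceaccount:kube-system:job-controller",
}

# Assumption: registries that system components are normally pulled from.
TRUSTED_REGISTRIES = ("registry.k8s.io/", "k8s.gcr.io/")


def triage_audit_event(event: dict[str, Any]) -> list[str]:
    """Return findings for one audit.k8s.io/v1 event.

    Only successful pod creations in a service namespace are examined;
    every other event yields an empty list.
    """
    ref = event.get("objectRef", {})
    if (event.get("verb") != "create" or ref.get("resource") != "pods"
            or ref.get("namespace") not in SYSTEM_NAMESPACES):
        return []
    if event.get("responseStatus", {}).get("code", 0) >= 300:
        return []  # the API server rejected the request; nothing was created

    findings: list[str] = []
    user = event.get("user", {}).get("username", "<unknown>")
    if user not in EXPECTED_CREATORS:
        findings.append(f"pod created directly by unexpected identity {user}")

    pod = event.get("requestObject", {})
    if not pod.get("metadata", {}).get("ownerReferences"):
        findings.append("bare pod with no controller ownerReferences")

    spec = pod.get("spec", {})
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{flag} enabled")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None:
            findings.append(f"hostPath mount of {path}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"privileged container {c.get('name')}")
        image = c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRIES):
            findings.append(f"image from untrusted registry: {image}")
    return findings


def triage_audit_log(lines) -> dict[str, list[str]]:
    """Map pod name -> findings for every flagged event in a JSON-lines audit log."""
    results: dict[str, list[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        findings = triage_audit_event(event)
        if findings:
            results[event["objectRef"].get("name", "<unnamed>")] = findings
    return results


# Constructed sample events (not real cluster data).
LEGIT_EVENT = {  # CoreDNS replica created by the ReplicaSet controller
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
    "user": {"username": "system:serviceaccount:kube-system:replicaset-controller"},
    "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "coredns-5d78c9869d-x7k2p"},
    "responseStatus": {"code": 201},
    "requestObject": {
        "metadata": {"ownerReferences": [{"kind": "ReplicaSet", "name": "coredns-5d78c9869d"}]},
        "spec": {"containers": [{"name": "coredns", "image": "registry.k8s.io/coredns/coredns:v1.11.1"}]},
    },
}
SUSPICIOUS_EVENT = {  # bare privileged pod created by a human user
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
    "user": {"username": "jane@example.com"},
    "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "kube-proxy-helper"},
    "responseStatus": {"code": 201},
    "requestObject": {
        "metadata": {"name": "kube-proxy-helper"},
        "spec": {"hostPID": True,
                 "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                 "containers": [{"name": "helper", "image": "docker.io/library/alpine:3.19",
                                 "securityContext": {"privileged": True}}]},
    },
}
DENIED_EVENT = dict(SUSPICIOUS_EVENT, responseStatus={"code": 403})  # RBAC refused it

SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in (LEGIT_EVENT, SUSPICIOUS_EVENT, DENIED_EVENT))

if __name__ == "__main__":
    for name, findings in triage_audit_log(SAMPLE_AUDIT_LOG.splitlines()).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Running it reports only `kube-proxy-helper`, with six findings; the CoreDNS pod and the rejected request produce none. The same checks map directly onto the remediation steps: the creator identity tells you which RoleBinding or ClusterRoleBinding to review, and the host namespace, hostPath and privileged flags are what a restrictive Pod Security admission level for kube-system would block.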