
Kubernetes user attached to pod

ID: k8s_user_attached_to_pod
Data type: Kubernetes
Severity: Informational
MITRE ATT&CK: TA0004:T1098

Description

AlphaSOC detected a user attaching to a running Kubernetes pod by interacting directly with its container. Opening an interactive shell session in this way bypasses the standard deployment process, and may indicate either unauthorized access or legitimate administrative activity carried out outside normal procedures.

Impact

Direct pod access allows users to execute commands, modify container contents, potentially pivot to other containers, and in some cases exploit vulnerabilities to escape to the host system. This access method circumvents deployment controls and audit logging mechanisms, and violates the principle of container immutability that is central to Kubernetes best practices.

Severity

Severity        Condition
Informational   Kubernetes user attached to pod

Investigation and Remediation

Review authentication and audit logs to identify the user and the source IP address behind the pod attachment. Compare this activity against authorized maintenance windows and the approved administrator list. Examine pod logs and file system changes made during the interactive session to determine what actions were taken. If the access was unauthorized, terminate the session immediately and rotate any credentials that may have been exposed. Implement preventative controls such as admission controllers or pod security policies to restrict direct pod access and enforce proper change management procedures.
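The first investigation steps above (find the user and source IP of each exec/attach request in the Kubernetes audit log, then compare them against the approved administrator list and the maintenance window) can be scripted. The following is an added example, not AlphaSOC's detection code; the audit events, the approved-admin set and the maintenance window are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample of Kubernetes audit events (JSON lines), not real cluster data.
# Interactive sessions appear as requests on the pods/exec or pods/attach subresource.
AUDIT_LOG = "\n".join([
    '{"verb":"create","user":{"username":"ops-oncall"},"sourceIPs":["10.20.0.5"],'
    '"objectRef":{"resource":"pods","namespace":"prod","name":"api-0","subresource":"exec"},'
    '"requestReceivedTimestamp":"2024-03-10T02:15:00.000000Z"}',
    '{"verb":"create","user":{"username":"dev-bob"},"sourceIPs":["203.0.113.7"],'
    '"objectRef":{"resource":"pods","namespace":"prod","name":"api-1","subresource":"attach"},'
    '"requestReceivedTimestamp":"2024-03-10T14:02:00.000000Z"}',
    '{"verb":"get","user":{"username":"dev-bob"},"sourceIPs":["203.0.113.7"],'
    '"objectRef":{"resource":"pods","namespace":"prod","name":"api-1"},'
    '"requestReceivedTimestamp":"2024-03-10T14:01:00.000000Z"}',
])

# Assumed local policy: who may open interactive sessions, and when (UTC hours).
APPROVED_ADMINS = {"ops-oncall"}
MAINTENANCE_WINDOW_UTC = (1, 4)   # sessions between 01:00 and 04:00 UTC are expected

def interactive_sessions(audit_jsonl):
    """Yield one record per exec/attach request found in the audit log lines."""
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "pods" or ref.get("subresource") not in ("exec", "attach"):
            continue  # ordinary pod reads/writes are not interactive sessions
        yield {
            "user": ev.get("user", {}).get("username", "<unknown>"),
            "source_ip": (ev.get("sourceIPs") or ["<unknown>"])[0],
            "pod": f'{ref.get("namespace")}/{ref.get("name")}',
            "method": ref["subresource"],
            "time": datetime.strptime(ev["requestReceivedTimestamp"],
                                      "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc),
        }

def triage(session, approved=APPROVED_ADMINS, window=MAINTENANCE_WINDOW_UTC):
    """Return the policy deviations for one session; an empty list means it looks authorized."""
    findings = []
    if session["user"] not in approved:
        findings.append("user not on approved administrator list")
    start, end = window
    if not (start <= session["time"].hour < end):
        findings.append("outside maintenance window")
    return findings

if __name__ == "__main__":
    for s in interactive_sessions(AUDIT_LOG):
        print(s["time"].isoformat(), s["user"], s["source_ip"], s["method"], s["pod"], triage(s))
```

Sessions that return findings are the ones to escalate; the pod name and timestamp give the scope for the pod-log and file-system review that follows.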