Container drift detected (open+create)

​

Event Information

​

Meaning

• The Container Drift Detected (open+create) event in a Kubernetes cluster indicates that a container within a pod has modified or created a file outside of its designated file system.
• This event could be a potential security risk as it may indicate unauthorized access or tampering with the host system.
• To investigate this event, you can use the following steps:
  1. Identify the pod and container involved in the event using the kubectl describe events <event_id> command.
  2. Inspect the container’s configuration and security policies to ensure that it aligns with the desired state.
  3. Review the container’s logs and file system to identify any suspicious activities or unauthorized modifications.

​

Remediation

1. Retrieve the details of the affected pod:
   • Use the Kubernetes API to get the pod’s information based on the provided metadata (e.g., namespace, pod name).
   • You can use the kubernetes.client library in Python to interact with the Kubernetes API.
   • Use the v1.CoreV1Api().read_namespaced_pod() method to retrieve the pod details.
2. Update the pod’s manifest file:
   • Extract the pod’s manifest file from the retrieved pod details.
   • Modify the manifest file to fix the container drift issue.
   • Ensure that the updated manifest file complies with the correct format of Kubernetes manifest files.
   • You can use the yaml library in Python to parse and modify the manifest file.
3. Apply the updated manifest file:
   • Use the Kubernetes API to apply the updated manifest file to the cluster.
   • You can use the v1beta1.AppsV1Api().replace_namespaced_deployment() method to apply the changes to the pod.
   • Make sure to specify the correct namespace and pod name in the method call.