Directory traversal monitored file read

​

Event Information

​

Meaning

• The Directory traversal monitored file read event in a Kubernetes cluster indicates that a process within a container is attempting to read a file outside of its designated directory.
• This event could potentially indicate a security vulnerability or an attempt to access sensitive files or system resources.
• To investigate this event, you can use kubectl to check the logs of the affected container and analyze the file paths being accessed. Additionally, you can review the container’s security context and ensure that appropriate file system restrictions are in place.

​

Remediation

To remediate the event of Directory traversal monitored file read using Python Kubernetes API, you can follow these steps:

1. Identify the affected pod:

   • Use the event details to determine the pod name or namespace where the event occurred.
   • Run the following command to get the pod details:

     kubectl get pods -n <namespace>
     

2. Update the pod’s security context:

   • Edit the pod’s YAML manifest file using the following command:

     kubectl edit pod <pod-name> -n <namespace>
     

   • Add or modify the securityContext section to restrict the pod’s access to the host filesystem. For example:

     spec:
       securityContext:
         readOnlyRootFilesystem: true
         runAsNonRoot: true
         runAsUser: 1000
     

3. Apply the changes:

   • Save the changes to the manifest file and exit the editor.
   • Verify that the changes have been applied by running the following command:

     kubectl describe pod <pod-name> -n <namespace>
     

Note: The above steps assume that you have the necessary permissions to edit the pod’s manifest file and apply changes to the cluster.