Event Information

Meaning

  • The Disallowed SSH Connection Non Standard Port event in a Kubernetes cluster indicates that an attempt was made to establish an SSH connection using a non-standard port.
  • This event suggests a potential security risk as SSH connections on non-standard ports are often used to evade detection or exploit vulnerabilities.
  • To investigate this event, you can use kubectl to check the logs of the relevant pod or container to gather more information about the attempted SSH connection. For example, you can use the following command: kubectl logs <pod-name> -c <container-name>.

Remediation

  1. Restrict SSH Access:

    • Ensure that SSH access is not allowed to any of the pods within your cluster. If SSH is needed for debugging or maintenance, restrict it to specific nodes and use secure channels.

  2. Implement Network Policies:

    • Create or update Kubernetes Network Policies to restrict SSH traffic to only allowed sources or block non-standard ports.
    apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
   name: deny-all
   namespace: <namespace>
spec:
   podSelector: {}
   policyTypes:
      - Ingress
   ingress: []

  3. Use Pod Security Standards:

    • Apply PodSecurityAdmission (PSA) policies to enforce security constraints on your pods, such as disallowing privilege escalation and requiring non-root users.

Note: Make sure to test the remediation steps in a non-production environment before applying them to production.