Event Information

Meaning

  • Indicates that an SSH connection attempt was made to a Kubernetes pod, which is a security risk as it bypasses the intended container orchestration mechanisms.
  • It could suggest a potential security breach or unauthorized access attempt within the cluster.
  • Immediate investigation and remediation are necessary to ensure compliance with security best practices and prevent further unauthorized access.
To investigate further:
  1. Check the specific pod and node where the SSH connection attempt was made: kubectl get pods --all-namespaces kubectl describe pod <pod_name> -n <namespace>
  2. Review the pod’s security context and network policies to identify any misconfigurations: kubectl get pod <pod_name> -n <namespace> -o yaml
  3. Monitor network traffic and access logs within the cluster to detect any other suspicious activities: kubectl logs <network_policy_controller_pod> -n kube-system

Remediation

  1. Restrict SSH Access:
    • Ensure that SSH access is not allowed to any of the pods within your cluster. If SSH is needed for debugging or maintenance, restrict it to specific nodes and use secure channels.
  2. Implement Network Policies:
    • Create or update Kubernetes Network Policies to restrict SSH traffic to only allowed sources or block non-standard ports.
    apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
   name: deny-all
   namespace: <namespace>
spec:
   podSelector: {}
   policyTypes:
      - Ingress
   ingress: []
  3. Use Pod Security Standards:
    • Apply PodSecurityAdmission (PSA) policies to enforce security constraints on your pods, such as disallowing privilege escalation and requiring non-root users.
Note: Make sure to test the remediation steps in a non-production environment before applying them to production.