Event Information

Meaning

  • The Interpreted procs outbound network activity event in a Kubernetes cluster indicates that a process running within a container is making outbound network connections.
  • This event could be triggered when a containerized application is attempting to communicate with external services or resources over the network.
  • It is important to investigate this event to ensure that the outbound network activity is legitimate and compliant with the organization’s security policies and compliance standards.
To investigate further, you can use the following kubectl command: 
kubectl get pods --all-namespaces
This command will list all the pods running in the cluster, allowing you to identify the pod associated with the event.

Remediation

  1. Create a Kubernetes Deployment manifest file to deploy a Python script as a container:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: remediation-script
spec:
  replicas: 1
  selector:
    matchLabels:
      app: remediation-script
  template:
    metadata:
      labels:
        app: remediation-script
    spec:
      containers:
      - name: remediation-script
        image: python:3
        command: ["python", "-u"]
        args: ["remediation_script.py"]
        volumeMounts:
        - name: shared-data
          mountPath: /data
      volumes:
      - name: shared-data
        emptyDir: {}
  1. Create a Kubernetes Service manifest file to expose the deployment:
apiVersion: v1
kind: Service
metadata:
  name: remediation-script-service
spec:
  selector:
    app: remediation-script
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  1. Create a Python script named remediation_script.py that uses the Kubernetes Python API to perform the remediation actions:
import os
from kubernetes import client, config

# Load the in-cluster Kubernetes configuration
config.load_incluster_config()

# Create a Kubernetes API client
api_client = client.ApiClient()

# Perform the remediation actions here
# Example: Delete a Pod with a specific label
v1 = client.CoreV1Api(api_client)
v1.delete_collection_namespaced_pod(namespace="default", label_selector="app=malicious-pod")

# Clean up the remediation script Deployment and Service
os.system("kubectl delete deployment remediation-script")
os.system("kubectl delete service remediation-script-service")
Note: Replace app=malicious-pod with the appropriate label selector for the Pods exhibiting the “Interpreted procs outbound network activity” event.