Kubernetes Client Tool Launched in Container

​

Event Information

​

Meaning

• Indicates that a Kubernetes client tool was launched inside a container within the cluster, which could potentially be a security concern.
• It is important to investigate the source and purpose of this tool to ensure it complies with security policies and standards.
• To further analyze this event, you can use kubectl to inspect the pod where the tool was launched:

  kubectl describe pod <pod_name>
  

​

Remediation

• Create a Kubernetes Pod manifest file with a Python container that includes the necessary Python Kubernetes API library.
• Use a Kubernetes ServiceAccount with appropriate RBAC permissions to interact with the Kubernetes API.kubectl get pod <pod_name> -n <namespace> -o jsonpath="{.spec.serviceAccountName}"
• List the RBAC roles bound to the service account to ensure no unauthorized access is possible: kubectl get rolebinding,clusterrolebinding -A --field-selector metadata.name=<service-account>
• Modify the container’s security context to prevent unauthorized execution of administrative commands:

  securityContext:
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
  

• Implement network policies to restrict access to the Kubernetes API server from containers that do not need it.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-api-server-access
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.1/32  # Replace with your API server IP
      ports:
        - protocol: TCP
          port: 443

• Write a Python script that uses the Kubernetes API to list and delete the offending Pod(s) based on the event criteria.

apiVersion: v1
kind: Pod
metadata:
  name: remediation-pod
spec:
  containers:
  - name: remediation-container
    image: python:latest
    command: ["python", "-c"]
    args:
    - |
      # Python script using Kubernetes API to list and delete Pods

kubectl apply -f remediation-pod.yaml
kubectl exec -it remediation-pod -- /bin/bash
# Execute the Python script inside the container
kubectl delete pod remediation-pod