Launch Ingress Remote File Copy Tools in Container

​

Event Information

​

Meaning

• The Launch Ingress Remote File Copy Tools in Container event indicates that a process within a container is attempting to copy files remotely using ingress functionality.
• This event could potentially be a security concern as it may indicate unauthorized access or data exfiltration from the container.
• To investigate this event, you can use the following kubectl command to check the logs of the container: kubectl logs <pod_name> -c <container_name>. This will help you identify the source and destination of the file copy operation.

​

Remediation

To remediate the event “Launch Ingress Remote File Copy Tools in Container” using the Python Kubernetes API, you can follow these steps:

1. Identify the affected container:

   • Use the Kubernetes API to list all the pods in the cluster: kubectl get pods -o wide
   • Look for the pod that triggered the event and note down its name and namespace.

2. Delete the affected pod:

   • Use the Python Kubernetes API to delete the pod identified in the previous step.
   • Example code snippet:

     from kubernetes import client, config
     
     # Load the Kubernetes configuration
     config.load_kube_config()
     
     # Create the Kubernetes API client
     api = client.CoreV1Api()
     
     # Delete the pod
     api.delete_namespaced_pod(name="pod-name", namespace="pod-namespace")
     

3. Investigate and mitigate the root cause:

   • Analyze the pod’s YAML manifest to identify how the ingress remote file copy tools were launched.
   • Update the pod’s manifest to remove any unauthorized or suspicious containers or commands.
   • Apply the updated manifest to the cluster using the kubectl apply command.

Please note that the above steps assume you have the necessary permissions to delete pods and modify pod manifests in the cluster. Make sure to test the remediation script in a non-production environment before applying it to a production cluster.