Launch Suspicious Network Tool in Container

​

Event Information

​

Meaning

• The Launch Suspicious Network Tool in Container event indicates that a container within the Kubernetes cluster has attempted to launch a network tool that is considered suspicious or potentially malicious.
• This event could suggest that an attacker is attempting to gain unauthorized access or perform network reconnaissance within the cluster.
• It is important to investigate this event further to identify the container and take appropriate actions such as isolating the affected container, analyzing its contents, and patching any vulnerabilities that may have been exploited.

To investigate further, you can use the following kubectl commands:

1. List all running pods in the cluster: kubectl get pods -A
2. Describe the suspicious pod: kubectl describe pod <pod_name> -n <namespace>
3. Check the logs of the suspicious pod: kubectl logs <pod_name> -n <namespace>

​

Remediation

1. Identify the affected container:

   • Use the Kubernetes API to list all the pods in the cluster: kubectl get pods -o wide
   • Look for the pod that triggered the event and note its name.

2. Delete the suspicious network tool container:

   • Use the Kubernetes API to delete the container from the pod:

     from kubernetes import client, config
     
     # Load the Kubernetes configuration
     config.load_kube_config()
     
     # Create the Kubernetes API client
     api = client.CoreV1Api()
     
     # Specify the pod name and namespace
     pod_name = "<pod_name>"
     namespace = "<namespace>"
     
     # Get the pod object
     pod = api.read_namespaced_pod(name=pod_name, namespace=namespace)
     
     # Remove the suspicious network tool container from the pod
     containers = pod.spec.containers
     updated_containers = [c for c in containers if c.name != "<container_name>"]
     pod.spec.containers = updated_containers
     
     # Update the pod
     api.replace_namespaced_pod(name=pod_name, namespace=namespace, body=pod)
     

     Replace <pod_name>, <namespace>, and <container_name> with the actual values.

3. Verify the remediation:

   • Check the pod’s status to ensure that the suspicious network tool container is no longer running: kubectl describe pod <pod_name> -n <namespace>

   • Monitor the cluster for any further suspicious activity using appropriate security tools and policies.