Linux Kernel Module Injection Detected

​

Event Information

​

Meaning

• The Linux Kernel Module Injection Detected event in a Kubernetes cluster indicates that an unauthorized or malicious kernel module has been injected into the system.
• This event could potentially compromise the security and stability of the cluster, as the injected module can perform unauthorized actions or provide unauthorized access to the system.
• It is crucial to investigate and remediate this event promptly to ensure the integrity and compliance of the Kubernetes cluster.

To investigate and remediate this event, you can:

• Use the kubectl get pods command to identify the affected pod(s) and their corresponding nodes.
• Use the kubectl describe pod <pod_name> command to gather more information about the pod, such as the image being used and any suspicious activities.
• If necessary, delete and recreate the affected pod(s) using the kubectl delete pod <pod_name> and kubectl create -f <pod_manifest.yaml> commands, respectively.

​

Remediation

1. Identify the affected pod(s) by checking the podName field in the event.

   • Use the Kubernetes API to get the pod details: kubectl get pod <podName> -o yaml
   • Note down the namespace and labels of the affected pod.

2. Create a Kubernetes manifest file to delete the affected pod(s) and prevent further injection:

   • Create a YAML file (e.g., remediation.yaml) with the following content:

     apiVersion: v1
     kind: Pod
     metadata:
       namespace: <namespace>
       labels:
         <labels>
     spec:
       restartPolicy: Never
       containers:
       - name: remediation-container
         image: alpine:latest
         command: ["sh", "-c", "sleep 10"]
     

   • Replace <namespace> with the namespace of the affected pod(s).
   • Replace <labels> with the labels of the affected pod(s).
   • This manifest creates a temporary pod that sleeps for 10 seconds and then terminates. This will effectively delete the affected pod(s) and prevent further injection.

3. Apply the remediation manifest to the cluster:

   • Use the Kubernetes API to apply the remediation manifest: kubectl apply -f remediation.yaml

   • Verify that the remediation pod is created and completes successfully: kubectl get pod -l=app=remediation-container

   • Monitor the cluster to ensure that the affected pod(s) are deleted and no new injection occurs: kubectl get pod -n <namespace>