The “Run shell untrusted” event in a Kubernetes cluster indicates that a shell command was executed within a container running in the cluster, and it was flagged as untrusted.
This event typically occurs when a user or process attempts to run a shell command that is not allowed or violates the security policies defined for the cluster.
It is important to investigate this event further to determine the source of the command and assess whether it poses a security risk or violates any compliance standards.
To investigate further, you can:
Use the kubectl get pods command to identify the pod in which the event occurred.
Use the kubectl logs <pod-name> command to view the logs of the container and look for any suspicious or unauthorized shell commands.
Review the security policies and access controls in place to ensure that only trusted and authorized commands are allowed to be executed within the cluster.
Use Security Context Constraints (SCC) or an alternative to Pod Security Policies (PSP).
Since PodSecurityPolicy is deprecated, consider using alternative solutions like Kubernetes PodSecurityAdmission or OPA/Gatekeeper to enforce security policies.
Kubernetes PodSecurityAdmission (PSA) provides a built-in way to enforce security policies. Here’s an example of how to enforce security controls using PSA:
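The following manifest is an added example, not taken from the original page: it labels a namespace so that Pod Security Admission enforces the built-in "restricted" profile, and shows a pod spec that passes that profile (non-root, no privilege escalation, all capabilities dropped, default seccomp). The namespace name, pod name and image reference are assumptions chosen for the example.

```yaml
# Added example: enforce the "restricted" Pod Security Standard on a namespace.
# Pods that do not meet the profile are rejected at admission time; "warn" and
# "audit" surface the same findings to the client and the audit log respectively.
apiVersion: v1
kind: Namespace
metadata:
  name: payments                        # assumed namespace name
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# A pod spec that satisfies the "restricted" profile. A shell started inside this
# container runs as a non-root user with no Linux capabilities, which limits what
# an untrusted shell can do even if it is launched.
apiVersion: v1
kind: Pod
metadata:
  name: api                             # assumed pod name
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: api
      image: registry.example.com/api:1.0   # placeholder image reference
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

Apply with `kubectl apply -f` and confirm the labels took effect with `kubectl get ns payments --show-labels`; a pod that requests `privileged: true` or omits `runAsNonRoot` in this namespace is rejected with a message naming the violated control.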
Implement OPA/Gatekeeper Policies
Open Policy Agent (OPA) and Gatekeeper can be used to enforce custom policies. For example, you can create a policy that restricts the execution of untrusted shell commands: