Event Information

Meaning

  • The “Run shell untrusted” event in a Kubernetes cluster indicates that a shell command was executed within a container running in the cluster, and it was flagged as untrusted.
  • This event typically occurs when a user or process attempts to run a shell command that is not allowed or violates the security policies defined for the cluster.
  • It is important to investigate this event further to determine the source of the command and assess whether it poses a security risk or violates any compliance standards.

To investigate further, you can:

  • Use the kubectl get pods command to identify the pod in which the event occurred.
  • Use the kubectl logs <pod-name> command to view the logs of the container and look for any suspicious or unauthorized shell commands.
  • Review the security policies and access controls in place to ensure that only trusted and authorized commands are allowed to be executed within the cluster.

Remediation

  1. Create a Kubernetes Deployment manifest file with the necessary specifications for running a Python script:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: remediation-script
spec:
  replicas: 1
  selector:
    matchLabels:
      app: remediation-script
  template:
    metadata:
      labels:
        app: remediation-script
    spec:
      containers:
      - name: remediation-script
        image: python:3.9
        command: ["python", "-c"]
        args: ["print('Remediation script executed successfully!')"]
  1. Apply the Deployment manifest using the kubectl apply command:
kubectl apply -f deployment.yaml
  1. Verify that the Deployment is running and the remediation script has executed successfully:
kubectl get pods
kubectl logs <pod-name>

Note: Replace <pod-name> with the actual name of the pod created by the Deployment.