
Kubernetes Shell Running on Worker Node

Splunk Security Content

Summary
The rule 'Kubernetes Shell Running on Worker Node' detects shell processes running on Kubernetes worker nodes. It works from process metrics collected by an OpenTelemetry (OTEL) collector rather than from audit logs or execve events: the collector reports the CPU and memory utilization of every process it scrapes, and the rule filters those metrics to processes whose executable name is one of the common shells 'sh', 'bash', 'csh' and 'tcsh', grouped by cluster, node, process ID and executable name. A shell on a worker node is worth examining because it is a common foothold for unauthorized access or interactive command execution, which can lead to data theft or privilege escalation within the cluster. The rule fires when the CPU utilization or the memory utilization of a matching shell process is greater than zero, i.e. when the process is alive and resident. Note that any running process has non-zero memory utilization, so in practice the threshold matches every shell the scraper can see, including idle ones; the value of the rule lies in the node and process context it returns, and it will need tuning (for example, excluding nodes or images that legitimately run shell-based init or health-check scripts) before it is used for alerting. Implementation requires deploying the OTEL collector on the nodes, enabling process metric collection (the process.cpu.utilization and process.memory.utilization metrics are optional in the collector's host metrics process scraper and must be turned on), and sending the metrics to Splunk Infrastructure Monitoring so the rule can query them. This gives security teams a metrics-based signal for shell activity on worker nodes that complements log-based Kubernetes detections.
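To make the detection logic concrete, the following is an added Python example (not the rule's own SPL and not Splunk's code) that re-implements the summary above over constructed OTEL process-metric samples: it keeps only the four shell executable names, aggregates utilization per cluster, node, PID and executable over a 10-second window, and reports every group whose average CPU or memory utilization is above zero. The attribute names follow the OTEL host metrics process scraper (k8s.cluster.name, k8s.node.name, process.pid, process.executable.name, process.cpu.utilization, process.memory.utilization); the sample values, node names and the 10-second span are assumptions for the example, and the idle-shell sample shows the caveat that a live but idle shell still fires because its memory utilization is non-zero.

```python
# Added example: stand-alone re-implementation of the detection logic described
# in the summary, run over constructed OTEL process-metric samples. This is not
# the Splunk rule's SPL; attribute names mirror the OTEL host metrics process scraper.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Executable names the rule treats as shells.
SHELL_NAMES = frozenset({"sh", "bash", "csh", "tcsh"})


@dataclass(frozen=True)
class ProcessSample:
    """One process data point (constructed for this example)."""
    ts: int        # epoch seconds
    cluster: str   # k8s.cluster.name
    node: str      # k8s.node.name
    pid: int       # process.pid
    exe: str       # process.executable.name
    cpu: float     # process.cpu.utilization, 0.0 to 1.0
    mem: float     # process.memory.utilization, 0.0 to 1.0


# Constructed samples covering two 10-second windows on three worker nodes.
SAMPLES = [
    # Interactive bash on worker-1: busy in the first window, idle in the second.
    ProcessSample(1700000000, "prod", "worker-1", 4242, "bash", 0.03, 0.002),
    ProcessSample(1700000005, "prod", "worker-1", 4242, "bash", 0.01, 0.002),
    ProcessSample(1700000010, "prod", "worker-1", 4242, "bash", 0.00, 0.002),
    # A non-shell process on the same node: never considered by the rule.
    ProcessSample(1700000000, "prod", "worker-1", 1, "kubelet", 0.10, 0.030),
    # A defunct sh on worker-2 reporting zero for both metrics: filtered out.
    ProcessSample(1700000000, "prod", "worker-2", 9001, "sh", 0.00, 0.000),
    # A tcsh on worker-3 with CPU but a zero memory sample: still fires (OR condition).
    ProcessSample(1700000010, "prod", "worker-3", 777, "tcsh", 0.02, 0.000),
]


def detect_shells(samples, span=10):
    """Return one finding per (cluster, node, pid, executable, window) whose
    average CPU or memory utilization over a `span`-second window is > 0."""
    buckets = defaultdict(list)
    for s in samples:
        if s.exe not in SHELL_NAMES:        # only the four shell names
            continue
        window = s.ts - (s.ts % span)       # align the timestamp to the span
        buckets[(s.cluster, s.node, s.pid, s.exe, window)].append(s)

    findings = []
    for (cluster, node, pid, exe, window), points in sorted(buckets.items()):
        avg_cpu = mean(p.cpu for p in points)
        avg_mem = mean(p.mem for p in points)
        # The rule's condition: either metric above zero means an active process.
        if avg_cpu > 0 or avg_mem > 0:
            findings.append({
                "k8s.cluster.name": cluster,
                "k8s.node.name": node,
                "process.pid": pid,
                "process.executable.name": exe,
                "window_start": window,
                "process.cpu.utilization": round(avg_cpu, 4),
                "process.memory.utilization": round(avg_mem, 4),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_shells(SAMPLES):
        print(finding)
```

Running it yields three findings: the busy bash window, the idle bash window (memory utilization is still non-zero, which is why the rule is noisy on its own), and the tcsh on worker-3; the kubelet is ignored by name and the defunct sh is dropped by the utilization check. A production deployment would add an allowlist on top of this output for nodes or workloads that are expected to run shells.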
Categories
  • Kubernetes
  • Cloud
  • Infrastructure
Data Sources
  • Process
  • Sensor Health
ATT&CK Techniques
  • T1204 (User Execution)
Created: 2024-11-14