
Summary
Detects egress network connections from Linux hosts to the Kubernetes Kubelet API ports 10250/10255 on internal IP ranges. The detection targets processes commonly used to fetch or execute remote commands (curl, wget, python, node, etc.) that originate from world-writable or ephemeral directories such as /tmp, /var/tmp, /dev/shm, and /var/run. The rule is designed to flag potential container/cluster lateral movement in which an attacker enumerates pods, retrieves logs, or executes commands via the Kubelet API. It models suspicious activity as an egress connection to a Kubelet endpoint from a non-pod context, with emphasis on non-standard or rare process paths, interpreters, and downloaders.

False positives include legitimate node health checks, in-cluster agents, and troubleshooting sessions that legitimately access the Kubelet.

The rule maps to the MITRE ATT&CK techniques T1021 (Remote Services) for lateral movement and T1613 (Container and Resource Discovery), under the tactics TA0008 (Lateral Movement) and TA0007 (Discovery). Operationally, it correlates network telemetry (destination IP/port, direction) with process telemetry (process.name, executable, and path).

The recommended response includes restricting access to ports 10250/10255 with network policies, rotating exposed Kubernetes credentials, and investigating for follow-on cluster discovery or command execution. The rule is intended for Elastic Defend/Auditd Manager deployments and is annotated with setup guidance for emitting network connection events and validating destination and process context. It is labeled with a medium risk score and includes references to the Kubernetes kubelet documentation and MITRE technique details to aid analyst investigation and remediation.
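To make the network/process correlation concrete, the following is an added Python example, not the rule's own query and not Elastic code, that applies the summary's conditions to flattened ECS-style events. Assumptions: "internal IP ranges" is read as the RFC 1918 private ranges; the process list is the summary's named processes plus python3; the "non-pod context" condition is not modelled (it needs container/cgroup fields the summary does not name); field names follow ECS, but the sample events are constructed rather than real telemetry.

```python
import ipaddress
from typing import Dict, List

# Kubelet API ports named in the rule summary.
KUBELET_PORTS = {10250, 10255}

# Assumption: the summary's "internal IP ranges" is read as the RFC 1918 private ranges.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Downloaders/interpreters the summary lists; "python3" is an assumed variant of "python".
SUSPICIOUS_PROCESSES = {"curl", "wget", "python", "python3", "node"}

# World-writable or ephemeral directories listed in the summary. The trailing slash
# keeps a path like "/tmpfoo/x" from matching "/tmp".
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/")


def is_internal(ip: str) -> bool:
    """True when the address parses and falls inside one of INTERNAL_RANGES."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_RANGES)


def matches_rule(event: Dict[str, object]) -> bool:
    """Apply the summary's conditions to one flattened ECS-style event.

    Every condition must hold: egress direction, a Kubelet port, an internal
    destination, a listed downloader/interpreter, and an executable that lives
    under an ephemeral directory. Malformed ports or addresses never match.
    """
    if event.get("network.direction") != "egress":
        return False
    try:
        port = int(event.get("destination.port", -1))
    except (TypeError, ValueError):
        return False
    if port not in KUBELET_PORTS:
        return False
    if not is_internal(str(event.get("destination.ip", ""))):
        return False
    if event.get("process.name") not in SUSPICIOUS_PROCESSES:
        return False
    executable = str(event.get("process.executable", ""))
    return executable.startswith(SUSPICIOUS_DIRS)


def find_matches(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that satisfy every condition, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry): two hits plus one miss per condition.
SAMPLE_EVENTS = [
    {"network.direction": "egress", "destination.ip": "10.0.1.5", "destination.port": 10250,
     "process.name": "curl", "process.executable": "/tmp/curl"},            # hit
    {"network.direction": "egress", "destination.ip": "10.0.1.5", "destination.port": 10250,
     "process.name": "curl", "process.executable": "/usr/bin/curl"},        # miss: system path
    {"network.direction": "egress", "destination.ip": "203.0.113.7", "destination.port": 10250,
     "process.name": "python3", "process.executable": "/dev/shm/python3"},  # miss: not internal
    {"network.direction": "ingress", "destination.ip": "192.168.1.10", "destination.port": 10255,
     "process.name": "node", "process.executable": "/var/tmp/node"},        # miss: ingress
    {"network.direction": "egress", "destination.ip": "192.168.1.10", "destination.port": 10255,
     "process.name": "node", "process.executable": "/var/tmp/node"},        # hit
    {"network.direction": "egress", "destination.ip": "10.0.1.5", "destination.port": 10248,
     "process.name": "curl", "process.executable": "/tmp/curl"},            # miss: not a Kubelet API port
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT {hit['process.executable']} -> {hit['destination.ip']}:{hit['destination.port']}")
```

The second sample event is the interesting one for tuning: a stock /usr/bin/curl reaching the Kubelet does not fire, because the path condition is what separates a copied binary in /tmp from the node health checks and in-cluster agents the summary lists as false positives. If a deployment sees noise from troubleshooting sessions, the exclusion belongs on the process path or the source host, not on the port.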
Categories
- Endpoint
- Linux
- Kubernetes
- Containers
Data Sources
- Network Traffic
- Process
ATT&CK Techniques
- T1021
- T1613
Created: 2026-04-28