
Kubelet Certificate File Access Detected via Defend for Containers
Elastic Detection Rules
Summary
This rule detects attempts to read the kubelet's certificate and key files from inside a container. The kubelet authenticates to the Kubernetes API server with its client certificate, so a copy of that credential lets an attacker act with the node's identity: enumerate and modify the workloads the node is allowed to see, read secrets mounted to its pods, and pivot further into the cluster. The rule fires when an interactive process running in a Linux container opens a file in the kubelet's PKI directory. That directory normally lives on the host, so a container can only reach it through a hostPath mount or a container escape, which is why the access is suspicious even before the file contents are used. Legitimate operations (node debugging pods, certificate rotation tooling run by an operator) can trigger the same event, so each alert must be validated against the operational context. Suggested investigation: review the commands the user ran leading up to the alert, correlate subsequent API server requests from the same workload or node identity, and check the audit log for actions taken with the credential. Remediation: isolate the affected workload immediately, rotate the kubelet's client certificate, and remove the hostPath mounts or privileged settings that exposed the directory so the same workload cannot reach it again.
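The detection logic described above, run over a handful of constructed events, as an added example. This is not Elastic's rule source; it is a toy re-implementation of the three conditions the summary names (Linux container, interactive process, file open under the kubelet PKI directory). The ECS-style field names, the `event.action == "open"` test and the default directory `/var/lib/kubelet/pki` are assumptions, and the sample events are made up rather than real telemetry.

```python
"""Toy re-implementation of the Kubelet PKI file-access detection.

Added example only. Field names (ECS style), the "open" action and the
default PKI directory are assumptions, not the real rule's definitions.
"""
import os
from typing import Iterable

# Assumed default kubelet PKI location; the rule text only says "the kubelet's PKI directory".
KUBELET_PKI_DIR = "/var/lib/kubelet/pki"


def in_pki_dir(path: str) -> bool:
    """True if path resolves to a file *under* KUBELET_PKI_DIR.

    normpath collapses ".." and duplicate slashes, so
    "/var/lib/kubelet/pki/../config.yaml" is correctly rejected.
    """
    norm = os.path.normpath(path)
    return norm.startswith(KUBELET_PKI_DIR + os.sep)


def is_candidate(event: dict) -> bool:
    """Apply the rule's conditions: a file open, by an interactive process,
    inside a Linux container, targeting a file in the kubelet PKI directory."""
    return (
        event.get("event.action") == "open"
        and event.get("host.os.type") == "linux"
        and bool(event.get("container.id"))
        and event.get("process.interactive") is True
        and in_pki_dir(event.get("file.path", ""))
    )


def detect(events: Iterable[dict]) -> list[dict]:
    """Return the events that would raise an alert."""
    return [e for e in events if is_candidate(e)]


def by_workload(matches: Iterable[dict]) -> dict[str, list[str]]:
    """Group hits by container so an analyst can pivot to that workload's
    subsequent API server requests, as the investigation steps suggest."""
    out: dict[str, list[str]] = {}
    for e in matches:
        out.setdefault(e["container.id"], []).append(f'{e["process.name"]} -> {e["file.path"]}')
    return out


# Constructed sample events (not real telemetry). Common fields first.
_BASE = {"event.action": "open", "host.os.type": "linux"}
CERT = "/var/lib/kubelet/pki/kubelet-client-current.pem"
SAMPLE_EVENTS = [
    # 1: interactive shell inside a container reads the kubelet client cert -> alert
    {**_BASE, "container.id": "c1a2b3", "process.name": "cat",
     "process.interactive": True, "file.path": CERT},
    # 2: the kubelet itself (host process, no container, not interactive) -> no alert
    {**_BASE, "container.id": "", "process.name": "kubelet",
     "process.interactive": False, "file.path": CERT},
    # 3: interactive process in a container, unrelated file -> no alert
    {**_BASE, "container.id": "c1a2b3", "process.name": "cat",
     "process.interactive": True, "file.path": "/etc/passwd"},
    # 4: traversal that lands outside the PKI dir after normalisation -> no alert
    {**_BASE, "container.id": "c1a2b3", "process.name": "cat",
     "process.interactive": True, "file.path": "/var/lib/kubelet/pki/../config.yaml"},
    # 5: non-interactive sidecar copying the cert -> no alert; this is the rule's blind spot
    {**_BASE, "container.id": "d4e5f6", "process.name": "cp",
     "process.interactive": False, "file.path": CERT},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f'ALERT container={h["container.id"]} {h["process.name"]} opened {h["file.path"]}')
    print(by_workload(hits))
```

Event 5 is the caveat to keep in mind: because the rule, as described, keys on interactive processes, a scripted copy of the same certificate by a non-interactive process would not fire, so this rule should be paired with controls that prevent the PKI directory from being mounted into pods in the first place.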
Categories
- Containers
- Cloud
- Kubernetes
- Linux
Data Sources
- Container
- File
- Process
ATT&CK Techniques
- T1613
Created: 2026-02-02