Kubernetes Pod Using Host PID Namespace

Panther Rules

Summary
This detection rule focuses on monitoring the creation or modification of Kubernetes pods that utilize the host PID namespace. Using the host PID namespace allows a pod and its containers to share the same view of processes as the host, which presents potential security risks, such as privilege escalation or escaping the pod's confines to access host resources. The rule is enabled and documented as an experimental capability aimed at providing visibility into such actions. Detailed logging and testing are set up for various Kubernetes environments including Amazon EKS, Azure AKS, and Google GKE. The documented runbook provides steps for further investigation after an alert is triggered, examining the context of the operations and the intent of the user responsible for the actions.
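The check described in the summary, as an added example that is not the Panther rule's own code: it flags pod create, update, or patch requests that set `spec.hostPID` and returns the user and object context an analyst would start from. It assumes native Kubernetes audit events (`audit.k8s.io/v1`); the `_event` helper, user name, pod names, and all sample events are constructed for illustration.

```python
# Added example: flag pod writes that request the host PID namespace.
# Assumes native Kubernetes audit events (audit.k8s.io/v1); all data is constructed.
WRITE_VERBS = {"create", "update", "patch"}  # "creation or modification"

def _event(verb, resource, name, spec, code, user="dev-user@example.com"):
    """Build a constructed audit event for the samples below (hypothetical helper)."""
    return {
        "verb": verb,
        "user": {"username": user},
        "objectRef": {"resource": resource, "namespace": "default", "name": name},
        "requestObject": {"spec": spec} if spec is not None else None,
        "responseStatus": {"code": code},
    }

SAMPLE_EVENTS = [
    _event("create", "pods", "debug-pod", {"hostPID": True, "containers": []}, 201),
    _event("create", "pods", "web-pod", {"containers": []}, 201),
    _event("create", "pods", "denied-pod", {"hostPID": True}, 403),
    _event("get", "pods", "debug-pod", None, 200),
    _event("create", "configmaps", "settings", {"hostPID": True}, 201),
]

def uses_host_pid(event):
    """True when a successful pod create/update/patch sets spec.hostPID to true."""
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "pods" or ref.get("subresource"):
        return False  # skip non-pod objects and subresources such as pods/exec
    if event.get("verb") not in WRITE_VERBS:
        return False
    code = (event.get("responseStatus") or {}).get("code", 0)
    if not 200 <= code < 300:
        return False  # choice made for this example: rejected requests are not alerted
    spec = (event.get("requestObject") or {}).get("spec") or {}
    return spec.get("hostPID") is True

def find_alerts(events):
    """Return triage context (who, what, where) for each matching event."""
    return [
        {
            "user": (e.get("user") or {}).get("username"),
            "verb": e["verb"],
            "namespace": e["objectRef"].get("namespace"),
            "pod": e["objectRef"].get("name"),
        }
        for e in events if uses_host_pid(e)
    ]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Managed services wrap audit events in their own log envelopes, so the field paths here would need mapping before this logic is applied to EKS, AKS, or GKE logs.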
Categories
  • Kubernetes
  • Cloud
  • Containers
Data Sources
  • Pod
  • Container
  • Process
ATT&CK Techniques
  • T1611
  • T1610
Created: 2026-02-18