heroui logo

GKE Pod Created with a Sensitive hostPath Volume

Elastic Detection Rules

View Source
Summary
Detects GKE pod creation, update, or patch events that mount sensitive hostPath volumes (e.g., root filesystem, kubelet paths, or container runtime sockets). This can enable container escape and credential theft. The rule analyzes GCP audit logs (gcp.audit) for pod lifecycle actions (io.k8s.core.v1.pods.create/update/patch) and flags mounts to sensitive host paths such as /, /proc, /root, /var, various /var/run sockets, and kubelet directories. It excludes system identities and controller-owned workloads by filtering out ownerReferences kinds like ReplicaSet, DaemonSet, and StatefulSet to reduce noise. The detection aligns with MITRE techniques T1611 (Escape to Host) and T1610 (Deploy Container), highlighting both privilege escalation and execution risks. Triage steps include inspecting gcp.audit.request.spec.volumes.hostPath.path, confirming whether the hostPath mount is necessary for the workload, and reviewing user.email, namespace, and any follow-on secret or exec activity. False positives commonly arise from Node agents and observability DaemonSets mounting host paths; maintain noise reduction by validating against known legitimate agents and adding image exclusions if needed. Setup requires enabling the GCP Fleet integration with GKE audit logs to ensure compatibility with the rule.
Categories
  • Cloud
  • Kubernetes
  • Containers
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1611
  • T1610
Created: 2026-06-30