Kubernetes API Server Proxying Request to Kubelet

Elastic Detection Rules

Summary
This rule detects non-system identities using the Kubernetes API server's nodes/proxy subresource to proxy requests directly to a worker node's Kubelet. The nodes/proxy path allows any principal with nodes/proxy RBAC permission to reach the Kubelet API on a node without direct network access or Kubelet TLS certificates. An attacker could list pod specifications (including environment variable secrets), read Kubelet configuration and PKI material, retrieve container logs, and access running pod metadata across workloads on the target node. The rule excludes common observability endpoints (e.g., /metrics, /healthz, /stats) to reduce noise from legitimate tooling. It is implemented as a Kuery query over Kubernetes audit logs (logs-kubernetes.audit_logs-*) and filters for audit events where objectRef.subresource is
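The same filtering logic, as an added Python example rather than Elastic's own Kuery query: it replays the rule's conditions (nodes/proxy subresource, non-system caller, observability endpoints excluded) over constructed audit-log lines shaped like upstream audit.k8s.io/v1 Event records, not the Elastic index mapping. The system-identity approximation, the stage de-duplication and the sample data are assumptions of this example.

```python
import json
import re

OBSERVABILITY_PATHS = ("/metrics", "/healthz", "/stats")  # endpoints the rule excludes as routine observability traffic

def is_system_identity(username: str) -> bool:
    # Assumed approximation: built-in system:* principals and kube-system service accounts.
    if username.startswith("system:serviceaccount:"):
        return username.startswith("system:serviceaccount:kube-system:")
    return username.startswith("system:")

def kubelet_path(request_uri: str) -> str:
    # /api/v1/nodes/worker-1/proxy/pods?x=1 -> /pods (the part forwarded to the Kubelet)
    m = re.search(r"/proxy(/[^?]*)?(?:\?|$)", request_uri)
    return (m.group(1) or "/") if m else ""

def is_nodes_proxy_alert(event: dict) -> bool:
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "nodes" or ref.get("subresource") != "proxy":
        return False
    if is_system_identity((event.get("user") or {}).get("username", "")):
        return False
    return not kubelet_path(event.get("requestURI", "")).startswith(OBSERVABILITY_PATHS)

def scan(audit_lines: list[str]) -> list[tuple[str, str, str]]:
    # Apply the detection to JSON-lines audit events; returns (user, node, kubelet path) per hit.
    hits = []
    for line in filter(str.strip, audit_lines):
        ev = json.loads(line)
        if ev.get("stage", "ResponseComplete") != "ResponseComplete":
            continue  # the API server logs several stages per request; count each request once
        if is_nodes_proxy_alert(ev):
            hits.append((ev["user"]["username"], ev["objectRef"]["name"], kubelet_path(ev["requestURI"])))
    return hits

def _event(user, resource, name, uri, subresource=None, stage="ResponseComplete") -> str:
    # Builds one constructed audit.k8s.io/v1-shaped event line (sample data, not real logs).
    ref = {"resource": resource, "name": name, **({"subresource": subresource} if subresource else {})}
    return json.dumps({"stage": stage, "user": {"username": user}, "objectRef": ref, "requestURI": uri})

SAMPLE_AUDIT_LINES = [
    _event("dev-alice", "nodes", "worker-1", "/api/v1/nodes/worker-1/proxy/pods", "proxy"),
    _event("system:serviceaccount:monitoring:prometheus", "nodes", "worker-1",
           "/api/v1/nodes/worker-1/proxy/metrics/cadvisor", "proxy"),
    _event("system:serviceaccount:kube-system:metrics-server", "nodes", "worker-2",
           "/api/v1/nodes/worker-2/proxy/stats/summary", "proxy"),
    _event("dev-alice", "nodes", "worker-2", "/api/v1/nodes/worker-2/proxy/configz", "proxy", "RequestReceived"),
    _event("dev-alice", "nodes", "worker-2", "/api/v1/nodes/worker-2/proxy/configz", "proxy"),
]
```

Running `scan(SAMPLE_AUDIT_LINES)` flags only the two dev-alice requests (the /pods and /configz reads); the Prometheus scrape of /metrics and the kube-system service account are dropped, and the RequestReceived duplicate is counted once.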
Categories
  • Kubernetes
  • Endpoint
  • Containers
Data Sources
  • Application Log
ATT&CK Techniques
  • T1552
  • T1611
  • T1550
  • T1550.001
  • T1613
Created: 2026-05-05