
Summary
Detects potential direct Kubelet API access attempts on Linux by inspecting process executions whose arguments contain URLs targeting the Kubelet ports (10250/10255). The rule focuses on process.start events on Linux in which commands such as curl, wget, or scripting runtimes access endpoints such as /pods, /metrics, /exec, or /containerLogs on a node or cluster. This behavior can indicate an adversary enumerating pods, gathering logs, or attempting remote execution, which supports discovery and potential lateral movement within Kubernetes environments. The detection correlates process arguments with HTTP(S) or WebSocket targets on the Kubelet API and flags suspicious combinations of user/session context and destination. It uses data from auditd/endpoint process logs and maps to the MITRE techniques Remote Services (T1021), Container and Resource Discovery (T1613), and Command and Scripting Interpreter (T1059, Unix Shell). The rule includes triage guidance, false-positive considerations (e.g., cluster operators or health checks), and recommended containment and hardening steps (limit Kubelet access, rotate credentials, enforce Kubelet authn/authz, and verify RBAC). The remediation path emphasizes network controls and credential hygiene to mitigate potential abuse.
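The following is an added illustration of the matching logic the summary describes, run over a few constructed process.start events; it is not the rule's own query. Field names (process_name, user, command_line), the list of client processes treated as "scripting runtimes", and the operator/health-check allowlist are assumptions made for the example.

```python
"""Added example: a toy detector for process.start events whose arguments carry
URLs aimed at the Kubelet API (ports 10250/10255). Assumed field names and
client list; not the detection rule's own implementation."""
import shlex
from urllib.parse import urlparse

KUBELET_PORTS = {10250, 10255}
# Endpoints named in the rule summary.
KUBELET_PATHS = ("/pods", "/metrics", "/exec", "/containerLogs")
# Assumption: which binaries count as curl/wget/"scripting runtimes".
CLIENT_PROCESSES = {"curl", "wget", "python", "python3", "perl", "ruby", "node"}
# HTTP(S) and WebSocket targets, as the summary states.
URL_SCHEMES = {"http", "https", "ws", "wss"}


def kubelet_targets(command_line: str):
    """Return (url, path) pairs from a command line that point at a Kubelet port."""
    try:
        tokens = shlex.split(command_line)
    except ValueError:  # unbalanced quotes; fall back to whitespace split
        tokens = command_line.split()
    hits = []
    for tok in tokens:
        parsed = urlparse(tok)
        if parsed.scheme not in URL_SCHEMES:
            continue
        try:
            port = parsed.port  # raises ValueError on a malformed port
        except ValueError:
            continue
        if port in KUBELET_PORTS:
            hits.append((tok, parsed.path))
    return hits


def techniques_for(path: str):
    """Map the requested Kubelet endpoint onto the ATT&CK techniques the rule cites."""
    tags = ["T1021"]  # Remote Services: any direct Kubelet API access
    if path.startswith("/exec"):
        tags.append("T1059")  # remote command execution on the node
    if path.startswith(("/pods", "/metrics", "/containerLogs")):
        tags.append("T1613")  # container / resource discovery
    return tags


def evaluate(event: dict, allowlist=frozenset()):
    """Score one process.start event; returns an alert dict or None."""
    if event.get("process_name") not in CLIENT_PROCESSES:
        return None
    if event.get("user") in allowlist:
        return None  # documented false-positive source: operators and health checks
    targets = kubelet_targets(event.get("command_line", ""))
    targets = [t for t in targets if t[1].startswith(KUBELET_PATHS)]
    if not targets:
        return None
    url, path = targets[0]
    return {
        "user": event.get("user"),
        "process": event["process_name"],
        "url": url,
        "techniques": techniques_for(path),
    }


def run(events, allowlist=frozenset()):
    """Evaluate a batch of events and return the alerts raised."""
    return [a for a in (evaluate(e, allowlist) for e in events) if a]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"user": "root", "process_name": "curl",
     "command_line": "curl -k https://10.0.0.5:10250/pods"},
    {"user": "app", "process_name": "curl",
     "command_line": "curl -k -X POST https://node1:10250/exec/default/web/app"},
    {"user": "prometheus", "process_name": "wget",
     "command_line": "wget -qO- http://127.0.0.1:10255/metrics"},
    {"user": "dev", "process_name": "curl",
     "command_line": "curl https://api.internal:6443/api/v1/pods"},  # API server, not Kubelet
    {"user": "root", "process_name": "ssh",
     "command_line": "ssh node1"},  # not a client process the rule covers
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, allowlist=frozenset({"prometheus"})):
        print(alert)
```

The allowlist is where the summary's false-positive guidance lands: a metrics scraper hitting /metrics on the read-only port under a known service account is dropped, while the same request from an interactive user is kept. In production the user/session context would come from the process event itself rather than a static set.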
Categories
- Endpoint
- Containers
- Kubernetes
- Linux
Data Sources
- Process
ATT&CK Techniques
- T1021
- T1613
- T1059
- T1059.004
Created: 2026-04-28