GCP K8S Privileged Pod Created
Alerts when a user creates a privileged pod. These particular pods have full access to the host’s namespaces and devices, have the ability to exploit the kernel, have dangerous Linux capabilities, and can be a powerful launching point for further attacks. In the event of a successful container escape where a user is operating with root privileges, the attacker retains this role on the node.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1548 Abuse Elevation Control Mechanism |
Rule body

```yaml
AnalysisType: rule
RuleID: "GCP.K8S.Privileged.Pod.Created"
DisplayName: "GCP K8S Privileged Pod Created"
Enabled: false
Status: Deprecated
LogTypes:
  - GCP.AuditLog
Severity: High
Tags:
  - Deprecated
Filename: gcp_k8s_privileged_pod_created.py
Description: >
  Alerts when a user creates a privileged pod. These particular pods have full access to the host's namespaces and
  devices, have the ability to exploit the kernel, have dangerous Linux capabilities, and can be a powerful launching
  point for further attacks. In the event of a successful container escape where a user is operating with root
  privileges, the attacker retains this role on the node.
Runbook: |
  Investigate the reason for creating a privileged pod. Advise that it is a discouraged practice.
  Create a ticket if appropriate.
Reference: https://www.golinuxcloud.com/kubernetes-privileged-pod-examples/
Reports:
  MITRE ATT&CK:
    - TA0004:T1548 # Abuse Elevation Control Mechanism
DedupPeriodMinutes: 360
Tests:
  - Name: Privileged Pod Created
    ExpectedResult: true
    Log:
      {
        "logName": "projects/some-project/logs/cloudaudit.googleapis.com%2Factivity",
        "operation": {},
        "protoPayload":
          {
            "at_sign_type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "authenticationInfo": { "principalEmail": "john.doe@company.com" },
            "authorizationInfo":
              [
                {
                  "granted": true,
                  "permission": "io.k8s.core.v1.pods.create",
                  "resource": "core/v1/namespaces/default/pods/test-privileged-pod",
                },
              ],
            "methodName": "io.k8s.core.v1.pods.create",
            "request":
              {
                "@type": "core.k8s.io/v1.Pod",
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata":
                  { "name": "test-privileged-pod", "namespace": "default" },
                "spec":
                  {
                    "containers":
                      [
                        {
                          "image": "nginx",
                          "imagePullPolicy": "Always",
                          "name": "nginx",
                          "resources": {},
                          "securityContext": { "privileged": true },
                        },
                      ],
                    "securityContext": {},
                  },
                "status": {},
              },
            "requestMetadata": { "callerIP": "1.2.3.4" },
            "resourceName": "core/v1/namespaces/default/pods/test-privileged-pod",
            "response":
              {
                "@type": "core.k8s.io/v1.Pod",
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata": {},
                "spec":
                  {
                    "containers":
                      [
                        {
                          "image": "nginx",
                          "imagePullPolicy": "Always",
                          "name": "nginx",
                          "resources": {},
                          "securityContext": { "privileged": true },
                        },
                      ],
                    "securityContext": {},
                    "serviceAccount": "default",
                    "serviceAccountName": "default",
                    "terminationGracePeriodSeconds": 30,
                  },
                "status": {},
              },
            "serviceName": "k8s.io",
            "status": {},
          },
        "receiveTimestamp": "2024-02-13 12:45:20.058795785",
        "resource":
          {
            "labels":
              {
                "cluster_name": "some-project-cluster",
                "location": "us-west1",
                "project_id": "some-project",
              },
            "type": "k8s_cluster",
          },
        "timestamp": "2024-02-13 12:45:06.073905000",
      }
  - Name: Run-As-Root Pod Created
    ExpectedResult: true
    Log:
      {
        "logName": "projects/some-project/logs/cloudaudit.googleapis.com%2Factivity",
        "operation": {},
        "protoPayload":
          {
            "at_sign_type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "authenticationInfo": { "principalEmail": "john.doe@company.com" },
            "authorizationInfo":
              [
                {
                  "granted": true,
                  "permission": "io.k8s.core.v1.pods.create",
                  "resource": "core/v1/namespaces/default/pods/test-runasroot-pod",
                },
              ],
            "methodName": "io.k8s.core.v1.pods.create",
            "request":
              {
                "@type": "core.k8s.io/v1.Pod",
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata": {},
                "spec":
                  {
                    "containers":
                      [
                        {
                          "image": "nginx",
                          "imagePullPolicy": "Always",
                          "name": "nginx",
                          "resources": {},
                          "securityContext": { "runAsNonRoot": false },
                        },
                      ],
                  },
                "status": {},
              },
            "requestMetadata": { "callerIP": "1.2.3.4" },
            "resourceName": "core/v1/namespaces/default/pods/test-runasroot-pod",
            "response":
              {
                "@type": "core.k8s.io/v1.Pod",
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata": {},
                "spec":
                  {
                    "containers":
                      [
                        {
                          "image": "nginx",
                          "imagePullPolicy": "Always",
                          "name": "nginx",
                          "resources": {},
                          "securityContext": { "runAsNonRoot": false },
                        },
                      ],
                  },
                "status": { "phase": "Pending", "qosClass": "BestEffort" },
              },
            "serviceName": "k8s.io",
            "status": {},
          },
        "receiveTimestamp": "2024-02-13 13:13:53.113465457",
        "resource":
          {
            "labels":
              {
                "cluster_name": "some-project-cluster",
                "location": "us-west1",
                "project_id": "some-project",
              },
            "type": "k8s_cluster",
          },
        "timestamp": "2024-02-13 13:13:45.363388000",
      }
  - Name: Non-Privileged Pod Created
    ExpectedResult: false
    Log:
      {
        "logName": "projects/some-project/logs/cloudaudit.googleapis.com%2Factivity",
        "operation":
          {
            "first": true,
            "id": "7f8c5bec-01ff-4079-97e3-065ac34e10e8",
            "last": true,
            "producer": "k8s.io",
          },
        "protoPayload":
          {
            "at_sign_type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "authenticationInfo": { "principalEmail": "john.doe@company.com" },
            "authorizationInfo":
              [
                {
                  "granted": true,
                  "permission": "io.k8s.core.v1.pods.create",
                  "resource": "core/v1/namespaces/default/pods/test-non-privileged-pod",
                },
              ],
            "methodName": "io.k8s.core.v1.pods.create",
            "request":
              {
                "@type": "core.k8s.io/v1.Pod",
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata":
                  { "name": "test-non-privileged-pod", "namespace": "default" },
                "spec":
                  {
                    "containers":
                      [
                        {
                          "image": "nginx",
                          "imagePullPolicy": "Always",
                          "name": "nginx",
                          "resources": {},
                        },
                      ],
                  },
                "status": {},
              },
            "requestMetadata": { "callerIP": "1.2.3.4" },
            "resourceName": "core/v1/namespaces/default/pods/test-non-privileged-pod",
            "response":
              {
                "@type": "core.k8s.io/v1.Pod",
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata": {},
                "spec":
                  {
                    "containers":
                      [
                        {
                          "image": "nginx",
                          "imagePullPolicy": "Always",
                          "name": "nginx",
                          "resources": {},
                        },
                      ],
                  },
                "status": {},
              },
            "serviceName": "k8s.io",
            "status": {},
          },
        "receiveTimestamp": "2024-02-13 13:07:54.642331675",
        "resource":
          {
            "labels":
              {
                "cluster_name": "some-project-cluster",
                "location": "us-west1",
                "project_id": "some-project",
              },
            "type": "k8s_cluster",
          },
        "timestamp": "2024-02-13 13:07:29.505948000",
      }
  - Name: Error Creating Pod
    ExpectedResult: false
    Log:
      {
        "logName": "projects/some-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload":
          {
            "at_sign_type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "authenticationInfo": { "principalEmail": "john.doe@company.com" },
            "authorizationInfo":
              [
                {
                  "granted": true,
                  "permission": "io.k8s.core.v1.pods.create",
                  "resource": "core/v1/namespaces/default/pods/test-privileged-pod",
                },
              ],
            "methodName": "io.k8s.core.v1.pods.create",
            "request":
              {
                "@type": "core.k8s.io/v1.Pod",
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata":
                  { "name": "test-privileged-pod", "namespace": "default" },
                "spec":
                  {
                    "containers":
                      [
                        {
                          "image": "nginx",
                          "imagePullPolicy": "Always",
                          "name": "nginx",
                          "resources": {},
                          "securityContext": { "runAsNonRoot": false },
                        },
                      ],
                  },
                "status": {},
              },
            "requestMetadata": { "callerIP": "1.2.3.4" },
            "resourceName": "core/v1/namespaces/default/pods/test-privileged-pod",
            "response":
              {
                "@type": "core.k8s.io/v1.Status",
                "apiVersion": "v1",
                "code": 409,
                "details": { "kind": "pods", "name": "test-privileged-pod" },
                "kind": "Status",
                "message": 'pods "test-privileged-pod" already exists',
                "metadata": {},
                "reason": "AlreadyExists",
                "status": "Failure",
              },
            "serviceName": "k8s.io",
            "status":
              {
                "code": 10,
                "message": 'pods "test-privileged-pod" already exists',
              },
          },
        "receiveTimestamp": "2024-02-13 13:13:33.486605432",
        "resource":
          {
            "labels":
              {
                "cluster_name": "some-project-cluster",
                "location": "us-west1",
                "project_id": "some-project",
              },
            "type": "k8s_cluster",
          },
        "timestamp": "2024-02-13 13:13:24.079140000",
      }
  - Name: GCP Service Account Creating Privileged Pod (Excluded)
    ExpectedResult: false
    Log:
      {
        "logName": "projects/some-project/logs/cloudaudit.googleapis.com%2Factivity",
        "operation": {},
        "protoPayload":
          {
            "at_sign_type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "authenticationInfo": { "principalEmail": "container-engine-robot@some-project.iam.gserviceaccount.com" },
            "authorizationInfo":
              [
                {
                  "granted": true,
                  "permission": "io.k8s.core.v1.pods.create",
                  "resource": "core/v1/namespaces/kube-system/pods/gke-metrics-agent",
                },
              ],
            "methodName": "io.k8s.core.v1.pods.create",
            "request":
              {
                "@type": "core.k8s.io/v1.Pod",
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata":
                  { "name": "gke-metrics-agent", "namespace": "kube-system" },
                "spec":
                  {
                    "containers":
                      [
                        {
                          "image": "gke.gcr.io/gke-metrics-agent:latest",
                          "imagePullPolicy": "Always",
                          "name": "gke-metrics-agent",
                          "resources": {},
                          "securityContext": { "privileged": true },
                        },
                      ],
                    "securityContext": {},
                  },
                "status": {},
              },
            "requestMetadata": { "callerIP": "10.0.0.1" },
            "resourceName": "core/v1/namespaces/kube-system/pods/gke-metrics-agent",
            "response":
              {
                "@type": "core.k8s.io/v1.Pod",
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata": {},
                "spec":
                  {
                    "containers":
                      [
                        {
                          "image": "gke.gcr.io/gke-metrics-agent:latest",
                          "imagePullPolicy": "Always",
                          "name": "gke-metrics-agent",
                          "resources": {},
                          "securityContext": { "privileged": true },
                        },
                      ],
                    "securityContext": {},
                    "serviceAccount": "gke-metrics-agent",
                    "serviceAccountName": "gke-metrics-agent",
                    "terminationGracePeriodSeconds": 30,
                  },
                "status": {},
              },
            "serviceName": "k8s.io",
            "status": {},
          },
        "receiveTimestamp": "2024-02-13 12:45:20.058795785",
        "resource":
          {
            "labels":
              {
                "cluster_name": "some-project-cluster",
                "location": "us-west1",
                "project_id": "some-project",
              },
            "type": "k8s_cluster",
          },
        "timestamp": "2024-02-13 12:45:06.073905000",
      }
  - Name: Privileged Pod in System Namespace (Excluded)
    ExpectedResult: false
    Log:
      {
        "logName": "projects/some-project/logs/cloudaudit.googleapis.com%2Factivity",
        "operation": {},
        "protoPayload":
          {
            "at_sign_type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "authenticationInfo": { "principalEmail": "system:serviceaccount:kube-system:deployment-controller" },
            "authorizationInfo":
              [
                {
                  "granted": true,
                  "permission": "io.k8s.core.v1.pods.create",
                  "resource": "core/v1/namespaces/gke-system/pods/network-agent",
                },
              ],
            "methodName": "io.k8s.core.v1.pods.create",
            "request":
              {
                "@type": "core.k8s.io/v1.Pod",
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata":
                  { "name": "network-agent", "namespace": "gke-system" },
                "spec":
                  {
                    "containers":
                      [
                        {
                          "image": "gke.gcr.io/network-agent:latest",
                          "imagePullPolicy": "Always",
                          "name": "network-agent",
                          "resources": {},
                          "securityContext": { "privileged": true },
                        },
                      ],
                    "securityContext": {},
                  },
                "status": {},
              },
            "requestMetadata": { "callerIP": "10.0.0.2" },
            "resourceName": "core/v1/namespaces/gke-system/pods/network-agent",
            "response":
              {
                "@type": "core.k8s.io/v1.Pod",
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata": {},
                "spec":
                  {
                    "containers":
                      [
                        {
                          "image": "gke.gcr.io/network-agent:latest",
                          "imagePullPolicy": "Always",
                          "name": "network-agent",
                          "resources": {},
                          "securityContext": { "privileged": true },
                        },
                      ],
                    "securityContext": {},
                    "serviceAccount": "network-agent",
                    "serviceAccountName": "network-agent",
                    "terminationGracePeriodSeconds": 30,
                  },
                "status": {},
              },
            "serviceName": "k8s.io",
            "status": {},
          },
        "receiveTimestamp": "2024-02-13 12:45:20.058795785",
        "resource":
          {
            "labels":
              {
                "cluster_name": "some-project-cluster",
                "location": "us-west1",
                "project_id": "some-project",
              },
            "type": "k8s_cluster",
          },
        "timestamp": "2024-02-13 12:45:06.073905000",
      }
```
Detection logic
Condition

```text
not (protoPayload.response.status eq "Failure"
     or protoPayload.methodName ne "io.k8s.core.v1.pods.create")

not ((protoPayload.authenticationInfo.principalEmail is_not_null
      and (protoPayload.authenticationInfo.principalEmail starts_with "system:kube-controller-manager"
           or protoPayload.authenticationInfo.principalEmail starts_with "system:kube-scheduler"
           or protoPayload.authenticationInfo.principalEmail starts_with "system:addon-manager"
           or protoPayload.authenticationInfo.principalEmail starts_with "system:serviceaccount:kube-system:"
           or protoPayload.authenticationInfo.principalEmail starts_with "system:serviceaccount:kube-public:"
           or protoPayload.authenticationInfo.principalEmail starts_with "system:serviceaccount:kube-node-lease:"
           or protoPayload.authenticationInfo.principalEmail starts_with "system:serviceaccount:gke-system:"
           or protoPayload.authenticationInfo.principalEmail starts_with "system:serviceaccount:gke-managed-system:"
           or protoPayload.authenticationInfo.principalEmail starts_with "system:serviceaccount:gmp-system:"
           or protoPayload.authenticationInfo.principalEmail starts_with "system:serviceaccount:gmp-public:"
           or protoPayload.authenticationInfo.principalEmail starts_with "system:serviceaccount:config-management-system:"
           or protoPayload.authenticationInfo.principalEmail starts_with "system:serviceaccount:istio-system:"
           or protoPayload.authenticationInfo.principalEmail starts_with "system:serviceaccount:asm-system:"))
     or protoPayload.resourceName is_not_null)

protoPayload.authorizationInfo is_not_null
```
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
| protoPayload.authenticationInfo.principalEmail | starts_with | system:addon-manager |
| protoPayload.authenticationInfo.principalEmail | starts_with | system:kube-controller-manager |
| protoPayload.authenticationInfo.principalEmail | starts_with | system:kube-scheduler |
| protoPayload.authenticationInfo.principalEmail | starts_with | system:serviceaccount:asm-system: |
| protoPayload.authenticationInfo.principalEmail | starts_with | system:serviceaccount:config-management-system: |
| protoPayload.authenticationInfo.principalEmail | starts_with | system:serviceaccount:gke-managed-system: |
| protoPayload.authenticationInfo.principalEmail | starts_with | system:serviceaccount:gke-system: |
| protoPayload.authenticationInfo.principalEmail | starts_with | system:serviceaccount:gmp-public: |
| protoPayload.authenticationInfo.principalEmail | starts_with | system:serviceaccount:gmp-system: |
| protoPayload.authenticationInfo.principalEmail | starts_with | system:serviceaccount:istio-system: |
| protoPayload.authenticationInfo.principalEmail | starts_with | system:serviceaccount:kube-node-lease: |
| protoPayload.authenticationInfo.principalEmail | starts_with | system:serviceaccount:kube-public: |
| protoPayload.authenticationInfo.principalEmail | starts_with | system:serviceaccount:kube-system: |
| protoPayload.authenticationInfo.principalEmail | is_not_null | |
| protoPayload.resourceName | is_not_null | |
| protoPayload.methodName | ne | io.k8s.core.v1.pods.create |
| protoPayload.response.status | eq | Failure |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| protoPayload.authorizationInfo | is_not_null | |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| project | resource.labels.project_id |
| principal | protoPayload.authenticationInfo.principalEmail |
| caller_ip | protoPayload.requestMetadata.callerIP |
| methodName | protoPayload.methodName |
| resourceName | protoPayload.resourceName |
| serviceName | protoPayload.serviceName |
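The Condition and Output fields sections above describe the rule only as far as the parser could extract it. The following is an added example, not Panther's own `gcp_k8s_privileged_pod_created.py`: a Panther-style `rule()` and `alert_context()` reconstructed from the page's conditions, six tests and output-field table. It assumes events arrive as plain dicts, and the exclusion of pods created in the platform namespaces (`kube-system`, `gke-system`, ...) is my assumption, derived from the two "(Excluded)" tests rather than from the extracted condition.

```python
# Added example reconstructed from this page's conditions, tests and output fields; NOT Panther's own gcp_k8s_privileged_pod_created.py.
SYSTEM_PRINCIPAL_PREFIXES = (  # copied from the Exclusions table
    "system:kube-controller-manager", "system:kube-scheduler", "system:addon-manager",
    "system:serviceaccount:kube-system:", "system:serviceaccount:kube-public:",
    "system:serviceaccount:kube-node-lease:", "system:serviceaccount:gke-system:",
    "system:serviceaccount:gke-managed-system:", "system:serviceaccount:gmp-system:",
    "system:serviceaccount:gmp-public:", "system:serviceaccount:config-management-system:",
    "system:serviceaccount:istio-system:", "system:serviceaccount:asm-system:",
)
# Assumption (not stated on the page): a pod created in one of the namespaces named above
# is platform-managed; this is what makes both "(Excluded)" tests come out false.
SYSTEM_NAMESPACES = frozenset(p.split(":")[2] for p in SYSTEM_PRINCIPAL_PREFIXES if p.count(":") == 3)


def deep_get(obj, *keys, default=None):
    """Walk nested dicts (stands in for Panther's helper); default at the first missing key."""
    for key in keys:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return default if obj is None else obj


def namespace_of(resource_name):
    """'core/v1/namespaces/<ns>/pods/<name>' -> '<ns>' (None if the path has no namespace)."""
    parts = (resource_name or "").split("/")
    return parts[parts.index("namespaces") + 1] if "namespaces" in parts else None


def is_privileged(container):
    """privileged: true, or runAsNonRoot: false, the two cases the page's tests alert on."""
    ctx = container.get("securityContext") or {}
    return ctx.get("privileged") is True or ctx.get("runAsNonRoot") is False


def rule(event):
    proto = event.get("protoPayload") or {}
    if proto.get("methodName") != "io.k8s.core.v1.pods.create" or deep_get(proto, "response", "status") == "Failure":
        return False  # not a pod creation, or the API server rejected it (nothing was created)
    principal = deep_get(proto, "authenticationInfo", "principalEmail", default="")
    if principal.startswith(SYSTEM_PRINCIPAL_PREFIXES) or namespace_of(proto.get("resourceName")) in SYSTEM_NAMESPACES:
        return False  # cluster-internal principal, or a platform namespace (see assumption above)
    containers = deep_get(proto, "request", "spec", "containers", default=[])
    return any(is_privileged(c) for c in containers)


def alert_context(event):  # the Output fields table on this page, as attached to the alert
    proto = event.get("protoPayload") or {}
    return {"project": deep_get(event, "resource", "labels", "project_id"),
            "principal": deep_get(proto, "authenticationInfo", "principalEmail"),
            "caller_ip": deep_get(proto, "requestMetadata", "callerIP"),
            "methodName": proto.get("methodName"), "resourceName": proto.get("resourceName"),
            "serviceName": proto.get("serviceName")}
```

Run against the six test logs in the rule body, `rule()` returns true for the first two and false for the remaining four, matching each test's `ExpectedResult`.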