Runbook

Unauthorized Pod Execution Alert


Overview

Unauthorized Pod Execution is an incident type that occurs when an unauthorized entity attempts to create a pod in a Kubernetes cluster without the required permissions. The incident is treated as a potential intrusion and raises an alert to the responsible personnel. The alert exists to stop unauthorized access early and protect the cluster's integrity.

Parameters

Debug

First, check whether any unauthorized pods are running in the cluster.

Check the audit logs for any suspicious activity

Check the pod's metadata to see who created it

Check the pod's security context to see whether it is allowed to perform any privileged actions.

Check the pod's service account to see if it has elevated privileges

Check the Kubernetes API server logs for any suspicious activity

Check the role bindings and cluster roles to see if the user or service account has the necessary permissions

Check the pod's manifest (YAML) for any suspicious configuration.
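The debug steps above, worked through as an added example that is not part of this runbook: a Python triage script that walks a constructed sample of Kubernetes audit events (audit.k8s.io/v1 shape) and reports pod-creation requests from principals outside an assumed allowlist, requests the API server denied, and pods that ask for host namespaces or privileged containers. The allowlist, usernames, namespaces and events are all constructed for the example.

```python
import json

# Constructed sample of audit events (audit.k8s.io/v1 shape); not output from a real cluster.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:kube-system:deployment-controller"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"coredns-7d4"},"responseStatus":{"code":201},"requestObject":{"spec":{"serviceAccountName":"coredns","containers":[{"name":"coredns"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"dev-bob"},"objectRef":{"resource":"pods","namespace":"default","name":"debug-shell"},"responseStatus":{"code":201},"requestObject":{"spec":{"hostPID":true,"containers":[{"name":"sh","securityContext":{"privileged":true}}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"dev-bob"},"objectRef":{"resource":"pods","namespace":"prod","name":"miner"},"responseStatus":{"code":403},"requestObject":{"spec":{"containers":[{"name":"x"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"dev-alice"},"objectRef":{"resource":"pods","namespace":"default","name":"web-1"},"responseStatus":{"code":200}}
"""

# Assumed allowlist of principals permitted to create pods (hypothetical per-cluster policy).
ALLOWED_CREATORS = {"system:serviceaccount:kube-system:deployment-controller"}


def privileged_flags(spec):
    """Return the spec settings that would give the pod elevated access to the node."""
    flags = [k for k in ("hostPID", "hostNetwork", "hostIPC") if spec.get(k)]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            flags.append(f"privileged:{c.get('name')}")
    return flags


def triage_pod_creates(audit_log, allowed=ALLOWED_CREATORS):
    """Walk newline-delimited audit events and report pod creations that need a closer look."""
    findings = []
    for line in audit_log.strip().splitlines():
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ev.get("verb") != "create" or ref.get("resource") != "pods":
            continue  # only pod creation requests matter for this alert
        user = ev.get("user", {}).get("username", "<unknown>")
        code = ev.get("responseStatus", {}).get("code")
        spec = ev.get("requestObject", {}).get("spec", {})
        reasons = []
        if user not in allowed:
            reasons.append("creator not in allowlist")
        if code == 403:
            reasons.append("denied by RBAC (attempt only)")
        reasons += privileged_flags(spec)
        if reasons:
            findings.append({
                "namespace": ref.get("namespace"), "pod": ref.get("name"), "user": user,
                "serviceAccount": spec.get("serviceAccountName", "default"),
                "admitted": code == 201, "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_pod_creates(SAMPLE_AUDIT_LOG):
        print(finding)
```

Pods the script reports with "admitted": True are the ones to remove under Repair; denied attempts are still worth following up with the role binding checks above.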

Repair

Immediately remove the unauthorized pod from the cluster.

Implement a stronger access control policy to prevent unauthorized pod creation in the future.
