Back to catalog

Process Targeting Kubernetes Service Endpoint

No violationsstackroxhighruntime

Detects misuse of the Kubernetes Service API endpoint

Rationale
A pod communicating to a Kubernetes API from via command line is highly irregular
Remediation
Look for open ports that may allow remote execution. Remove network utilities like curl and wget that allow these connections. Consider a firewall deny ingress firewall rule to the node serving the API
CategoriesKubernetes

Generated artifacts

1 of 5 targets supported
process-targeting-kubernetes-service-endpoint.yaml
- rule: process-targeting-kubernetes-service-endpoint
  desc: Detects misuse of the Kubernetes Service API endpoint
  condition: proc.cmdline contains "https://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|\$.?KUBERNETES_(PORT_443_TCP_ADDR|SERVICE_HOST).?)(:443)?/apis?/(v1(beta.)?/)?(.*\.k8s\.io|clusterrole.*|role.*|networkpolicies|cronjobs|certificate.*|podsecurity.*|secrets.*)"
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Process Targeting Kubernetes Service Endpoint)
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "251136ca-c92c-4474-a2c7-4949c71b745f",
  "name": "Process Targeting Kubernetes Service Endpoint",
  "description": "Detects misuse of the Kubernetes Service API endpoint",
  "rationale": "A pod communicating to a Kubernetes API from via command line is highly irregular",
  "remediation": "Look for open ports that may allow remote execution. Remove network utilities like curl and wget that allow these connections. Consider a firewall deny ingress firewall rule to the node serving the API",
  "severity": "high",
  "categories": [
    "Kubernetes"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-arguments",
    "values": [
      "https://(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|\\$.?KUBERNETES_(PORT_443_TCP_ADDR|SERVICE_HOST).?)(:443)?/apis?/(v1(beta.)?/)?(.*\\.k8s\\.io|clusterrole.*|role.*|networkpolicies|cronjobs|certificate.*|podsecurity.*|secrets.*)"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "251136ca-c92c-4474-a2c7-4949c71b745f",
  "name": "Process Targeting Kubernetes Service Endpoint",
  "description": "Detects misuse of the Kubernetes Service API endpoint",
  "rationale": "A pod communicating to a Kubernetes API from via command line is highly irregular",
  "remediation": "Look for open ports that may allow remote execution. Remove network utilities like curl and wget that allow these connections. Consider a firewall deny ingress firewall rule to the node serving the API",
  "disabled": false,
  "categories": [
    "Kubernetes"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Arguments",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "https://(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|\\$.?KUBERNETES_(PORT_443_TCP_ADDR|SERVICE_HOST).?)(:443)?/apis?/(v1(beta.)?/)?(.*\\.k8s\\.io|clusterrole.*|role.*|networkpolicies|cronjobs|certificate.*|podsecurity.*|secrets.*)"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0007",
      "techniques": [
        "T1613"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}