Back to catalog

Process Targeting Cluster Kubelet Endpoint

No violationsstackroxhighruntime

Detects misuse of the healthz/kubelet API/heapster endpoint

Rationale
A pod communicating to a Kubernetes API from via command line is highly irregular
Remediation
Look for open ports that may allow remote execution. Remove network utilities like curl and wget that allow these connections. Consider a firewall deny ingress firewall rule to the node serving the API
CategoriesKubernetes

Generated artifacts

1 of 5 targets supported
process-targeting-cluster-kubelet-endpoint.yaml
- rule: process-targeting-cluster-kubelet-endpoint
  desc: Detects misuse of the healthz/kubelet API/heapster endpoint
  condition: proc.cmdline contains "(https?://)?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(10250|10248|10255)|heapster\.kube\-system/metrics|KUBERNETES_PORT_443_TCP_ADDR|KUBERNETES_SERVICE_HOST).*"
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Process Targeting Cluster Kubelet Endpoint)
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "86804b96-e87e-4eae-b56e-1718a8a55763",
  "name": "Process Targeting Cluster Kubelet Endpoint",
  "description": "Detects misuse of the healthz/kubelet API/heapster endpoint",
  "rationale": "A pod communicating to a Kubernetes API from via command line is highly irregular",
  "remediation": "Look for open ports that may allow remote execution. Remove network utilities like curl and wget that allow these connections. Consider a firewall deny ingress firewall rule to the node serving the API",
  "severity": "high",
  "categories": [
    "Kubernetes"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-arguments",
    "values": [
      "(https?://)?(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:(10250|10248|10255)|heapster\\.kube\\-system/metrics|KUBERNETES_PORT_443_TCP_ADDR|KUBERNETES_SERVICE_HOST).*"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "86804b96-e87e-4eae-b56e-1718a8a55763",
  "name": "Process Targeting Cluster Kubelet Endpoint",
  "description": "Detects misuse of the healthz/kubelet API/heapster endpoint",
  "rationale": "A pod communicating to a Kubernetes API from via command line is highly irregular",
  "remediation": "Look for open ports that may allow remote execution. Remove network utilities like curl and wget that allow these connections. Consider a firewall deny ingress firewall rule to the node serving the API",
  "disabled": false,
  "categories": [
    "Kubernetes"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Arguments",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "(https?://)?(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:(10250|10248|10255)|heapster\\.kube\\-system/metrics|KUBERNETES_PORT_443_TCP_ADDR|KUBERNETES_SERVICE_HOST).*"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0007",
      "techniques": [
        "T1613"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}