IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

GKE Pod Created With HostIPC

edit

Detects GKE pod create, update, or patch events that enable host IPC namespace sharing. This exposes host inter-process communication mechanisms and can support privilege escalation. Controller-owned workloads are excluded.

Rule type: query

Rule indices:

  • logs-gcp.audit-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: Kubernetes
  • Data Source: GCP
  • Data Source: Google Cloud Platform
  • Use Case: Threat Detection
  • Tactic: Privilege Escalation
  • Tactic: Execution
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating GKE Pod Created With HostIPC

Host IPC lets a pod interact with host IPC facilities. Review the pod spec, actor, and whether the change was expected.

Investigation steps

  • Confirm gcp.audit.request.spec.hostIPC and targeted namespace or pod.
  • Review user.email and correlate with other risky pod modifications.

False positives

  • Break-glass debugging on nodes; allowlist known admin identities.

Setup

edit

The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.

Rule query

edit
data_stream.dataset:gcp.audit and event.outcome:success and
event.action:("io.k8s.core.v1.pods.create" or "io.k8s.core.v1.pods.update" or "io.k8s.core.v1.pods.patch") and
gcp.audit.request.spec.hostIPC:true and
not gcp.audit.request.metadata.ownerReferences.kind:("ReplicaSet" or "DaemonSet" or "StatefulSet")

Framework: MITRE ATT&CKTM