GKE Privileged Pod Created
editGKE Privileged Pod Created
editDetects successful GKE audit events where a pod is created with allowPrivilegeEscalation enabled. This weakens container isolation and can help an attacker escalate toward host access. Standalone pods are included; workloads owned by ReplicaSet, DaemonSet, or StatefulSet controllers are excluded.
Rule type: query
Rule indices:
- logs-gcp.audit-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: None (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: Kubernetes
- Data Source: GCP
- Data Source: Google Cloud Platform
- Use Case: Threat Detection
- Tactic: Privilege Escalation
- Tactic: Execution
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
Investigating GKE Privileged Pod Created
Review user.email, orchestrator.resource.name, orchestrator.namespace, and the pod spec in gcp.audit.request.
Confirm whether allowPrivilegeEscalation is required for the workload.
Investigation steps
-
Identify the actor and source (
user.email,source.ip,user_agent.original). - Inspect container images and securityContext in the audit request payload.
- Correlate with RBAC changes, secret access, or exec activity from the same identity.
False positives
- One-off admin debugging pods; tune by user or namespace when documented.
Setup
editThe GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.
Rule query
editdata_stream.dataset:gcp.audit and event.action:"io.k8s.core.v1.pods.create" and event.outcome:success and
gcp.audit.request.spec.containers.securityContext.allowPrivilegeEscalation:true and
not gcp.audit.request.metadata.ownerReferences.kind:("ReplicaSet" or "DaemonSet" or "StatefulSet")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Escape to Host
- ID: T1611
- Reference URL: https://attack.mitre.org/techniques/T1611/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Deploy Container
- ID: T1610
- Reference URL: https://attack.mitre.org/techniques/T1610/