Elastic Security Detection Rules

Kubernetes Pod Created With HostNetwork

Last updated 5 days ago on 2026-02-02
Created 4 years ago on 2022-07-05

About

This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.
Tags
Data Source: KubernetesDomain: KubernetesUse Case: Threat DetectionTactic: ExecutionTactic: Privilege EscalationLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Privilege Escalation (TA0004)(external, opens in a new tab or window)

Escape to Host (T1611)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

Deploy Container (T1610)(external, opens in a new tab or window)

False Positive Examples
An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field "kubernetes.audit.requestObject.spec.container.image"
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-kubernetes.audit_logs-*
Related Integrations

kubernetes(external, opens in a new tab or window)

Query
text code block:
event.dataset:kubernetes.audit_logs and kubernetes.audit.annotations.authorization_k8s_io/decision:allow and
kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:(create or patch or update) and
kubernetes.audit.requestObject.spec.hostNetwork:true and
not (
  kubernetes.audit.requestObject.spec.containers.image:(
    *eks/observability/aws-for-fluent-bit* or *eks/observability/cloudwatch-agent* or *elastic-agent* or *quay/tigera* or *tigera/operator* or
    docker.io/bitnami/node-exporter* or docker.io/rancher/mirrored-calico-operator* or quay.io/calico/node* or quay.io/cephcsi/cephcsi* or
    quay.io/frrouting/frr* or quay.io/metallb/speaker* or quay.io/prometheus/node-exporter* or rancher/system-agent* or
    registry.crowdstrike.com/falcon-sensor* or registry.k8s.io/sig-storage/csi-node-driver-registrar*
  ) or
  kubernetes.audit.objectRef.namespace:(
    calico or calico-system or cilium or elastic or ingress-nginx or kube-system or noname-security-posture or openebs or sysdig-agent
  )
)

Install detection rules in Elastic Security

Detect Kubernetes Pod Created With HostNetwork in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).