Kubernetes API Server Proxying Request to Kubelet

Last updated 10 days ago on 2026-05-05
Created 10 days ago on 2026-05-05

About

Detects non-system identities using the Kubernetes nodes/proxy API to proxy requests through the API server directly to a node's Kubelet. The nodes/proxy subresource allows any principal with this RBAC permission to reach the Kubelet API on any worker node without needing direct network access or Kubelet TLS certificates. Through this proxy path, an attacker can list all pod specifications including environment variable secrets, read Kubelet configuration and PKI material, retrieve container logs, and access running pod metadata across all workloads on the target node. Monitoring and health check endpoints such as /metrics, /healthz, and /stats are excluded to reduce noise from legitimate observability tooling.
Tags
Data Source: Kubernetes
Domain: Kubernetes
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Lateral Movement
Tactic: Discovery
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Privilege Escalation (TA0004)

Lateral Movement (TA0008)

Discovery (TA0007)

False Positive Examples
Legitimate kubelet debugging, node troubleshooting, or security tooling that uses the node proxy outside the excluded metrics prefix may match. Baseline approved operators and automation identities.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-kubernetes.audit_logs-*
Related Integrations

kubernetes

Query
kubernetes.audit.objectRef.subresource:"proxy" and kubernetes.audit.objectRef.resource:"nodes" and not kubernetes.audit.requestURI:(*metrics* or *healthz* or *stats/summary* or *elastic-agent* or *configz*) and not user.name:( system\:kube-controller-manager or system\:kube-scheduler or system\:serviceaccount\:kube-system\:* or system\:node\:* or eks\:* or aksService )
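
Added example, not part of the Elastic rule: the query's conditions replayed in Python over constructed audit events, with matches tallied per identity and request URI to support the baselining described under False Positive Examples. It assumes raw audit.k8s.io/v1 JSON field names (user.username, requestURI, objectRef) rather than the integration's mapped fields, and uses fnmatch as a stand-in for KQL wildcard matching; the identities, node names and the make_event helper are hypothetical.

```python
import json
from collections import Counter
from fnmatch import fnmatchcase

# Exclusion patterns copied from the rule query above.
EXCLUDED_URIS = ["*metrics*", "*healthz*", "*stats/summary*", "*elastic-agent*", "*configz*"]
EXCLUDED_USERS = [
    "system:kube-controller-manager", "system:kube-scheduler",
    "system:serviceaccount:kube-system:*", "system:node:*", "eks:*", "aksService",
]

def matches_rule(event):
    """Return True when a raw audit event satisfies the rule's conditions."""
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "nodes" or ref.get("subresource") != "proxy":
        return False
    uri = event.get("requestURI", "")
    if any(fnmatchcase(uri, p) for p in EXCLUDED_URIS):
        return False
    user = (event.get("user") or {}).get("username", "")
    return not any(fnmatchcase(user, p) for p in EXCLUDED_USERS)

def baseline(lines):
    """Count matching requests per (identity, request URI) for allowlist review."""
    hits = Counter()
    for line in lines:
        event = json.loads(line)
        if matches_rule(event):
            user = (event.get("user") or {}).get("username", "")
            hits[(user, event.get("requestURI", ""))] += 1
    return hits

def make_event(user, uri, resource="nodes", subresource="proxy"):
    """Build one audit log line (hypothetical helper for the sample data)."""
    return json.dumps({"kind": "Event", "verb": "get", "requestURI": uri,
                       "user": {"username": user},
                       "objectRef": {"resource": resource, "subresource": subresource}})

# Constructed sample audit events (not real log data).
SAMPLE = [
    make_event("dev-alice", "/api/v1/nodes/node-1/proxy/pods"),
    make_event("dev-alice", "/api/v1/nodes/node-1/proxy/pods"),
    make_event("system:serviceaccount:monitoring:prometheus", "/api/v1/nodes/node-1/proxy/metrics/cadvisor"),
    make_event("system:serviceaccount:kube-system:metrics-server", "/api/v1/nodes/node-1/proxy/pods"),
    make_event("system:serviceaccount:ci:deployer", "/api/v1/nodes/node-2/proxy/containerLogs/default/web/app"),
    make_event("dev-alice", "/api/v1/nodes/node-1", subresource=""),
]

if __name__ == "__main__":
    for (user, uri), n in baseline(SAMPLE).items():
        print(f"{n:3d}  {user}  {uri}")
```

Identities that recur in the tally and are approved operators or automation are candidates for a rule exception; anything else is worth triage.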

Install detection rules in Elastic Security

Detect Kubernetes API Server Proxying Request to Kubelet in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.