Elastic Security Detection Rules

Kubernetes Pod Created With HostIPC

Last updated 2 months ago on 2025-06-18
Created 3 years ago on 2022-07-05

About

This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the hosts IPC namespace. If any process on the host or any processes in a pod uses the hosts inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.
Tags
Data Source: KubernetesTactic: ExecutionTactic: Privilege EscalationLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Privilege Escalation (TA0004)(opens in a new tab or window)

Escape to Host (T1611)(opens in a new tab or window)

Execution (TA0002)(opens in a new tab or window)

Deploy Container (T1610)(opens in a new tab or window)

False Positive Examples
An administrator or developer may want to use a pod that runs as root and shares the host's IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field "kubernetes.audit.requestObject.spec.container.image"
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-kubernetes.audit_logs-*
Related Integrations

kubernetes(opens in a new tab or window)

Query
event.dataset : "kubernetes.audit_logs"
  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
  and kubernetes.audit.objectRef.resource:"pods"
  and kubernetes.audit.verb:("create" or "update" or "patch")
  and kubernetes.audit.requestObject.spec.hostIPC:true
  and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")

Install detection rules in Elastic Security

Detect Kubernetes Pod Created With HostIPC in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).