Execution: Suspicious Exec or Attach to a System Pod

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Finding description

Someone used the exec or attach commands to get a shell or execute a command on a container running in the kube-system namespace. These methods are sometimes used for legitimate debugging purposes. However, the kube-system namespace is intended for system objects created by Kubernetes, and unexpected command execution or shell creation should be reviewed. For more details, see the log message for this alert.

  1. Review the audit logs in Cloud Logging to determine if this was expected activity by the principal.
  2. Determine whether there are other signs of malicious activity by the principal in the logs.
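As an added example covering both response steps above (not part of this Security Command Center document and not Google's code), the script below triages a batch of exported audit log entries: it isolates exec/attach calls against kube-system pods and then summarises everything else the same principal did. The entry shape (resource.type "k8s_cluster", protoPayload.methodName, protoPayload.resourceName, protoPayload.authenticationInfo.principalEmail) is assumed to follow GKE Kubernetes audit logs as surfaced in Cloud Logging; the entries themselves are constructed, and the Logs Explorer filter string is an assumed query, not one taken from the page.

```python
"""Added example: triage exec/attach audit events against kube-system pods.

Log entries here are constructed for illustration. Their field layout is an
assumption based on GKE Kubernetes audit logs in Cloud Logging.
"""
from collections import defaultdict

# Assumed Logs Explorer filter a responder would paste to pull the same events.
LOGS_EXPLORER_FILTER = (
    'resource.type="k8s_cluster" AND '
    '(protoPayload.methodName="io.k8s.core.v1.pods.exec.create" OR '
    'protoPayload.methodName="io.k8s.core.v1.pods.attach.create") AND '
    'protoPayload.resourceName:"namespaces/kube-system/"'
)

EXEC_ATTACH_METHODS = {
    "io.k8s.core.v1.pods.exec.create",
    "io.k8s.core.v1.pods.attach.create",
}


def _entry(ts, method, resource_name, principal):
    """Build one constructed audit entry in the assumed Cloud Logging shape."""
    return {
        "timestamp": ts,
        "resource": {"type": "k8s_cluster", "labels": {"cluster_name": "demo-cluster"}},
        "protoPayload": {
            "methodName": method,
            "resourceName": resource_name,
            "authenticationInfo": {"principalEmail": principal},
        },
    }


# Constructed sample entries (not real audit data).
SAMPLE_ENTRIES = [
    _entry("2024-05-01T10:00:00Z", "io.k8s.core.v1.pods.exec.create",
           "core/v1/namespaces/kube-system/pods/kube-dns-abc12/exec", "alice@example.com"),
    _entry("2024-05-01T10:05:00Z", "io.k8s.core.v1.pods.list",
           "core/v1/namespaces/default/pods", "bob@example.com"),
    _entry("2024-05-01T10:06:00Z", "io.k8s.core.v1.pods.attach.create",
           "core/v1/namespaces/kube-system/pods/fluentbit-gke-x/attach", "bob@example.com"),
    _entry("2024-05-01T10:07:00Z", "io.k8s.authorization.rbac.v1.clusterrolebindings.create",
           "rbac.authorization.k8s.io/v1/clusterrolebindings/debug-admin", "bob@example.com"),
    _entry("2024-05-01T10:10:00Z", "io.k8s.core.v1.pods.exec.create",
           "core/v1/namespaces/default/pods/web-1/exec", "alice@example.com"),
]


def namespace_of(resource_name):
    """Namespace from a resourceName such as core/v1/namespaces/<ns>/pods/<pod>/exec."""
    parts = resource_name.split("/")
    if "namespaces" in parts:
        i = parts.index("namespaces")
        if i + 1 < len(parts):
            return parts[i + 1]
    return None  # cluster-scoped resource, no namespace


def system_exec_events(entries):
    """Step 1: (principal, pod, method, timestamp) for exec/attach into kube-system pods."""
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") not in EXEC_ATTACH_METHODS:
            continue
        resource_name = payload.get("resourceName", "")
        if namespace_of(resource_name) != "kube-system":
            continue
        parts = resource_name.split("/")
        pod = parts[parts.index("pods") + 1] if "pods" in parts else "?"
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "?")
        hits.append((principal, pod, payload["methodName"], entry.get("timestamp")))
    return hits


def principal_activity(entries, principal):
    """Step 2: every method the principal called in the window, as method -> count."""
    counts = defaultdict(int)
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("authenticationInfo", {}).get("principalEmail") == principal:
            counts[payload.get("methodName")] += 1
    return dict(counts)


if __name__ == "__main__":
    for principal, pod, method, ts in system_exec_events(SAMPLE_ENTRIES):
        print(f"{ts} {principal} -> {method} on kube-system/{pod}")
        print("  other activity:", principal_activity(SAMPLE_ENTRIES, principal))
```

Run against a real export by replacing SAMPLE_ENTRIES with the JSON entries returned for LOGS_EXPLORER_FILTER (widened to the principal once a hit is found, so step 2 sees their non-exec calls as well). An exec into kube-system followed shortly by an RBAC change from the same principal, as in the constructed bob@example.com entries, is the kind of pattern the second step is meant to surface.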

Review the guidance for using the principle of least privilege for the RBAC roles and cluster roles that allowed this access.
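As an added example for the least-privilege review (not part of this document), the script below inspects Role and ClusterRole manifests for rules that grant `create` on the `pods/exec` or `pods/attach` subresources and joins them with bindings to list which subjects actually hold that access. The matching mirrors how Kubernetes RBAC evaluates resources: `*` matches everything, an exact `pods/exec` matches, and the `*/exec` form matches the subresource on any resource, whereas an unrelated wildcard such as `*/scale` does not. The manifests are constructed for the example, and keying bindings by roleRef kind and name (ignoring the binding's namespace scope) is a simplification.

```python
"""Added example: find RBAC roles and subjects that can exec or attach to pods.

Manifests below are constructed. Roles and bindings are plain dicts shaped like
the Kubernetes Role/ClusterRole and RoleBinding/ClusterRoleBinding objects.
"""

SUBRESOURCES = ("exec", "attach")


def grants_subresource(rule, subresource, verb="create"):
    """True if one PolicyRule grants `verb` on pods/<subresource>.

    Resource matching follows the RBAC authorizer: "*" matches all, an exact
    "pods/<sub>" matches, and "*/<sub>" matches that subresource on any resource.
    """
    if not any(group in ("", "*") for group in rule.get("apiGroups", [])):
        return False
    accepted = ("*", f"pods/{subresource}", f"*/{subresource}")
    if not any(resource in accepted for resource in rule.get("resources", [])):
        return False
    verbs = rule.get("verbs", [])
    return verb in verbs or "*" in verbs


def risky_roles(roles):
    """{(kind, name): [subresources granted]} for roles able to exec or attach."""
    out = {}
    for role in roles:
        granted = sorted({sub for rule in role.get("rules", [])
                          for sub in SUBRESOURCES if grants_subresource(rule, sub)})
        if granted:
            out[(role["kind"], role["metadata"]["name"])] = granted
    return out


def who_can_exec(roles, bindings):
    """Set of (subject kind, subject name, role name) holding exec/attach via a binding."""
    risky = risky_roles(roles)
    holders = set()
    for binding in bindings:
        key = (binding["roleRef"]["kind"], binding["roleRef"]["name"])
        if key in risky:
            for subject in binding.get("subjects", []):
                holders.add((subject["kind"], subject["name"], key[1]))
    return holders


# Constructed manifests (not from any real cluster).
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "debug-exec", "namespace": "kube-system"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "scale-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*/scale"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "attach-any"},
     "rules": [{"apiGroups": [""], "resources": ["*/attach"], "verbs": ["create"]}]},
]

BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"},
                  {"kind": "User", "name": "alice@example.com"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ks-debug", "namespace": "kube-system"},
     "roleRef": {"kind": "Role", "name": "debug-exec"},
     "subjects": [{"kind": "ServiceAccount", "name": "debugger", "namespace": "kube-system"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "readers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "bob@example.com"}]},
]


if __name__ == "__main__":
    for (kind, name), subs in sorted(risky_roles(ROLES).items()):
        print(f"{kind}/{name} grants pods/{' and pods/'.join(subs)}")
    for subject_kind, subject, role in sorted(who_can_exec(ROLES, BINDINGS)):
        print(f"{subject_kind} {subject} can exec/attach via {role}")
```

Feed it the output of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` (the `items` lists) to review a live cluster; any subject on the list who does not need shell access to system pods is a candidate for a narrower role. Note that `attach-any` grants attach without being bound here, so it appears in risky_roles but not in who_can_exec.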

What's next