Defend for Containers

Detection of potential direct Kubelet access via process arguments in Linux containers, which could lead to enumeration, execution, or lateral movement within the Kubernetes cluster.

The rule detects nsenter executions from inside a monitored Linux container that include a namespace target flag (-t or --target), which can be abused to escape container isolation.

This rule detects the execution of kubeletctl inside a container, which can be used to enumerate the Kubelet API or other resources inside the container, potentially indicating lateral movement attempts within the pod.