Kubelet

This rule detects potential direct Kubelet API access attempts on Linux by identifying process executions whose arguments contain URLs targeting Kubelet ports (10250/10255) enabling discovery and lateral movement in Kubernetes environments.

The rule detects network connection attempts to the Kubernetes Kubelet API ports 10250 and 10255 on internal IP ranges from Linux hosts, indicating potential lateral movement within container and cluster environments.

Detection of potential direct Kubelet access via process arguments in Linux containers, which could lead to enumeration, execution, or lateral movement within the Kubernetes cluster.