**Approach (brief)** Design detections mapped to MITRE ATT&CK techniques for container escape (e.g., TESC: Escape to host) and lateral movement (e.g., Lateral Movement via kubectl, API abuse). Combine host/container runtime, kube-audit, node logs, and network flow telemetry; enforce network/RBAC controls to reduce blast radius.**Required telemetry**- Container runtime events: process execs, new privileges, filesystem mounts, container start/stop, capabilities changes (Falco, Docker/CRI-O events). - Kube-audit: all API server requests, impersonation, exec/attach events, pod creation with hostPath/hostNetwork/privileged. - Node logs: syscalls denied, kernel messages (dmesg), SSH/cron/cronlogs, kubelet logs. - Network flows: Cilium/Calico flows, service-to-service connections, pod-to-node, DNS queries.**Example detection rules**- Falco (container escape indicator):yaml
# falco rule
- rule: Privileged Container Changed / HostPath Mounted
desc: Detect containers with privileged flag or hostPath mounts
condition: container.privileged=true or container.mounts.path startswith /host
output: Privileged/HostPath mount in container (user=%user.name container=%container.name)
priority: CRITICAL
- SIEM/KQL (kube-audit):kql
KubeAudit
| where verb in ("exec","attach") and (requestObject.spec.containers[*].securityContext.privileged == true or requestObject.spec.volumes[*].hostPath != "")
| extend user = user.username, pod = requestObject.metadata.name
- Network flow anomaly (NetFlow): - Alert when pod makes outbound connections to >50 unique IPs in 10m or to internal node SSH ports.**Network & RBAC controls**- NetworkPolicy: default deny ingress/egress; explicit service whitelists; isolate namespaces; restrict hostNetwork=true usage.- CNI-level egress controls + eBPF policy enforcement to block lateral SSH/RDP and limit pod-to-node access.- RBAC: least privilege for service accounts, deny wildcard verbs in ClusterRoleBindings, require OPA/Gatekeeper admission to prevent hostPath/privileged/hostPID usage.- Pod Security Admission: enforce baseline/restricted profiles.**Detection playbook / investigation steps**- On alert, collect: pod manifest, kube-audit trail for user/serviceAccount, container process tree (ps + pcap if available), node syslogs, network flows in window. Quarantine pod via NetworkPolicy and scale down service account tokens.**Trade-offs**- High-fidelity vs noise: prioritize rules that combine multiple signals (audit + runtime + network) to reduce false positives. Use enrichment (image vulnerability, SA policies) to prioritize response.This strategy gives layered telemetry, concrete detections, and controls to limit attacker movement inside the cluster.