Situation: Multiple newly deployed pods show sudden high CPU and many outbound connections.Play-by-play response — triage, contain, investigate, remediate, then recover.1) Rapid detection & scope- Query cluster for affected pods and nodes:bash
kubectl get pods --all-namespaces -o wide | grep -E "CrashLoopBackOff|Running"
kubectl top pods --all-namespaces | sort -k3 -nr | head
kubectl get events --all-namespaces --sort-by=.metadata.creationTimestamp
- Identify rollout that created them:bash
kubectl rollout history deploy/<service> -n <ns>
kubectl get rs -n <ns> --show-labels
2) Contain (non-destructive first)- Throttle/limit egress at network policy or node firewall:bash
# apply restrictive NetworkPolicy to namespace
kubectl apply -f deny-egress.yaml -n <ns>
- Scale down or cordon node if necessary:bash
kubectl scale deployment/<svc> --replicas=0 -n <ns>
kubectl cordon <node>
3) Live forensics on an affected pod- Exec and capture process/network view:bash
kubectl exec -it pod -n <ns> -- ps auxww
kubectl exec -it pod -n <ns> -- ss -tunaep
kubectl exec -it pod -n <ns> -- lsof -i
kubectl exec -it pod -n <ns> -- cat /proc/1/cmdline
kubectl logs pod -n <ns> --since=1h
- Dump suspicious binary, hashes, timestamps:bash
kubectl cp <ns>/pod:/path/to/binary ./binary
sha256sum binary
strings binary | head
4) Network and IOC analysis- Capture pcap on node or using privileged pod:bash
tcpdump -nn -i any host <suspicious_ip> -w /tmp/pod_traffic.pcap
tshark -r /tmp/pod_traffic.pcap -q -z conv,ip
- DNS and external endpoints:bash
kubectl exec -it pod -n <ns> -- cat /etc/resolv.conf
kubectl exec -it pod -n <ns> -- dig +short suspicious.domain
whois <ip>
- Check for known C2/miner indicators: domains, ports, stratum/p2p patterns.5) Artifact & deployment inspection- Verify image provenance and image digest:bash
kubectl get pod pod -o jsonpath='{.spec.containers[*].image}'
crictl inspecti <image-id> # or query registry for digest
trivy image <image>
- Diff deployment YAML vs previous:bash
kubectl get deploy <svc> -n <ns> -o yaml > current.yaml
git show <previous-commit>:deploy/<svc>.yaml
6) Logs & metrics correlation- Query Prometheus/Grafana for CPU, netbytes, pod creation time windows.- Check kube-apiserver audit logs for who created the deployment:bash
# search audit logs for user/api call
grep -R "deploy/<svc>" /var/log/kube-apiserver-audit.log
7) Decide: misconfig vs compromise- Signs of misconfiguration: new image tag matches CI artifacts, start command expected, no unknown binaries, outbound to known service endpoints, recent config change in repo.- Signs of compromise: unknown binaries, obfuscated strings, many external connections to IPs with bad reputation, persistence mechanisms, container images not matching signed digests, unexpected RBAC/activity in audit logs.8) Remediation & recovery- If compromise: isolate cluster, rotate credentials, remove malicious images, rollback to known-good revision, redeploy with enforced imagePolicy and PSP/OPA Gatekeeper, block discovered IPs at network level, perform full incident response with security team.- If misconfig: rollback, fix resource limits, egress rules, CI pipeline.9) Post-incident- Preserve evidence (pcaps, disk images, logs), timeline, root cause, and actions.- Implement prevention: image signing, egress network policies, runtime policies (Falco), scanning (Trivy), stricter RBAC, circuit-breaker alerts for unusual outbound rates.This sequence balances rapid containment (egress/scale down) with forensic data collection (ps/ss/tcpdump, logs, image digests, audit logs) so you can determine misconfiguration vs malicious activity and remediate safely.