GKE Pod Created With HostIPC
Detects GKE pod create, update, or patch events that enable host IPC namespace sharing. This exposes host inter-process communication mechanisms and can support privilege escalation. Controller-owned workloads are excluded.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/30"
3integration = ["gcp"]
4maturity = "production"
5updated_date = "2026/06/30"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects GKE pod create, update, or patch events that enable host IPC namespace sharing. This exposes host inter-process
11communication mechanisms and can support privilege escalation. Controller-owned workloads are excluded.
12"""
13false_positives = [
14 """
15 Administrators may enable hostIPC for legitimate debugging. Exclude trusted users or namespaces after baselining.
16 """,
17]
18index = ["logs-gcp.audit-*"]
19language = "kuery"
20license = "Elastic License v2"
21name = "GKE Pod Created With HostIPC"
22note = """## Triage and analysis
23
24### Investigating GKE Pod Created With HostIPC
25
26Host IPC lets a pod interact with host IPC facilities. Review the pod spec, actor, and whether the change was expected.
27
28### Investigation steps
29
30- Confirm `gcp.audit.request.spec.hostIPC` and targeted namespace or pod.
31- Review `user.email` and correlate with other risky pod modifications.
32
33### False positives
34
35- Break-glass debugging on nodes; allowlist known admin identities.
36
37## Setup
38
39The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
40references = [
41 "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
42 "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation",
43]
44risk_score = 47
45rule_id = "fde4efad-9cd0-4fa4-84c8-0e3b6fc957b4"
46severity = "medium"
47tags = [
48 "Domain: Cloud",
49 "Domain: Kubernetes",
50 "Data Source: GCP",
51 "Data Source: Google Cloud Platform",
52 "Use Case: Threat Detection",
53 "Tactic: Privilege Escalation",
54 "Tactic: Execution",
55 "Resources: Investigation Guide",
56]
57timestamp_override = "event.ingested"
58type = "query"
59
60query = '''
61data_stream.dataset:gcp.audit and event.outcome:success and
62event.action:("io.k8s.core.v1.pods.create" or "io.k8s.core.v1.pods.update" or "io.k8s.core.v1.pods.patch") and
63gcp.audit.request.spec.hostIPC:true and
64not gcp.audit.request.metadata.ownerReferences.kind:("ReplicaSet" or "DaemonSet" or "StatefulSet")
65'''
66
67[[rule.threat]]
68framework = "MITRE ATT&CK"
69
70[[rule.threat.technique]]
71id = "T1611"
72name = "Escape to Host"
73reference = "https://attack.mitre.org/techniques/T1611/"
74
75[rule.threat.tactic]
76id = "TA0004"
77name = "Privilege Escalation"
78reference = "https://attack.mitre.org/tactics/TA0004/"
79
80[[rule.threat]]
81framework = "MITRE ATT&CK"
82
83[[rule.threat.technique]]
84id = "T1610"
85name = "Deploy Container"
86reference = "https://attack.mitre.org/techniques/T1610/"
87
88[rule.threat.tactic]
89id = "TA0002"
90name = "Execution"
91reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
Investigating GKE Pod Created With HostIPC
Host IPC lets a pod interact with host IPC facilities. Review the pod spec, actor, and whether the change was expected.
Investigation steps
- Confirm
gcp.audit.request.spec.hostIPCand targeted namespace or pod. - Review
user.emailand correlate with other risky pod modifications.
False positives
- Break-glass debugging on nodes; allowlist known admin identities.
Setup
The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.
References
Related rules
- GKE Container Created with Excessive Linux Capabilities
- GKE Pod Created With HostNetwork
- GKE Pod Created With HostPID
- GKE Pod Created with a Sensitive hostPath Volume
- GKE Privileged Pod Created