GKE Pod Created With HostNetwork
Detects GKE pod create, update, or patch events that enable host network namespace sharing. HostNetwork grants access to the node network stack and can bypass namespace network policies. System identities and controller-owned workloads are excluded.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/30"
3integration = ["gcp"]
4maturity = "production"
5updated_date = "2026/06/30"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects GKE pod create, update, or patch events that enable host network namespace sharing. HostNetwork grants access to
11the node network stack and can bypass namespace network policies. System identities and controller-owned workloads are
12excluded.
13"""
14false_positives = [
15 """
16 Monitoring agents and CNI components may require hostNetwork. Exclude known platform identities after review.
17 """,
18]
19index = ["logs-gcp.audit-*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "GKE Pod Created With HostNetwork"
23note = """## Triage and analysis
24
25### Investigating GKE Pod Created With HostNetwork
26
27HostNetwork pods can observe or interact with node-local services. Validate the actor and workload purpose.
28
29### Investigation steps
30
31- Review `user.email`, pod name, namespace, and container images in `gcp.audit.request`.
32- Hunt for secret access or exec from the same identity after the change.
33
34### False positives
35
36- Platform DaemonSets often use hostNetwork; controller ownerReferences exclusion reduces noise.
37
38## Setup
39
40The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
41references = [
42 "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
43 "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation",
44]
45risk_score = 47
46rule_id = "0030f681-0142-4231-b728-49bb9fc12066"
47severity = "medium"
48tags = [
49 "Domain: Cloud",
50 "Domain: Kubernetes",
51 "Data Source: GCP",
52 "Data Source: Google Cloud Platform",
53 "Use Case: Threat Detection",
54 "Tactic: Privilege Escalation",
55 "Tactic: Execution",
56 "Resources: Investigation Guide",
57]
58timestamp_override = "event.ingested"
59type = "query"
60
61query = '''
62data_stream.dataset:gcp.audit and
63event.action:("io.k8s.core.v1.pods.create" or "io.k8s.core.v1.pods.update" or "io.k8s.core.v1.pods.patch") and
64gcp.audit.request.spec.hostNetwork:true and
65not gcp.audit.request.metadata.ownerReferences.kind:("ReplicaSet" or "DaemonSet" or "StatefulSet") and
66not user.email:system\:*
67'''
68
69[[rule.threat]]
70framework = "MITRE ATT&CK"
71
72[[rule.threat.technique]]
73id = "T1611"
74name = "Escape to Host"
75reference = "https://attack.mitre.org/techniques/T1611/"
76
77[rule.threat.tactic]
78id = "TA0004"
79name = "Privilege Escalation"
80reference = "https://attack.mitre.org/tactics/TA0004/"
81
82[[rule.threat]]
83framework = "MITRE ATT&CK"
84
85[[rule.threat.technique]]
86id = "T1610"
87name = "Deploy Container"
88reference = "https://attack.mitre.org/techniques/T1610/"
89
90[rule.threat.tactic]
91id = "TA0002"
92name = "Execution"
93reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
Investigating GKE Pod Created With HostNetwork
HostNetwork pods can observe or interact with node-local services. Validate the actor and workload purpose.
Investigation steps
- Review
user.email, pod name, namespace, and container images ingcp.audit.request. - Hunt for secret access or exec from the same identity after the change.
False positives
- Platform DaemonSets often use hostNetwork; controller ownerReferences exclusion reduces noise.
Setup
The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.
References
Related rules
- GKE Container Created with Excessive Linux Capabilities
- GKE Pod Created With HostIPC
- GKE Pod Created With HostPID
- GKE Pod Created with a Sensitive hostPath Volume
- GKE Privileged Pod Created