GKE Pod Created With HostPID
Detects GKE pod create, update, or patch events that enable host PID namespace sharing. HostPID exposes host processes and can support privilege escalation, especially with ptrace or privileged containers. System identities and controller-owned workloads are excluded.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/30"
3integration = ["gcp"]
4maturity = "production"
5updated_date = "2026/06/30"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects GKE pod create, update, or patch events that enable host PID namespace sharing. HostPID exposes host processes
11and can support privilege escalation, especially with ptrace or privileged containers. System identities and
12controller-owned workloads are excluded.
13"""
14false_positives = [
15 """
16 Debug pods may legitimately use hostPID. Exclude trusted admin workflows after baselining.
17 """,
18]
19index = ["logs-gcp.audit-*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "GKE Pod Created With HostPID"
23note = """## Triage and analysis
24
25### Investigating GKE Pod Created With HostPID
26
27HostPID visibility into host processes is high risk. Confirm whether the pod spec change was authorized.
28
29### Investigation steps
30
31- Review actor (`user.email`), target pod, and images in the audit request.
32- Correlate with exec, secret access, or RBAC changes from the same identity.
33
34### False positives
35
36- Break-glass troubleshooting; tune by user or namespace.
37
38## Setup
39
40The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
41references = [
42 "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
43 "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation",
44]
45risk_score = 47
46rule_id = "f2108687-553d-45ac-b8f0-d0efeac5d45f"
47severity = "medium"
48tags = [
49 "Domain: Cloud",
50 "Domain: Kubernetes",
51 "Data Source: GCP",
52 "Data Source: Google Cloud Platform",
53 "Use Case: Threat Detection",
54 "Tactic: Privilege Escalation",
55 "Tactic: Execution",
56 "Resources: Investigation Guide",
57]
58timestamp_override = "event.ingested"
59type = "query"
60
61query = '''
62data_stream.dataset:gcp.audit and
63event.action:("io.k8s.core.v1.pods.create" or "io.k8s.core.v1.pods.update" or "io.k8s.core.v1.pods.patch") and
64gcp.audit.request.spec.hostPID:true and not user.email:system\:* and
65not gcp.audit.request.metadata.ownerReferences.kind:("ReplicaSet" or "DaemonSet" or "StatefulSet")
66'''
67
68[[rule.threat]]
69framework = "MITRE ATT&CK"
70
71[[rule.threat.technique]]
72id = "T1611"
73name = "Escape to Host"
74reference = "https://attack.mitre.org/techniques/T1611/"
75
76[rule.threat.tactic]
77id = "TA0004"
78name = "Privilege Escalation"
79reference = "https://attack.mitre.org/tactics/TA0004/"
80
81[[rule.threat]]
82framework = "MITRE ATT&CK"
83
84[[rule.threat.technique]]
85id = "T1610"
86name = "Deploy Container"
87reference = "https://attack.mitre.org/techniques/T1610/"
88
89[rule.threat.tactic]
90id = "TA0002"
91name = "Execution"
92reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
Investigating GKE Pod Created With HostPID
HostPID visibility into host processes is high risk. Confirm whether the pod spec change was authorized.
Investigation steps
- Review actor (
user.email), target pod, and images in the audit request. - Correlate with exec, secret access, or RBAC changes from the same identity.
False positives
- Break-glass troubleshooting; tune by user or namespace.
Setup
The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.
References
Related rules
- GKE Container Created with Excessive Linux Capabilities
- GKE Pod Created With HostIPC
- GKE Pod Created With HostNetwork
- GKE Pod Created with a Sensitive hostPath Volume
- GKE Privileged Pod Created