GKE Pod Created with a Sensitive hostPath Volume
Detects GKE pod create, update, or patch events that mount sensitive hostPath volumes such as the root filesystem, kubelet paths, or container runtime sockets. This can enable container escape and credential theft. System identities and controller-owned workloads are excluded.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/30"
3integration = ["gcp"]
4maturity = "production"
5updated_date = "2026/06/30"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects GKE pod create, update, or patch events that mount sensitive hostPath volumes such as the root filesystem,
11kubelet paths, or container runtime sockets. This can enable container escape and credential theft. System identities
12and controller-owned workloads are excluded.
13"""
14false_positives = [
15 """
16 Node agents and observability DaemonSets commonly mount host paths like /proc or /var/log. Controller ownerReferences
17 exclusions reduce noise; add image exceptions if needed.
18 """,
19]
20index = ["logs-gcp.audit-*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "GKE Pod Created with a Sensitive hostPath Volume"
24note = """## Triage and analysis
25
26### Investigating GKE Pod Created with a Sensitive hostPath Volume
27
28Review `gcp.audit.request.spec.volumes.hostPath.path` and whether the mount is required for the workload.
29
30### Investigation steps
31
32- Confirm the hostPath and container images in the audit request.
33- Review `user.email`, namespace, and follow-on secret or exec activity.
34
35### False positives
36
37- Platform DaemonSets mounting /proc or kubelet paths; validate against known agents.
38
39## Setup
40
41The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
42references = [
43 "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath",
44 "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216",
45]
46risk_score = 47
47rule_id = "647ae821-a80d-4f07-bb12-d40dd433f6b4"
48severity = "medium"
49tags = [
50 "Domain: Cloud",
51 "Domain: Kubernetes",
52 "Data Source: GCP",
53 "Data Source: Google Cloud Platform",
54 "Use Case: Threat Detection",
55 "Tactic: Privilege Escalation",
56 "Tactic: Execution",
57 "Resources: Investigation Guide",
58]
59timestamp_override = "event.ingested"
60type = "query"
61
62query = '''
63data_stream.dataset:gcp.audit and event.outcome:success and
64event.action:("io.k8s.core.v1.pods.create" or "io.k8s.core.v1.pods.update" or "io.k8s.core.v1.pods.patch") and
65gcp.audit.request.spec.volumes.hostPath.path:(
66 "/" or "/proc" or "/root" or "/var" or "/var/run" or "/var/run/docker.sock" or "/var/run/crio/crio.sock" or
67 "/var/run/cri-dockerd.sock" or "/var/lib/kubelet" or "/var/lib/kubelet/pki" or "/var/lib/docker/overlay2" or "/etc" or
68 "/etc/kubernetes" or "/etc/kubernetes/manifests" or "/etc/kubernetes/pki" or "/home/admin"
69) and not user.email:system\:* and
70not gcp.audit.request.metadata.ownerReferences.kind:("ReplicaSet" or "DaemonSet" or "StatefulSet")
71'''
72
73[[rule.threat]]
74framework = "MITRE ATT&CK"
75
76[[rule.threat.technique]]
77id = "T1611"
78name = "Escape to Host"
79reference = "https://attack.mitre.org/techniques/T1611/"
80
81[rule.threat.tactic]
82id = "TA0004"
83name = "Privilege Escalation"
84reference = "https://attack.mitre.org/tactics/TA0004/"
85
86[[rule.threat]]
87framework = "MITRE ATT&CK"
88
89[[rule.threat.technique]]
90id = "T1610"
91name = "Deploy Container"
92reference = "https://attack.mitre.org/techniques/T1610/"
93
94[rule.threat.tactic]
95id = "TA0002"
96name = "Execution"
97reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
Investigating GKE Pod Created with a Sensitive hostPath Volume
Review gcp.audit.request.spec.volumes.hostPath.path and whether the mount is required for the workload.
Investigation steps
- Confirm the hostPath and container images in the audit request.
- Review
user.email, namespace, and follow-on secret or exec activity.
False positives
- Platform DaemonSets mounting /proc or kubelet paths; validate against known agents.
Setup
The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.
References
Related rules
- GKE Container Created with Excessive Linux Capabilities
- GKE Pod Created With HostIPC
- GKE Pod Created With HostNetwork
- GKE Pod Created With HostPID
- GKE Privileged Pod Created