Skip to main content

Event Information

Meaning

  • The Linux Kernel Module Injection Detected event in a Kubernetes cluster indicates that an unauthorized or malicious kernel module has been injected into the system.
  • This event could potentially compromise the security and stability of the cluster, as the injected module can perform unauthorized actions or provide unauthorized access to the system.
  • It is crucial to investigate and remediate this event promptly to ensure the integrity and compliance of the Kubernetes cluster.
To investigate and remediate this event, you can:
  • Use the kubectl get pods command to identify the affected pod(s) and their corresponding nodes.
  • Use the kubectl describe pod <pod_name> command to gather more information about the pod, such as the image being used and any suspicious activities.
  • If necessary, delete and recreate the affected pod(s) using the kubectl delete pod <pod_name> and kubectl create -f <pod_manifest.yaml> commands, respectively.

Remediation

  1. Identify the affected pod(s) by checking the podName field in the event.
    • Use the Kubernetes API to get the pod details: kubectl get pod <podName> -o yaml
    • Note down the namespace and labels of the affected pod.
  2. Create a Kubernetes manifest file to delete the affected pod(s) and prevent further injection:
    • Create a YAML file (e.g., remediation.yaml) with the following content: 
      apiVersion: v1
kind: Pod
metadata:
  namespace: <namespace>
  labels:
    <labels>
spec:
  restartPolicy: Never
  containers:
  - name: remediation-container
    image: alpine:latest
    command: ["sh", "-c", "sleep 10"]
    • Replace <namespace> with the namespace of the affected pod(s).
    • Replace <labels> with the labels of the affected pod(s).
    • This manifest creates a temporary pod that sleeps for 10 seconds and then terminates. This will effectively delete the affected pod(s) and prevent further injection.
  3. Apply the remediation manifest to the cluster:
    • Use the Kubernetes API to apply the remediation manifest: kubectl apply -f remediation.yaml
    • Verify that the remediation pod is created and completes successfully: kubectl get pod -l=app=remediation-container
    • Monitor the cluster to ensure that the affected pod(s) are deleted and no new injection occurs: kubectl get pod -n <namespace>