LoFP / Legitimate kubelet debugging, node troubleshooting, or security tooling that uses the node proxy outside the excluded monitoring endpoints may match. Baseline approved operators and automation identities before tuning the exclusion list.

Techniques

Sample rules

Kubernetes API Server Proxying Request to Kubelet

Description

Detects non-system identities using the Kubernetes nodes/proxy API to proxy requests through the API server directly to a node’s Kubelet. The nodes/proxy subresource allows any principal with this RBAC permission to reach the Kubelet API on any worker node without needing direct network access or Kubelet TLS certificates. Through this proxy path, an attacker can list all pod specifications including environment variable secrets, read Kubelet configuration and PKI material, retrieve container logs, and access running pod metadata across all workloads on the target node. Monitoring and health check endpoints such as /metrics, /healthz, and /stats are excluded to reduce noise from legitimate observability tooling.

Detection logic

kubernetes.audit.objectRef.subresource:"proxy" and
kubernetes.audit.objectRef.resource:"nodes" and
not kubernetes.audit.requestURI:(*metrics* or *healthz* or *stats/summary* or *elastic-agent* or *configz*) and
not user.name:(
  system\:kube-controller-manager or
  system\:kube-scheduler or
  system\:serviceaccount\:kube-system\:* or
  system\:node\:* or
  eks\:* or aksService
)
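Added example (not part of the rule page or its source project): the detection logic above applied in Python to constructed kube-apiserver audit events, so the effect of each exclusion can be checked offline. It assumes raw audit-schema field names (user.username, objectRef.resource, requestURI) rather than the ECS-mapped names used in the query, and the sample events are constructed, not real cluster data.

```python
import fnmatch

# Request-URI substrings the rule excludes (the *...* wildcards in the query).
EXCLUDED_URI_PATTERNS = ("*metrics*", "*healthz*", "*stats/summary*", "*elastic-agent*", "*configz*")
# Identities the rule treats as control-plane or cloud-provider traffic (trailing * = prefix).
EXCLUDED_USERS = (
    "system:kube-controller-manager",
    "system:kube-scheduler",
    "system:serviceaccount:kube-system:*",
    "system:node:*",
    "eks:*", "aksService",
)

def _matches_any(value: str, patterns) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def rule_matches(event: dict) -> bool:
    """True when an audit event satisfies the nodes/proxy detection logic above."""
    obj = event.get("objectRef", {})
    if obj.get("resource") != "nodes" or obj.get("subresource") != "proxy":
        return False                      # only proxied requests to a node's Kubelet
    if _matches_any(event.get("requestURI", ""), EXCLUDED_URI_PATTERNS):
        return False                      # monitoring/health paths are excluded as noise
    if _matches_any(event.get("user", {}).get("username", ""), EXCLUDED_USERS):
        return False                      # system and cloud-provider identities excluded
    return True

def evaluate(events):
    """Return (username, requestURI) for every event that fires the rule."""
    return [(e["user"]["username"], e["requestURI"]) for e in events if rule_matches(e)]

# Constructed sample audit events (hypothetical users, node names and URIs).
SAMPLE_EVENTS = [
    {"user": {"username": "system:serviceaccount:kube-system:metrics-server"},
     "objectRef": {"resource": "nodes", "subresource": "proxy", "name": "worker-1"},
     "requestURI": "/api/v1/nodes/worker-1/proxy/stats/summary"},   # excluded user and URI
    {"user": {"username": "jane@example.com"},
     "objectRef": {"resource": "nodes", "subresource": "proxy", "name": "worker-1"},
     "requestURI": "/api/v1/nodes/worker-1/proxy/metrics"},         # excluded monitoring URI
    {"user": {"username": "jane@example.com"},
     "objectRef": {"resource": "nodes", "subresource": "proxy", "name": "worker-1"},
     "requestURI": "/api/v1/nodes/worker-1/proxy/pods"},            # fires: pod specs via Kubelet
    {"user": {"username": "system:node:worker-1"},
     "objectRef": {"resource": "nodes", "subresource": "proxy", "name": "worker-1"},
     "requestURI": "/api/v1/nodes/worker-1/proxy/pods"},            # excluded node identity
    {"user": {"username": "jane@example.com"},
     "objectRef": {"resource": "pods", "subresource": "log", "name": "app-0"},
     "requestURI": "/api/v1/namespaces/default/pods/app-0/log"},    # not a nodes/proxy call
]
```

Only the third event fires; the others show each exclusion branch. Any identity you add to EXCLUDED_USERS in production should come from the baseline of approved operators mentioned at the top of this page.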