Scenario #273
Security
Kubernetes v1.24, GKE

Broken Container Escape Detection

A malicious container escaped to the host through an unpatched kernel vulnerability; the escape went unnoticed because there was no runtime monitoring on the nodes.

What Happened

An unpatched kernel CVE in the cgroups subsystem allowed the attacker to break out of the container onto the node. From there they executed commands as root on the host and pivoted laterally to other nodes in the cluster.

Diagnosis Steps
1. Investigated suspicious node-level activity.
2. Detected unexpected binaries and processes running as root on the node, outside any container.
3. Correlated the activity with pods whose containers had access to the host's /proc, and with those pods' logs.
Root Cause

An outdated host kernel that was exposed to a known container-escape CVE, combined with no runtime monitoring on the nodes to surface the escape once it happened.

Fix/Workaround
• Patched all nodes to a kernel version containing the fix (on GKE this means upgrading the node pool to a newer node image, since the kernel ships with the image).
• Deployed Falco on every node to alert on anomalous syscalls, for example container processes writing to cgroup control files or root shells appearing outside any container.
Lessons Learned

Container escape is rare but possible. Plan for it: assume a kernel CVE will eventually let a workload reach the node, and make sure that when it does, the host-level activity is visible and alerted on.

How to Avoid
1. Patch the host OS, kernel included, regularly; on managed platforms such as GKE keep node auto-upgrade enabled so node images are not left behind.
2. Deploy runtime security tools such as Falco or Sysdig for syscall-level anomaly detection on every node, and route their alerts to whoever handles incidents, since detection without alerting would not have changed this outcome.
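The Falco deployment mentioned under Fix/Workaround and in step 2 above is only useful with rules that would have fired on this incident. The following rules file is an added example written for this page, not configuration from the original write-up or from the Falco project. It assumes a local rules file such as /etc/falco/falco_rules.local.yaml loaded alongside the default ruleset; the list of shells and the allowlist of parent processes that may legitimately spawn a root shell on a node are assumptions to be tuned from a baseline of normal node activity. Because the page does not name the CVE, the first rule covers the general class (a container process writing to cgroup control files, including the classic release_agent path) rather than one specific exploit.

```yaml
# Added example rules file (e.g. /etc/falco/falco_rules.local.yaml).
# Not from the original scenario; lists and allowlists below are assumptions.

- list: esc_shell_binaries
  items: [bash, sh, dash, ash, zsh, fish]

# Processes expected to spawn a root shell on a node. Assumed allowlist: build
# it from a baseline before alerting on it. Note proc.name is the kernel comm
# field, truncated to 15 characters, hence "containerd-shim" not the full name.
- list: esc_expected_node_shell_parents
  items: [sshd, systemd, cron, crond, kubelet, containerd-shim]

- macro: esc_spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir = <)

- macro: esc_open_write
  condition: (evt.type in (open, openat, openat2) and evt.is_open_write = true and fd.typechar = 'f')

- macro: esc_in_container
  condition: (container.id != host)

# Signal 1: a container process touching cgroup control files. No legitimate
# workload writes under /sys/fs/cgroup or to a release_agent file from inside a
# container; this is the cgroup breakout class the incident belonged to.
- rule: Container wrote to cgroup control file
  desc: A process inside a container opened a cgroup control file for writing
  condition: >
    esc_open_write and esc_in_container
    and (fd.name startswith /sys/fs/cgroup
         or fd.name endswith /release_agent)
  output: >
    Container process wrote to cgroup file
    (file=%fd.name command=%proc.cmdline user=%user.name
     container_id=%container.id image=%container.image.repository
     k8s_pod=%k8s.pod.name k8s_ns=%k8s.ns.name)
  priority: CRITICAL
  tags: [container, cgroup, escape]

# Signal 2: what the diagnosis found after the fact, a root shell running on the
# node itself (container.id = host) whose parent is not a known node agent.
- rule: Unexpected root shell on node
  desc: A shell ran as root outside any container with an unexpected parent process
  condition: >
    esc_spawned_process and not esc_in_container
    and proc.name in (esc_shell_binaries)
    and user.uid = 0
    and not proc.pname in (esc_expected_node_shell_parents)
  output: >
    Root shell spawned on node outside a container
    (shell=%proc.name parent=%proc.pname command=%proc.cmdline
     parent_cmdline=%proc.pcmdline user=%user.name)
  priority: CRITICAL
  tags: [host, shell, escape]
```

Validate the file with `falco -V /etc/falco/falco_rules.local.yaml` before rolling it out, and run it in alert-only mode for a while: the second rule is the one that needs tuning, because every node image has a few agents that spawn root shells, and anything missing from the allowlist will page you until it is added. The first rule should stay noisy-free; if it fires at all, treat it as a breakout attempt.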