How to execute Incident Response script on Kubernetes node using EDR agent in a privileged pod.

Jakub Jóźwicki
1 min read · Apr 28, 2022

Incident response on an AWS EC2 instance is easy: you have remote access, so you just execute the incident response script. What about an EC2 instance hosting a Kubernetes node, where there is no remote access to the host OS? We can use a privileged pod with the host filesystem mounted.

#!/bin/bash
## Count containerd shim processes; the [/] trick stops grep from matching its own command line
CONTAINERD=$(ps aux | grep -c "[/]usr/bin/containerd-shim-runc-v2")
INSIDE_PRIV_CONTAINER=0
[ "$CONTAINERD" -gt 0 ] && [ ! -f /usr/bin/containerd-shim-runc-v2 ] && INSIDE_PRIV_CONTAINER=1
## If we see container processes, but the binary is not present
## on fs - it means that we are in a container
echo "InsidePrivilegedContainer=$INSIDE_PRIV_CONTAINER"
MODE=$1
if [ "$INSIDE_PRIV_CONTAINER" -gt 0 ]; then
  COOKIE=$(dd if=/dev/random bs=32 count=1 status=none | sha1sum -b | cut -d" " -f1)
  mkdir "/root/$COOKIE"
  ## We created a unique directory here
  ## Having access to the host fs we are going to find our container
  MYDIR=$(find /host/var/lib -name "$COOKIE" -type d 2>/dev/null | tail -n 1)
  echo "Doing inception into $MYDIR, will chroot there"
  ## Strip the leading /host so the path is valid after the chroot
  MYDIR=${MYDIR:5}
  ## Copy this very script into the directory so it is reachable from the host side
  cat "$0" > "/root/$COOKIE/ir.sh"
  ## We need to have access to /proc/kcore on host
  ## which is /host/proc/kcore
  ## We change root just for IR script and execute it
  chroot /host /bin/bash -c "chmod +x $MYDIR/ir.sh; $MYDIR/ir.sh $MODE"
  exit 0
fi
... usual actions

Should an EDR detect the container escape in the script above? Definitely. Scripts executed by the EDR itself should be whitelisted.
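As an added example (not code from the post), here is that closing point expressed as a detection check: given a pod spec and a command observed inside one of its containers, a chroot into a hostPath mount of the host root is flagged as an escape unless the container image is the allowlisted EDR agent. The pod spec, image name and allowlist below are constructed placeholders, not real telemetry.

```python
import re

# Constructed pod spec (subset of `kubectl get pod -o json`) mirroring the setup
# in the post: privileged container with the host root mounted at /host.
SAMPLE_POD = {
    "metadata": {"name": "edr-agent-x7k2p", "namespace": "security"},
    "spec": {
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "agent",
            "image": "registry.example/edr-agent:1.0",   # placeholder image
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host-root", "mountPath": "/host"}],
        }],
    },
}
# Images whose chroot into the host root is expected (the EDR agent). Placeholder.
EDR_ALLOWLIST = {"registry.example/edr-agent"}

def image_repo(image):
    """Drop a :tag or @digest from an image reference (keeps registry:port)."""
    name = image.split("@", 1)[0]
    colon = name.rfind(":")
    return name[:colon] if colon > name.rfind("/") else name

def host_mounts(pod, container):
    """Map each container mountPath -> host path, for hostPath volumes only."""
    vols = {v["name"]: v["hostPath"]["path"]
            for v in pod["spec"].get("volumes", []) if "hostPath" in v}
    return {vm["mountPath"].rstrip("/") or "/": vols[vm["name"]]
            for vm in container.get("volumeMounts", []) if vm["name"] in vols}

def is_privileged(container):
    return bool(container.get("securityContext", {}).get("privileged", False))

def classify_exec(pod, container_name, cmdline, allowlist=EDR_ALLOWLIST):
    """Classify a command seen in the container:
    'benign', 'allowlisted-ir', 'escape' or 'escape-privileged'."""
    c = next(c for c in pod["spec"]["containers"] if c["name"] == container_name)
    m = re.match(r"\s*chroot\s+(\S+)", cmdline)
    if not m:
        return "benign"
    target = m.group(1).rstrip("/") or "/"
    if host_mounts(pod, c).get(target) != "/":
        return "benign"          # a chroot, but not into a hostPath of "/"
    if image_repo(c["image"]) in allowlist:
        return "allowlisted-ir"  # the EDR's own IR script, as the post argues
    return "escape-privileged" if is_privileged(c) else "escape"
```

Only full host-root mounts are matched here; a narrower hostPath (say /var/lib) still deserves review but is not the pattern the script above relies on.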
