Runtime Investigation Command Pack
Use carefully: these commands are meant to help an investigator preserve context, not to blindly alter a live environment. Prefer the read-only inventory, preservation and log commands first; the debugging commands create new pods or containers and should be used only once the original state has been captured.
Cluster and workload inventory
kubectl get pods -A -o wide
kubectl get deploy,statefulset,daemonset -A
kubectl get jobs,cronjobs -A
kubectl get nodes -o wide
Pod preservation
kubectl get pod <pod> -n <ns> -o yaml > suspect-pod.yaml
kubectl describe pod <pod> -n <ns> > suspect-pod.describe.txt
kubectl get events -n <ns> --sort-by=.lastTimestamp > suspect-events.txt
Logs
kubectl logs <pod> -n <ns> --all-containers=true > suspect-logs.txt
kubectl logs <pod> -n <ns> --all-containers=true --previous > suspect-logs-previous.txt
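The preservation and log commands above, bundled into one collection routine as an added example (not part of the original command pack): every artifact goes into a single directory together with collection metadata and a SHA-256 manifest, so the files can be checked for integrity later. It assumes kubectl is on PATH (the KUBECTL variable is a hypothetical override for testing or for passing a context), that the caller can read the target namespace, and that GNU/busybox sha256sum is available.

```shell
#!/bin/sh
# Added example: collect the pod artifacts listed above into one evidence
# directory. All kubectl calls here are read-only; nothing modifies the cluster.
# KUBECTL is a hypothetical override (e.g. KUBECTL="kubectl --context=prod").

collect_pod_evidence() {
    ns="$1"; pod="$2"
    outdir="${3:-evidence-$ns-$pod-$(date -u +%Y%m%dT%H%M%SZ)}"
    kc="${KUBECTL:-kubectl}"
    mkdir -p "$outdir" || return 1

    $kc get pod "$pod" -n "$ns" -o yaml              > "$outdir/pod.yaml"
    $kc describe pod "$pod" -n "$ns"                 > "$outdir/pod.describe.txt"
    $kc get events -n "$ns" --sort-by=.lastTimestamp > "$outdir/events.txt"
    $kc logs "$pod" -n "$ns" --all-containers=true   > "$outdir/logs.txt"

    # --previous fails when no container has restarted; keep the error text
    # as part of the record instead of aborting the whole collection.
    if ! $kc logs "$pod" -n "$ns" --all-containers=true --previous \
            > "$outdir/logs-previous.txt" 2> "$outdir/logs-previous.err"; then
        echo "note: no previous container logs (see logs-previous.err)" >&2
    fi

    # Collection metadata: when, by whom, and against which context.
    {
        echo "collected_at=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "collected_by=$(id -un)"
        echo "namespace=$ns"
        echo "pod=$pod"
        echo "context=$($kc config current-context 2>/dev/null || echo unknown)"
    } > "$outdir/collection.txt"

    # Integrity manifest over every artifact except the manifest itself.
    (cd "$outdir" && sha256sum pod.yaml pod.describe.txt events.txt logs.txt \
        logs-previous.txt logs-previous.err collection.txt > SHA256SUMS)
    printf '%s\n' "$outdir"
}

# Returns non-zero if any collected file no longer matches the manifest.
verify_pod_evidence() {
    (cd "$1" && sha256sum -c SHA256SUMS > /dev/null)
}
```

Run as `collect_pod_evidence <ns> <pod>` and later `verify_pod_evidence <dir>` before relying on the files; keep the directory on write-protected or separately hashed storage once collected.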
Identity and access scope
kubectl get sa <service-account> -n <ns> -o yaml
kubectl auth can-i --as=system:serviceaccount:<ns>:<service-account> --list -n <ns>
kubectl get rolebinding,clusterrolebinding -A | grep -E '<service-account>|<ns>'
Safe debugging
kubectl debug <pod> -n <ns> -it --image=busybox --target=<container>
kubectl debug <pod> -n <ns> -it --copy-to=<pod>-debug --image=ubuntu
kubectl debug node/<node> -it --image=busybox
Node-level examples
# run from the shell opened by the node debug command above; tool availability varies by distro and container runtime
chroot /host
crictl ps
crictl inspect <container-id>
crictl images
ps auxf
ss -plant
journalctl --since '2 hours ago'