---
title: Kubernetes Pod Created in Kube Namespace
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Kubernetes Pod Created in Kube
  Namespace
---

# Kubernetes Pod Created in Kube Namespace
Classification:attackTactic:[TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004)Technique:[T1068-exploitation-for-privilege-escalation](https://attack.mitre.org/techniques/T1068) 
## Goal{% #goal %}

Detect when a user is creating a pod in one of the Kubernetes default namespaces.

## Strategy{% #strategy %}

This rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) within either of the `kube-system` or `kube-public` namespaces.

The only users creating pods in the `kube-system` namespace should be cluster administrators. Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.

The `kube-public` namespace is intended for Kubernetes objects which should be readable by unauthenticated users. Thus, a pod should likely not be created in the `kube-public` namespace.

## Triage and response{% #triage-and-response %}

Determine if the user should be creating this new pod in one of the default namespaces.

## Changelog{% #changelog %}

- 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
- 16 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.