Container and Kubernetes Incident Response

Containers are short-lived, share the host kernel, and are replaced by their controller when they die, so incident response has to capture evidence before a container is deleted or a pod is rescheduled, and isolation is done at the orchestrator layer rather than on the host:

Container Forensics:

# Freeze the container's writable layer as an image and export it
# (the container keeps running; do not stop or delete it before this step)
docker commit suspicious-container incident-image
docker save incident-image > container_evidence.tar

# List files added (A), changed (C) or deleted (D) relative to the base image
docker diff suspicious-container

# Extract container logs (stderr included); --previous returns the log of the
# last terminated instance of the pod's container, i.e. what remains after a
# crash or restart
docker logs suspicious-container > container_logs.txt 2>&1
kubectl logs pod-name -n namespace --previous

Kubernetes Incident Response:

# Network Policy for isolation: listing both policyTypes while defining no
# ingress or egress rules denies all traffic to and from the selected pods.
# The pod must carry the quarantine=true label, and the cluster's CNI plugin
# must enforce NetworkPolicy, otherwise this object has no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: isolate-compromised-pod
spec:
  podSelector:
    matchLabels:
      quarantine: "true"
  policyTypes:
  - Ingress
  - Egress
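
As an added example, not code from the original page, the following script ties the two procedures above together: it renders the quarantine policy with an explicit namespace, labels and isolates a pod while preserving its spec, events and logs, exports a suspect container together with SHA-256 hashes of the evidence, and triages `docker diff` output for paths commonly touched by attackers. The `DOCKER`/`KUBECTL` overrides (which allow a dry run with `DOCKER=echo`), the evidence file layout, the use of GNU `sha256sum`, and the triage path list are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the original page. Assumptions: DOCKER/KUBECTL
# can be overridden (dry-run with DOCKER=echo KUBECTL=echo), GNU coreutils
# sha256sum is available, and the triage path list is a starting point only.
set -eu

DOCKER=${DOCKER:-docker}
KUBECTL=${KUBECTL:-kubectl}

# Deny-all NetworkPolicy for pods labelled quarantine=true in NAMESPACE.
# Both policyTypes with no ingress/egress rules blocks all traffic; it only
# takes effect if the cluster's CNI enforces NetworkPolicy.
render_quarantine_policy() {
  local ns=$1
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: isolate-compromised-pod
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      quarantine: "true"
  policyTypes:
  - Ingress
  - Egress
EOF
}

# Quarantine NAMESPACE/POD: label it so the policy selects it, apply the
# policy, then capture spec, events and logs (current and previous instance)
# into OUTDIR. The pod is never deleted: deletion destroys its filesystem,
# and its Deployment would simply start a clean replacement.
quarantine_pod() {
  local ns=$1 pod=$2 outdir=$3
  mkdir -p "$outdir"
  $KUBECTL label pod "$pod" -n "$ns" quarantine=true --overwrite
  render_quarantine_policy "$ns" | $KUBECTL apply -n "$ns" -f -
  $KUBECTL get pod "$pod" -n "$ns" -o yaml > "$outdir/$pod.pod.yaml"
  $KUBECTL get events -n "$ns" --field-selector "involvedObject.name=$pod" \
    > "$outdir/$pod.events.txt"
  $KUBECTL logs "$pod" -n "$ns" --all-containers \
    > "$outdir/$pod.logs.txt" 2>&1 || true
  $KUBECTL logs "$pod" -n "$ns" --all-containers --previous \
    > "$outdir/$pod.logs.previous.txt" 2>&1 || true
}

# Preserve CONTAINER: commit its writable layer to a timestamped image, export
# it, save config, changed-file list and logs, then hash everything so the
# evidence can later be verified with `sha256sum -c`. Image repository names
# must be lowercase, so the container name is lowercased for the tag.
preserve_container() {
  local container=$1 outdir=$2 image
  image="evidence-$(printf '%s' "$container" | tr 'A-Z' 'a-z'):$(date -u +%Y%m%d-%H%M%S)"
  mkdir -p "$outdir"
  $DOCKER commit "$container" "$image"
  $DOCKER save "$image" > "$outdir/$container.tar"
  $DOCKER inspect "$container" > "$outdir/$container.inspect.json"
  $DOCKER diff "$container" > "$outdir/$container.diff.txt"
  $DOCKER logs "$container" > "$outdir/$container.logs.txt" 2>&1
  (cd "$outdir" && sha256sum "$container.tar" "$container.inspect.json" \
      "$container.diff.txt" "$container.logs.txt") > "$outdir/$container.sha256"
}

# Triage `docker diff` output from stdin (A=added, C=changed, D=deleted):
# keep only entries under paths commonly used for persistence, credential
# theft or payload staging. Assumed list; extend it for your own images.
triage_diff() {
  grep -E '^[ACD] /(etc/(passwd|shadow|sudoers|cron[^/]*|ld\.so\.preload|profile[^/]*|rc\.local)|root/\.ssh|home/[^/]+/\.ssh|tmp|dev/shm|var/spool/cron|usr/(local/)?s?bin)(/|$)' || true
}

# Usage: sh ir.sh quarantine NAMESPACE POD OUTDIR
#        sh ir.sh preserve CONTAINER OUTDIR
#        docker diff CONTAINER | sh ir.sh triage
case "${1:-}" in
  quarantine) quarantine_pod "$2" "$3" "$4" ;;
  preserve)   preserve_container "$2" "$3" ;;
  triage)     triage_diff ;;
esac
```

Two caveats on the quarantine step: the `quarantine=true` label alone leaves the pod in its Service's endpoints, so to stop it receiving traffic while keeping it for analysis also remove the label the Service and ReplicaSet select on (the ReplicaSet then creates a replacement and the original pod is orphaned but not deleted); and `docker commit`/`docker save` preserve the filesystem only, not process memory, which has to be captured separately while the container is still running.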