Container and Kubernetes Incident Response
Container environments require specialized incident-response approaches, because a container's writable layer and logs disappear with the container and network isolation is handled by the orchestrator rather than the host:
Container Forensics:
# Save container for analysis (snapshots the writable layer as an image; process memory is not captured)
docker commit suspicious-container incident-image
docker save incident-image > container_evidence.tar
# Inspect container filesystem (files added, changed or deleted relative to the original image)
docker diff suspicious-container
# Extract container logs (2>&1 keeps the container's stderr, which docker logs emits on stderr)
docker logs suspicious-container > container_logs.txt 2>&1
# In Kubernetes, --previous retrieves logs of the prior container instance after a crash or restart
kubectl logs pod-name -n namespace --previous
Kubernetes Incident Response:
# Network Policy for isolation: selecting both policy types with no ingress or
# egress rules denies all traffic to and from pods labelled quarantine=true
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: isolate-compromised-pod
spec:
  podSelector:
    matchLabels:
      quarantine: "true"
  policyTypes:
  - Ingress
  - Egress
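Because NetworkPolicies are additive, the quarantine policy above only fully isolates a pod if no other policy selecting that pod allows traffic, and omitting `policyTypes` leaves egress open. The following checker is an added example (not from the original article) that models these two rules; it assumes `matchLabels` selectors only, and all policies and labels in it are constructed sample data.

```python
# Added example, not from the original article: decides whether a pod is fully
# isolated by the set of NetworkPolicies that select it (matchLabels only).
# All policies and labels below are constructed sample data.

def effective_policy_types(spec):
    # Explicit policyTypes win; otherwise Kubernetes defaults to Ingress and
    # adds Egress only when an egress section is present in the spec.
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def selects_pod(spec, pod_labels):
    # Every matchLabels entry must match; an empty podSelector selects all pods.
    match = spec.get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in match.items())

def isolation_status(policies, pod_labels):
    """Return {'ingress_denied': bool, 'egress_denied': bool} for one pod.
    A direction is fully denied only if at least one policy governs it and
    none of the governing policies lists a rule for it (rules are allow-lists)."""
    status = {}
    for direction, key in (("Ingress", "ingress"), ("Egress", "egress")):
        governing = [p["spec"] for p in policies
                     if selects_pod(p["spec"], pod_labels)
                     and direction in effective_policy_types(p["spec"])]
        status[key + "_denied"] = bool(governing) and not any(s.get(key) for s in governing)
    return status

# Constructed: the article's quarantine policy (both directions denied).
QUARANTINE = {"kind": "NetworkPolicy", "metadata": {"name": "isolate-compromised-pod"},
              "spec": {"podSelector": {"matchLabels": {"quarantine": "true"}},
                       "policyTypes": ["Ingress", "Egress"]}}

# Constructed: the same policy with policyTypes omitted, so only ingress is cut.
QUARANTINE_NO_TYPES = {"kind": "NetworkPolicy", "metadata": {"name": "isolate-compromised-pod"},
                       "spec": {"podSelector": {"matchLabels": {"quarantine": "true"}}}}

# Constructed: a pre-existing policy allowing ingress to app=web pods. Policies
# are additive, so it re-opens ingress to a quarantined web pod.
ALLOW_WEB = {"kind": "NetworkPolicy", "metadata": {"name": "allow-web-ingress"},
             "spec": {"podSelector": {"matchLabels": {"app": "web"}},
                      "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "ingress"}}}]}]}}

POD_LABELS = {"app": "web", "quarantine": "true"}  # constructed compromised pod

if __name__ == "__main__":
    print(isolation_status([QUARANTINE, ALLOW_WEB], POD_LABELS))
    # → {'ingress_denied': False, 'egress_denied': True}
```

Run the check against every policy in the pod's namespace (`kubectl get networkpolicy -n namespace -o json`) rather than the quarantine policy alone; enforcement also requires a CNI plugin that implements NetworkPolicy, otherwise the object is accepted but has no effect.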