This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Someone created a static Pod in your GKE cluster.
Static Pods run directly on the node and bypass the Kubernetes API server,
which makes them more difficult to monitor and control. This could be used by
attackers to evade detection or maintain persistence.
How to respond
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
To respond to this finding, do the following:
1. Review the static Pod's manifest file and its purpose. Verify that it is
   legitimate and necessary.
2. Evaluate if the static Pod's functionality can be achieved through a
   regular Pod managed by the Kubernetes API server.
3. If the static Pod is required, ensure that it follows security best
   practices and has minimal privileges.
4. Monitor the static Pod's activity and its impact on your cluster.
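
The following is an added example, not part of the original page or of Security Command Center, that supports the review and minimal-privilege steps above. It reads Pod list JSON in the shape produced by `kubectl get pods -A -o json`, picks out mirror Pods (the objects the kubelet creates in the API server to represent static Pods, marked with the `kubernetes.io/config.mirror` annotation), and lists the host-level privileges each one requests. The sample data, Pod names, and the selection of settings treated as risky are assumptions made for illustration.

```python
import json

MIRROR_ANNOTATION = "kubernetes.io/config.mirror"  # set by the kubelet on mirror Pods
SOURCE_ANNOTATION = "kubernetes.io/config.source"  # "file" or "http" for static Pods

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "web-7d9f", "namespace": "default", "annotations": {}},
     "spec": {"nodeName": "node-a", "containers": [{"name": "web", "image": "nginx"}]}},
    {"metadata": {"name": "helper-node-b", "namespace": "default",
                  "annotations": {MIRROR_ANNOTATION: "constructed-hash", SOURCE_ANNOTATION: "file"}},
     "spec": {"nodeName": "node-b", "hostNetwork": True, "hostPID": True,
              "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
              "containers": [{"name": "helper", "image": "example.invalid/helper:1",
                              "securityContext": {"privileged": True}}]}},
]})

def risky_settings(spec):
    """Return the host-level privileges a Pod spec requests (illustrative selection)."""
    risks = [f for f in ("hostNetwork", "hostPID", "hostIPC") if spec.get(f)]
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            risks.append("hostPath:" + vol["hostPath"].get("path", "?"))
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            risks.append("privileged:" + c["name"])
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            risks.append(f"cap:{cap}:{c['name']}")
    return risks

def audit_static_pods(pod_list_json):
    """List mirror Pods (the API-side view of static Pods) with their risky settings."""
    report = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta, spec = pod["metadata"], pod.get("spec", {})
        ann = meta.get("annotations") or {}
        if MIRROR_ANNOTATION not in ann:
            continue  # regular Pod managed through the API server
        report.append({"pod": f"{meta.get('namespace')}/{meta['name']}",
                       "node": spec.get("nodeName"),
                       "source": ann.get(SOURCE_ANNOTATION, "unknown"),
                       "risks": risky_settings(spec)})
    return report

if __name__ == "__main__":
    for row in audit_static_pods(SAMPLE):
        print(row)
```

A mirror Pod only reflects the manifest the kubelet loaded on the node, so the manifest file on the reported node remains the source of truth when you review the Pod's purpose.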
Last updated 2025-09-04 UTC.