Runtime Protection
Kupe Cloud monitors every running workload for runtime security threats. You do not need to install anything. Results appear in your console under Security > Runtime.
What’s Monitored
| Threat | What It Detects | Action |
|---|---|---|
| Container escape | Processes attempting to break out of container isolation | Blocked — process terminated immediately |
| Reverse shell | Shell processes making outbound network connections | Detected and alerted |
| Privilege escalation | Processes changing user/group identity to gain elevated access | Detected and alerted |
| Sensitive file access | Access to password files, Kubernetes secrets, or certificates | Detected and alerted |
| Capability abuse | Processes granting themselves dangerous Linux capabilities | Detected and alerted |
| Host access | Containers accessing host infrastructure paths | Detected and alerted |
Container escapes are the only threat currently enforced (blocked). All other threats are detected — the platform logs the event and surfaces it in the console, but does not terminate the process. This avoids false positives disrupting legitimate workloads while still giving you visibility.
Viewing Runtime Events
Navigate to Security > Runtime in the console sidebar. The Runtime page shows:
- Detection type — what was detected (e.g., “Reverse Shell”, “Privilege Escalation”)
- Severity — critical or warning
- Event count — how many times this was detected in the last 24 hours
- Action — whether the platform blocked the process or only detected it
If the page shows “No runtime security events in the last 24 hours”, your workloads have not triggered any security detections — this is the expected state for healthy applications.
How It Works
Kupe continuously monitors workload activity and matches it against known runtime threat patterns. When a threat is detected, Kupe takes action:
- Container escapes are stopped immediately before the escape can succeed. Your container will see the offending process terminated with a signal.
- Other threats are logged and appear in the console within minutes. Your workload continues running — the detection is informational.
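The detect-then-act flow just described, as an added reference model (example code, not Kupe's implementation): each observed process event is matched against the six detection types from the table, only container escapes are marked as blocked, and events are counted per type over the 24-hour window the Runtime page shows. The event fields, path lists, shell names and matching rules are assumptions, and the sample events are constructed.

```python
# Added example, not Kupe's code: a reference model of the detect-then-act
# flow described above. Event fields, path lists and rules are assumptions.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
SENSITIVE = ("/etc/shadow", "/var/run/secrets/kubernetes.io/serviceaccount/")
HOST_PATHS = ("/host/", "/proc/1/root/")  # assumed host infrastructure mounts
SHELLS = {"sh", "bash", "dash", "zsh"}
ENFORCED = {"Container escape"}  # the only threat the page says is blocked

@dataclass
class ProcessEvent:  # one observation of a process inside a workload
    ts: datetime
    comm: str
    uid_before: int = 1000
    uid_after: int = 1000
    outbound_connect: bool = False
    opened_paths: tuple = ()
    new_capabilities: tuple = ()
    escaped_namespace: bool = False

def classify(ev):
    """Map one event to a detection type from the table, or None if benign."""
    if ev.escaped_namespace:
        return "Container escape"
    if ev.comm in SHELLS and ev.outbound_connect:
        return "Reverse shell"
    if ev.uid_before != 0 and ev.uid_after == 0:
        return "Privilege escalation"
    if any(p.startswith(SENSITIVE) for p in ev.opened_paths):
        return "Sensitive file access"
    if ev.new_capabilities:
        return "Capability abuse"
    if any(p.startswith(HOST_PATHS) for p in ev.opened_paths):
        return "Host access"
    return None

def runtime_summary(events, now):
    """Aggregate like the Runtime page: count per type over the last 24 h."""
    recent = (classify(ev) for ev in events if ev.ts >= now - timedelta(hours=24))
    return {t: {"count": n, "action": "Blocked" if t in ENFORCED else "Detected"}
            for t, n in Counter(t for t in recent if t).items()}
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)  # constructed clock
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    ProcessEvent(NOW - timedelta(minutes=5), "bash", outbound_connect=True),
    ProcessEvent(NOW - timedelta(hours=1), "su", uid_after=0),
    ProcessEvent(NOW - timedelta(hours=2), "python3", opened_paths=("/etc/shadow",)),
    ProcessEvent(NOW - timedelta(hours=3), "python3", opened_paths=("/etc/shadow",)),
    ProcessEvent(NOW - timedelta(hours=4), "unknown-bin", escaped_namespace=True),
    ProcessEvent(NOW - timedelta(hours=30), "sh", outbound_connect=True),  # outside window
]
```

Running `runtime_summary(SAMPLE_EVENTS, NOW)` yields four detection types: the container escape is the only one reported as Blocked, the two /etc/shadow reads collapse into one row with an event count of 2, and the 30-hour-old reverse shell falls outside the window.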
What You Should Do
Check the Runtime page periodically, especially after deploying new workloads or third-party images.
| Event Type | Recommended Action |
|---|---|
| Container escape (blocked) | Investigate immediately. Something in your container attempted to break out of isolation. Check the image for compromise. |
| Reverse shell | Critical — a process in your container is making outbound connections from a shell. Likely indicates compromise. Investigate the affected pod and image. |
| Privilege escalation | Check if your application legitimately needs to change user identity. If not, the image may contain unexpected binaries. |
| Sensitive file access | Verify your application needs access to the reported file. Access to /etc/shadow or service account tokens from application code is unusual. |
| Capability abuse | Review your container’s security context. Applications should not need to grant themselves additional Linux capabilities at runtime. |
Enforcement Policy
Container escape attempts are the only runtime threat currently blocked by the platform. Other detections operate in monitoring mode to avoid false positives interrupting healthy workloads. Additional threats may be promoted to enforcement over time.
Runtime protection is enabled on managed clusters.
Related
- Vulnerability Scanning — CVE scanning, compliance, and SBOMs
- Cluster Policies — admission-time policy enforcement
- Container Security — security context requirements