The following Kubernetes alerts are available:
| Event Generated by Rule | Description | Default Severity |
|---|---|---|
| New K8 Cluster | Detects a new K8 cluster launched. | Medium |
| New K8 Namespace | Detects a new K8 namespace launched from a K8 cluster. | High |
| New K8 Pod | Detects a new K8 pod launched from a K8 namespace. | Medium |
Lacework uses the Kubernetes cluster name and namespace as well as the Lacework pod_type to determine when to generate launch alerts.
Additional details about conditions for generating alerts:
- New cluster—Launching a new cluster.
- New namespace—Launching a new namespace.
- New pod—Launching a new pod_type.
Restarting a deleted pod does not generate a new pod alert if the pod_type remains the same.
The pod name and ID are not considered.
You can choose to suppress Kubernetes launch alerts. For more information, see Suppress Behavior Anomaly Alerts.