One day I came up with the idea to check all pods/containers in my k8s cluster for malicious activity.
For this purpose I wrote a simple operator that runs the `ps` command on each node, searches the output for known process names (e.g. xmrig, miner), and, if such a process is found, records that node in the result.
Of course the approach is quite naive; it's just a POC. A production-grade solution would attach an eBPF program to the cgroup associated with the group of target pods.
https://github.com/Zensey/process-scanner-operator
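As an added example (not the operator's own code), here is the node-side check described above in Go: it parses `ps` output and reports each process whose name or command line contains one of the known names. The `ps` column layout, the indicator list and the sample output are all constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one process whose name or command line matched an indicator.
type Finding struct {
	PID, User, Comm, Args, Matched string
}

// DefaultIndicators holds the example names from the post (xmrig, miner);
// assumed starting list, to be extended per environment.
var DefaultIndicators = []string{"xmrig", "miner"}

// ScanPS scans output in the assumed layout of `ps -eo pid,user,comm,args`
// and returns every process whose comm or args contains an indicator
// (case-insensitive). A header line, if present, is skipped.
func ScanPS(psOutput string, indicators []string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(psOutput, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 3 || fields[0] == "PID" {
			continue // blank line or header
		}
		pid, user, comm := fields[0], fields[1], fields[2]
		args := strings.Join(fields[3:], " ") // args may contain spaces
		hay := strings.ToLower(comm + " " + args)
		for _, ind := range indicators {
			if strings.Contains(hay, strings.ToLower(ind)) {
				findings = append(findings, Finding{pid, user, comm, args, ind})
				break // one finding per process is enough
			}
		}
	}
	return findings
}

// samplePS is constructed sample output, not captured from a real node.
const samplePS = `PID USER COMM ARGS
1 root systemd /sbin/init
4242 nobody xmrig /tmp/.x/xmrig --config=/tmp/.x/config.json
5150 app node node /app/server.js
`

func main() {
	for _, f := range ScanPS(samplePS, DefaultIndicators) {
		fmt.Printf("pid=%s user=%s comm=%s matched=%q\n", f.PID, f.User, f.Comm, f.Matched)
	}
}
```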