# neuvector-security
Zero-drift may help, assuming it is picking up what’s in the deployments.
Hi @quaint-candle-18606, thanks for your reply. I am talking about the policy group "nodes", not any deployments/pods. The 'nodes' group is automatically learned by NeuVector and contains all the worker nodes. I switched it to 'monitor' mode, but I cannot enable Zero Drift (on another cluster I can enable Zero Drift, so there might be some restriction on that cluster, because the NeuVector config is identical). Once in a while a new process is run and I add it manually. I also see network rules created for things running on the node (outside containers). Also puzzling is the process name '5' with path '/usr/sbin/runc' (another learned rule says 'runc' with path '/usr/sbin/runc'). I am just wondering whether I should set this policy group to discover and ignore it, or whether there is a real benefit to monitoring node processes. Sure, if someone is messing with the node, I would notice and could ask the responsible person to investigate (most likely it was them anyway).