I think it's a bit disappointing how unsophisticated these cryptominer attackers are. If you have the ability to spawn arbitrary Docker containers, you can get root privileges on the host -- which would make tools like this one (which as far as I can tell only measures container network traffic) useless.
The real solution is to stop exposing access to Docker (or Kubernetes without any RBAC rules) to the open internet.
I agree that appropriate configuration/policy management is part of the solution for preventing these attacks on Kubernetes, but our view is that monitoring also plays an important role.
I should've said "limited in usefulness for detecting moderately-clever attackers" rather than just flat-out "useless". Monitoring is obviously a useful tool regardless of whether it will always help you detect attackers in your network. You could use nf_conntrack on the host as well but that could also be bypassed by a root process on the host.
The real solution is to stop exposing access to Docker (or Kubernetes without any RBAC rules) to the open internet.