A Kubernetes user was assigned cluster administrator permissions

kubernetes

Classification:

attack

Tactic:

TA0004-privilege-escalation

Set up the kubernetes integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Identify when a Kubernetes user is assigned cluster-level administrative permissions.

Strategy

This rule monitors when a ClusterRoleBinding object is created to bind a Kubernetes user to the cluster-admin default cluster-wide role. This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.

Triage and response

  1. Determine if the Kubernetes user referenced in @requestObject.subjects is expected to have been granted administrator permissions on the cluster
  2. Determine if the actor (@usr.id) is authorized to assign administrator permissions
  3. Use the Cloud SIEM User Investigation dashboard to review any user actions that may have occurred after the potentially malicious action.

Changelog

  • 20 September 2022 - Updated tags.
  • 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
  • 15 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.
PREVIEWING: andrea.moscatelli/clarify-argocd-notifications-service