A Kubernetes user was assigned cluster administrator permissions
Set up the Kubernetes integration.
Goal
Identify when a Kubernetes user is assigned cluster-level administrative permissions.
Strategy
This rule monitors when a ClusterRoleBinding object is created to bind a Kubernetes user to the cluster-admin default cluster-wide role. This effectively grants the referenced user full administrator permissions over the entire Kubernetes cluster.
Triage and response
- Determine if the Kubernetes user referenced in `@requestObject.subjects` is expected to have been granted administrator permissions on the cluster.
- Determine if the actor (`@usr.id`) is authorized to assign administrator permissions.
- Use the Cloud SIEM User Investigation dashboard to review any user actions that may have occurred after the potentially malicious action.
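The detection logic from the Strategy section and the two fields the triage steps rely on (the bound subjects and the acting user) can be reproduced against raw Kubernetes API server audit events. The following is an added example, not Datadog's own detection query or code: it scans audit-log JSON lines for a `create` of a `clusterrolebindings` object whose `roleRef` is the `cluster-admin` ClusterRole and which names at least one `User` subject, and returns the actor, the binding name and the bound users for triage. The audit events are constructed samples; the function and finding-field names are assumptions of this example.

```python
import json

CLUSTER_ADMIN_ROLE = "cluster-admin"

# Constructed sample audit events in the audit.k8s.io/v1 shape (not real log data).
# Each is serialised as one JSON line, as an audit webhook or log file would emit.
SAMPLE_AUDIT_LOG = [json.dumps(e) for e in [
    {   # 1: user bound to cluster-admin, request succeeded -> should be flagged
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "create", "user": {"username": "bob@example.com"},
        "objectRef": {"resource": "clusterrolebindings", "name": "alice-admin",
                      "apiGroup": "rbac.authorization.k8s.io"},
        "requestObject": {"metadata": {"name": "alice-admin"},
                          "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                          "subjects": [{"kind": "User", "name": "alice"}]},
        "responseStatus": {"code": 201},
    },
    {   # 2: same request, RequestReceived stage -> skipped to avoid double counting
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "RequestReceived",
        "verb": "create", "user": {"username": "bob@example.com"},
        "objectRef": {"resource": "clusterrolebindings", "name": "alice-admin"},
        "requestObject": {"metadata": {"name": "alice-admin"},
                          "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                          "subjects": [{"kind": "User", "name": "alice"}]},
    },
    {   # 3: binding to the read-only "view" role -> not flagged
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "create", "user": {"username": "bob@example.com"},
        "objectRef": {"resource": "clusterrolebindings", "name": "carol-view"},
        "requestObject": {"metadata": {"name": "carol-view"},
                          "roleRef": {"kind": "ClusterRole", "name": "view"},
                          "subjects": [{"kind": "User", "name": "carol"}]},
        "responseStatus": {"code": 201},
    },
    {   # 4: cluster-admin binding attempted by an unauthorized actor, denied (403)
        #    -> still flagged so triage sees the attempt, with the response code kept
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "create", "user": {"username": "dave"},
        "objectRef": {"resource": "clusterrolebindings", "name": "dave-admin"},
        "requestObject": {"metadata": {"name": "dave-admin"},
                          "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                          "subjects": [{"kind": "User", "name": "dave"}]},
        "responseStatus": {"code": 403},
    },
]]


def is_cluster_admin_user_binding(event):
    """True when the event creates a ClusterRoleBinding that grants cluster-admin
    to at least one User subject. Only the ResponseComplete stage is considered,
    since the API server emits one event per stage for the same request."""
    if event.get("stage") != "ResponseComplete" or event.get("verb") != "create":
        return False
    if event.get("objectRef", {}).get("resource") != "clusterrolebindings":
        return False
    req = event.get("requestObject") or {}
    role_ref = req.get("roleRef", {})
    if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") != CLUSTER_ADMIN_ROLE:
        return False
    return any(s.get("kind") == "User" for s in req.get("subjects", []))


def alerts_from_audit_log(lines):
    """Scan JSON audit lines and return one finding per cluster-admin user binding,
    carrying the fields the triage steps ask for: the actor and the bound users."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole scan
        if not is_cluster_admin_user_binding(event):
            continue
        req = event["requestObject"]
        findings.append({
            "actor": event.get("user", {}).get("username"),          # @usr.id
            "binding": req.get("metadata", {}).get("name"),
            "subjects": [s["name"] for s in req["subjects"]          # @requestObject.subjects
                         if s.get("kind") == "User"],
            "response_code": event.get("responseStatus", {}).get("code"),
        })
    return findings


if __name__ == "__main__":
    for f in alerts_from_audit_log(SAMPLE_AUDIT_LOG):
        print(f)
```

A denied request (HTTP 403) is reported alongside successful ones because a failed attempt to self-grant cluster-admin is at least as interesting in triage as a successful one; filter on `response_code` if only effective grants should page. The rule as described targets `User` subjects; bindings that grant cluster-admin to a `Group` or `ServiceAccount` are not matched here and need their own check.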
Changelog
- 20 September 2022 - Updated tags.
- 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
- 15 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.