<  Back to rules search

A Kubernetes user was assigned cluster administrator permissions





Set up the kubernetes integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.


Identify when a Kubernetes user is assigned cluster-level administrative permissions.


This rule monitory when a ClusterRoleBinding object is created to bind a Kubernetes user to the cluster-admin default cluster-wide role. This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.

Triage and response

  1. Determine if the Kubernetes user referenced in @requestObject.subjects is expected to have been granted administrator permissions on the cluster
  2. Determine if the actor (@usr.id) is authorized to assign administrator permissions
  3. Use the Cloud SIEM User Investigation dashboard to review any user actions that may have occurred after the potentially malicious action.


20 September 2022 - Updated tags.