Kubernetes Service Account Created in Kube Namespace

Set up the kubernetes integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.


Detect when a user is creating a service account in one of the Kubernetes default namespaces.


This rule monitors when a create (@http.method:create) action occurs for a service account (@objectRef.resource:serviceaccounts) within either of the kube-system or kube-public namespaces.

The only users creating service accounts in the kube-system namespace should be cluster administrators. Furthermore, it is best practice to not run any cluster critical infrastructure in the kube-system namespace.

The kube-public namespace is intended for kubernetes objects which should be readable by unauthenticated users. Thus, a service account should likely not be created in the kube-public namespace.

Triage and response

Determine if the user should be creating this new service account in one of the default namespaces.


  • 21 September 2022 - Tuned rule to remove system and EKS service account creations, increased severity, added decrease on environment flag.
  • 17 October 2022 - Updated tags.
  • 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.