Kubernetes Service Account Created in Kube Namespace
Set up the kubernetes integration.
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detect when a user is creating a service account in one of the Kubernetes default namespaces.
Strategy
This rule monitors when a create (@http.method:create
) action occurs for a service account (@objectRef.resource:serviceaccounts
) within either of the kube-system
or kube-public
namespaces.
The only users creating service accounts in the kube-system
namespace should be cluster administrators. Furthermore, it is best practice to not run any cluster critical infrastructure in the kube-system
namespace.
The kube-public
namespace is intended for kubernetes objects which should be readable by unauthenticated users. Thus, a service account should likely not be created in the kube-public
namespace.
Triage and response
Determine if the user should be creating this new service account in one of the default namespaces.
Changelog
- 21 September 2022 - Tuned rule to remove system and EKS service account creations, increased severity, added decrease on environment flag.
- 17 October 2022 - Updated tags.
- 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
- 17 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.
- 19 November 2024 - Updated detection query to exclude token creation.