A Kubernetes user was assigned cluster administrator permissions
Set up the kubernetes integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Identify when a Kubernetes user is assigned cluster-level administrative permissions.
Strategy
This rule monitors when a ClusterRoleBinding
object is created to bind a Kubernetes user to the cluster-admin
default cluster-wide role. This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.
Triage and response
- Determine if the Kubernetes user referenced in
@requestObject.subjects
is expected to have been granted administrator permissions on the cluster - Determine if the actor (
@usr.id
) is authorized to assign administrator permissions - Use the Cloud SIEM
User Investigation
dashboard to review any user actions that may have occurred after the potentially malicious action.
Changelog
- 20 September 2022 - Updated tags.
- 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
- 15 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.