A Kubernetes user was assigned cluster administrator permissions

Classification:

attack

Tactic:

TA0004-privilege-escalation

Set up the kubernetes integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Identify when a Kubernetes user is assigned cluster-level administrative permissions.

Strategy

This rule monitory when a ClusterRoleBinding object is created to bind a Kubernetes user to the cluster-admin default cluster-wide role. This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.

Triage and response

Determine if the Kubernetes user referenced in @requestObject.subjects is expected to have been granted administrator permissions on the cluster
Determine if the actor (@usr.id) is authorized to assign administrator permissions
Use the Cloud SIEM User Investigation dashboard to review any user actions that may have occurred after the potentially malicious action.

Changelog

20 September 2022 - Updated tags.