<  Back to rules search

A Kubernetes user was assigned cluster administrator permissions

kubernetes

Set up the kubernetes integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Identify when a Kubernetes user is assigned cluster-level administrative permissions.

Strategy

This rule monitory when a ClusterRoleBinding object is created to bind a Kubernetes user to the cluster-admin default cluster-wide role. This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.

Triage and response

  1. Determine if the Kubernetes user referenced in @requestObject.subjects is expected to have been granted administrator permissions on the cluster
  2. Determine if the actor (@usr.id) is authorized to assign administrator permissions
  3. Use the Cloud SIEM User Investigation dashboard to review any user actions that may have occurred after the potentially malicious action.