---
title: Kubernetes Service Account Created in Kube Namespace
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Kubernetes Service Account Created in
  Kube Namespace
---

# Kubernetes Service Account Created in Kube Namespace
Classification:attackTactic:[TA0003-persistence](https://attack.mitre.org/tactics/TA0003)Technique:[T1136-create-account](https://attack.mitre.org/techniques/T1136) 
## Goal{% #goal %}

Detect when a user is creating a service account in one of the Kubernetes default namespaces.

## Strategy{% #strategy %}

This rule monitors when a create (`@http.method:create`) action occurs for a service account (`@objectRef.resource:serviceaccounts`) within either of the `kube-system` or `kube-public` namespaces.

The only users creating service accounts in the `kube-system` namespace should be cluster administrators. Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.

The `kube-public` namespace is intended for kubernetes objects which should be readable by unauthenticated users. Thus, a service account should likely not be created in the `kube-public` namespace.

## Triage and response{% #triage-and-response %}

Determine if the user should be creating this new service account in one of the default namespaces.

## Changelog{% #changelog %}

- 21 September 2022 - Tuned rule to remove system and EKS service account creations, increased severity, added decrease on environment flag.
- 17 October 2022 - Updated tags.
- 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
- 17 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.
- 19 November 2024 - Updated detection query to exclude token creation.