A Kubernetes user was assigned cluster administrator permissions
Set up the Kubernetes integration.
Goal
Identify when a Kubernetes user is assigned cluster-level administrative permissions.
Strategy
This rule monitors when a ClusterRoleBinding object is created to bind a Kubernetes user to the cluster-admin default cluster-wide role. This effectively grants the referenced user full administrator permissions over the entire Kubernetes cluster.
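The check described above, written against raw Kubernetes audit events as an added example (it is not the rule's own query or Datadog code). The function name and the sample events are constructed; field names follow the audit.k8s.io/v1 event format, and reporting only requests the API server accepted is an assumption.

```python
import json

# Constructed sample audit events (audit.k8s.io/v1 field names), one JSON object per line.
SAMPLE_AUDIT_LOG = """
{"verb":"create","user":{"username":"alice@example.com"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"clusterrolebindings"},"responseStatus":{"code":201},"requestObject":{"metadata":{"name":"bob-admin"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"User","name":"bob@example.com"},{"kind":"ServiceAccount","name":"ci","namespace":"build"}]}}
{"verb":"create","user":{"username":"carol@example.com"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"clusterrolebindings"},"responseStatus":{"code":201},"requestObject":{"metadata":{"name":"dave-view"},"roleRef":{"kind":"ClusterRole","name":"view"},"subjects":[{"kind":"User","name":"dave@example.com"}]}}
{"verb":"create","user":{"username":"carol@example.com"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"clusterrolebindings"},"responseStatus":{"code":201},"requestObject":{"metadata":{"name":"ci-admin"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"ci","namespace":"build"}]}}
{"verb":"create","user":{"username":"eve@example.com"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"clusterrolebindings"},"responseStatus":{"code":403},"requestObject":{"metadata":{"name":"eve-admin"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"User","name":"eve@example.com"}]}}
{"verb":"create","user":{"username":"carol@example.com"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"rolebindings","namespace":"dev"},"responseStatus":{"code":201},"requestObject":{"metadata":{"name":"dev-admin"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"User","name":"dave@example.com"}]}}
{"verb":"create","user":{"username":"frank@example.com"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"clusterrolebindings"},"responseStatus":{"code":201}}
"""

TARGET = ("create", "rbac.authorization.k8s.io", "clusterrolebindings")

def find_cluster_admin_grants(lines):
    """Return (findings, unevaluable): cluster-admin grants to User subjects, and the
    number of ClusterRoleBinding creates that were logged without a request body."""
    findings, unevaluable = [], 0
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if (ev.get("verb"), ref.get("apiGroup"), ref.get("resource")) != TARGET:
            continue  # not a cluster-wide binding being created
        # Assumption: only bindings the API server accepted (2xx) are reported.
        if not 200 <= (ev.get("responseStatus") or {}).get("code", 0) < 300:
            continue
        body = ev.get("requestObject")
        if body is None:
            # Metadata-level audit policy: no body, so role and subjects are unknown.
            unevaluable += 1
            continue
        role = body.get("roleRef") or {}
        if (role.get("kind"), role.get("name")) != ("ClusterRole", "cluster-admin"):
            continue
        users = [s.get("name") for s in body.get("subjects") or [] if s.get("kind") == "User"]
        if users:
            findings.append({"actor": (ev.get("user") or {}).get("username"),
                             "binding": (body.get("metadata") or {}).get("name"),
                             "granted_to": users})
    return findings, unevaluable

if __name__ == "__main__":
    hits, skipped = find_cluster_admin_grants(SAMPLE_AUDIT_LOG.splitlines())
    for hit in hits:
        print(hit)
    print("ClusterRoleBinding creates without requestObject:", skipped)
```

A non-zero second value means the audit policy logs some ClusterRoleBinding writes without the request body, so the role and subjects of those bindings cannot be checked from the log.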
Triage and response
- Determine if the Kubernetes user referenced in @requestObject.subjects is expected to have been granted administrator permissions on the cluster.
- Determine if the actor (@usr.id) is authorized to assign administrator permissions.
- Use the Cloud SIEM User Investigation dashboard to review any user actions that may have occurred after the potentially malicious action.
Changelog
20 September 2022 - Updated tags.