K8s Audit Log Cluster Role Binding Created
This alert occurs when Lacework detects, from the Kubernetes audit log, that a ClusterRoleBinding was created.
In Kubernetes, a ClusterRoleBinding binds a ClusterRole to one or more subjects (users, groups, or service accounts) across the whole cluster rather than within a single namespace. As soon as the binding is created, every subject listed in it can perform the verbs defined in the referenced ClusterRole on the resources that role covers, in every namespace and on cluster-scoped resources such as nodes, ClusterRoles, and other ClusterRoleBindings. A binding to cluster-admin, or to any ClusterRole with wildcard rules, amounts to full control of the cluster.
Why this alert is important
Detecting a new ClusterRoleBinding matters because it is the single API call that turns a low-privilege identity into a high-privilege one. A binding whose subject is a service account lets whatever pod holds that service account's token exercise the granted permissions, so it is a common privilege escalation and persistence step after a pod or credential compromise. If the binding cannot be tied to a known change (a CI pipeline, a GitOps controller, an approved ticket), treat it as a potential incident: the subject may now be able to read Secrets cluster-wide, run workloads on any node, or grant further access.
Investigation
Follow these steps to investigate the alert:
- Determine who created the binding from the audit event itself: the user.username and user.groups fields, the sourceIPs, and the userAgent. A creator of the form system:serviceaccount:<namespace>:<name> means the binding was made from inside a workload, not by an administrator at a terminal. An unknown human user, an unfamiliar source address, or an unexpected client (curl where kubectl or a known controller would be expected) all warrant deeper investigation.
- Review what the binding grants: the roleRef (which ClusterRole) and the subjects. Treat bindings to cluster-admin, to ClusterRoles with wildcard verbs or resources, or to the built-in groups system:authenticated, system:unauthenticated, or system:anonymous as high risk regardless of who created them. Compare the grant against the subject's job function; a grant wider than that function requires is a red flag, and a service account that binds a role to itself is a classic self-escalation from a compromised pod.
- If the creator or subject is a service account, identify the pods running under it (the serviceAccountName field of the pod spec), when they were deployed and by whom, and whether a recently created container could have issued the request. Look in the same audit window for exec into pods, token requests, Secret reads, or pod creation by that identity; together these indicate a compromised workload rather than an automation bug.
- Widen the search to surrounding activity by the same user, source IP, or service account, and keep monitoring while the investigation runs: an attacker who has obtained one binding often creates more to persist.
- Escalate to the incident response or platform security team if the binding cannot be tied to an approved change. They can assess the blast radius of the granted permissions and decide on containment.
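The first three investigation steps above, run over the raw audit events, as an added example in Python. This is not Lacework's detection logic and not code from this page. It assumes the API server writes its audit log as JSON lines (the audit.k8s.io/v1 log backend) at Request or RequestResponse level so that requestObject is present; the five events are constructed for illustration, and the sets of roles and subjects it escalates on are an assumed starting policy to tune per cluster.

```python
import json

# Assumed starting policy for this example; tune per cluster.
BROAD_ROLES = {"cluster-admin", "admin", "edit"}
DANGEROUS_SUBJECTS = {"system:anonymous", "system:unauthenticated",
                      "system:authenticated", "system:serviceaccounts"}

# Five constructed audit events (JSON lines). Events 1 and 2 are the
# RequestReceived and ResponseComplete stages of one admin request; event 3 is
# a service account binding cluster-admin to itself; event 4 is a namespaced
# RoleBinding (out of scope); event 5 is a denied (403) attempt.
AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8c1d-0001","stage":"RequestReceived","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"alice@example.com","groups":["platform-admins","system:authenticated"]},"sourceIPs":["10.0.1.15"],"userAgent":"kubectl/v1.29.2 (linux/amd64) kubernetes/4b8e819","objectRef":{"resource":"clusterrolebindings","name":"auditors-view","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"requestReceivedTimestamp":"2024-03-01T10:14:02.101Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8c1d-0001","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"alice@example.com","groups":["platform-admins","system:authenticated"]},"sourceIPs":["10.0.1.15"],"userAgent":"kubectl/v1.29.2 (linux/amd64) kubernetes/4b8e819","objectRef":{"resource":"clusterrolebindings","name":"auditors-view","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"code":201},"requestObject":{"kind":"ClusterRoleBinding","apiVersion":"rbac.authorization.k8s.io/v1","metadata":{"name":"auditors-view"},"subjects":[{"kind":"Group","apiGroup":"rbac.authorization.k8s.io","name":"auditors"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"view"}},"requestReceivedTimestamp":"2024-03-01T10:14:02.101Z","stageTimestamp":"2024-03-01T10:14:02.140Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8c1d-0002","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"system:serviceaccount:default:web-frontend","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"]},"sourceIPs":["10.244.3.7"],"userAgent":"curl/8.4.0","objectRef":{"resource":"clusterrolebindings","name":"debug-admin","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"code":201},"requestObject":{"kind":"ClusterRoleBinding","apiVersion":"rbac.authorization.k8s.io/v1","metadata":{"name":"debug-admin"},"subjects":[{"kind":"ServiceAccount","name":"web-frontend","namespace":"default"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"}},"requestReceivedTimestamp":"2024-03-01T10:31:47.512Z","stageTimestamp":"2024-03-01T10:31:47.530Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"8c1d-0003","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/namespaces/dev/rolebindings","verb":"create","user":{"username":"alice@example.com","groups":["platform-admins","system:authenticated"]},"sourceIPs":["10.0.1.15"],"userAgent":"kubectl/v1.29.2 (linux/amd64) kubernetes/4b8e819","objectRef":{"resource":"rolebindings","namespace":"dev","name":"dev-edit","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-03-01T10:40:10.000Z","stageTimestamp":"2024-03-01T10:40:10.020Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8c1d-0004","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"system:serviceaccount:default:api-worker","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"]},"sourceIPs":["10.244.5.2"],"userAgent":"curl/8.4.0","objectRef":{"resource":"clusterrolebindings","name":"worker-admin","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"code":403,"status":"Failure","reason":"Forbidden"},"requestReceivedTimestamp":"2024-03-01T10:45:00.000Z","stageTimestamp":"2024-03-01T10:45:00.010Z"}
"""


def parse_events(text):
    """Parse JSON-lines audit output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_crb_create(ev):
    """Successful ClusterRoleBinding creation. Requiring ResponseComplete and a
    2xx code drops the RequestReceived copy of the request and denied attempts."""
    ref = ev.get("objectRef", {})
    code = ev.get("responseStatus", {}).get("code", 0)
    return (ev.get("verb") == "create"
            and ev.get("stage") == "ResponseComplete"
            and ref.get("apiGroup") == "rbac.authorization.k8s.io"
            and ref.get("resource") == "clusterrolebindings"
            and 200 <= code < 300)


def fmt_subject(s):
    if s.get("kind") == "ServiceAccount":
        return f"ServiceAccount/{s.get('namespace')}/{s.get('name')}"
    return f"{s.get('kind')}/{s.get('name')}"


def triage(ev):
    """Pull creator, role and subjects out of one event and grade it."""
    req = ev.get("requestObject", {})  # only present at Request/RequestResponse level
    role = req.get("roleRef", {}).get("name")
    subjects = req.get("subjects", [])
    creator = ev["user"]["username"]
    reasons = []

    if role is None:
        reasons.append("requestObject missing (audit level too low); fetch the binding to read roleRef and subjects")
    elif role in BROAD_ROLES:
        reasons.append(f"binds broad ClusterRole '{role}' cluster-wide")

    for s in subjects:
        if s.get("name") in DANGEROUS_SUBJECTS:
            reasons.append(f"subject {s['name']} covers anonymous or all authenticated identities")

    if creator.startswith("system:serviceaccount:"):
        reasons.append("created from a workload service account, not by a human or CI identity")
        _, _, ns, sa = creator.split(":", 3)
        if any(s.get("kind") == "ServiceAccount" and s.get("namespace") == ns
               and s.get("name") == sa for s in subjects):
            reasons.append(f"service account {ns}/{sa} granted the role to itself (self-escalation)")

    if role == "cluster-admin" or any(s.get("name") in DANGEROUS_SUBJECTS for s in subjects):
        severity = "critical"
    elif reasons:
        severity = "high"
    else:
        severity = "low"

    return {
        "auditID": ev.get("auditID"),
        "binding": ev["objectRef"]["name"],
        "creator": creator,
        "groups": ev["user"].get("groups", []),
        "source_ips": ev.get("sourceIPs", []),
        "user_agent": ev.get("userAgent", ""),
        "role": role,
        "subjects": [fmt_subject(s) for s in subjects],
        "reasons": reasons,
        "severity": severity,
    }


def triage_log(text):
    """One finding per successfully created ClusterRoleBinding, in log order."""
    return [triage(ev) for ev in parse_events(text) if is_crb_create(ev)]


def denied_crb_attempts(text):
    """Forbidden attempts are not bindings, but deserve their own lower-severity rule."""
    return [ev for ev in parse_events(text)
            if ev.get("verb") == "create"
            and ev.get("objectRef", {}).get("resource") == "clusterrolebindings"
            and ev.get("responseStatus", {}).get("code") == 403]


if __name__ == "__main__":
    for finding in triage_log(AUDIT_LOG):
        print(json.dumps(finding, indent=2))
    for ev in denied_crb_attempts(AUDIT_LOG):
        print("denied attempt by", ev["user"]["username"], "from", ev.get("sourceIPs"))
```

Run against the constructed log, the admin's binding of the view ClusterRole to the auditors group comes out as low severity, while the web-frontend service account's binding of cluster-admin to itself from a curl client is critical with three reasons attached. At Metadata audit level the requestObject is absent, so only objectRef.name is known and the binding's roleRef and subjects have to be read back with kubectl get clusterrolebinding <name> -o yaml; the triage marks that case rather than guessing.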
Resolution
Follow these steps to resolve the alert:
- Delete the unauthorized ClusterRoleBinding immediately. Deleting the binding revokes the grant for all of its subjects at once; no change to the ClusterRole itself is needed unless the role was also created or modified by the attacker.
- Revoke the credentials used to create the binding, not just the grant it produced. For a service account, delete the pod holding the token and rotate or delete the token; for an OIDC-backed user, disable the account at the identity provider. Note that Kubernetes does not check client certificates against a revocation list, so a compromised client certificate stays valid until it expires unless the cluster CA is rotated.
- Review existing ClusterRoleBindings and RoleBindings across the cluster, not only the one that fired: list every subject bound to cluster-admin or to ClusterRoles with wildcard rules and remove bindings that exceed what the subject's function requires. Prefer namespaced RoleBindings wherever the permission does not genuinely need cluster scope.
- Conduct a thorough review of the affected cluster for other indicators from the incident window: additional RBAC objects, new pods or DaemonSets, modified admission webhooks, and Secret reads by the involved identities. Implement additional controls where warranted, such as an admission policy that rejects bindings to cluster-admin unless they come from an approved deployment identity.
- Keep the audit policy at Request or RequestResponse level for RBAC resources so that future alerts carry the full roleRef and subjects, and monitor the cluster closely for unusual activity or repeated attempts at unauthorized access, including denied attempts, which show an identity probing for more privilege.
- Consider preventive measures such as authenticating users through an identity provider that enforces multi-factor authentication, setting automountServiceAccountToken to false for workloads that do not need API access, network segmentation between workloads and the API server, and regular security training for cluster users.
- If the situation warrants it, involve law enforcement or other relevant authorities to investigate the incident and take legal action against any responsible parties.