
K8s Audit Log Cluster Role Created

This alert occurs when Lacework detects that a new Kubernetes cluster role was created.

In Kubernetes, a cluster role is a set of permissions that define how a user, group, or service account can interact with the Kubernetes API server. It is a way to grant access to specific resources and operations within the cluster, such as creating or deleting pods, services, or nodes.

Why this alert is important

If an unauthorized user or service account gains access to a cluster role, they could perform actions that compromise the cluster's security, such as stealing sensitive data or modifying critical resources.

Investigation

Follow these steps to investigate the alert:

  1. Determine who created the new cluster role by looking at the audit logs. This will help you identify whether it was created by an authorized user or by an attacker who has gained unauthorized access.
  2. Review the role's permissions to determine if it has been granted excessive privileges or if it grants access to sensitive resources. Compare the permissions to those of other roles in the cluster to identify any inconsistencies.
  3. Check for any suspicious activity associated with the new role, such as unauthorized access or changes to other resources in the cluster. Look for any indications of data exfiltration or attempts to gain persistence.
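The first two investigation steps can be scripted against the raw Kubernetes audit log. The following Python is an added example, not part of Lacework's product or this page: it reads JSON-lines audit events, keeps successful `create` requests on `clusterroles`, records who made each request and from where, and flags rules that grant wildcard, sensitive-resource, or privilege-escalation permissions. The audit events are constructed samples; the `requestObject` field is only present when the cluster's audit policy records requests at the `Request` or `RequestResponse` level.

```python
import json

# Constructed sample audit events (JSON lines), not data from a real cluster.
AUDIT_LOG = r'''
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:deployer","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.3.7"],"objectRef":{"resource":"clusterroles","name":"ci-release-admin","apiGroup":"rbac.authorization.k8s.io"},"requestObject":{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},"responseStatus":{"code":201}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com","groups":["platform-admins"]},"sourceIPs":["192.0.2.10"],"objectRef":{"resource":"clusterroles","name":"pod-reader","apiGroup":"rbac.authorization.k8s.io"},"requestObject":{"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get","list","watch"]}]},"responseStatus":{"code":201}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"default","name":"web-1"},"responseStatus":{"code":200}}
'''

# Permissions that deserve scrutiny when granted cluster-wide.
SENSITIVE_RESOURCES = {"secrets", "clusterroles", "clusterrolebindings", "roles", "rolebindings"}
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}

def risky_rule_reasons(rule):
    """Return human-readable reasons why a single RBAC rule is risky (empty if none)."""
    reasons = []
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    if "*" in verbs and "*" in resources:
        reasons.append("wildcard verbs on wildcard resources (cluster-admin equivalent)")
    if resources & SENSITIVE_RESOURCES:
        reasons.append("grants access to sensitive resources: " + ", ".join(sorted(resources & SENSITIVE_RESOURCES)))
    if verbs & ESCALATION_VERBS:
        reasons.append("grants privilege-escalation verbs: " + ", ".join(sorted(verbs & ESCALATION_VERBS)))
    return reasons

def cluster_role_creations(log_text):
    """Extract successful ClusterRole creations: who, from where, and whether the rules look risky."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ev.get("verb") != "create" or ref.get("resource") != "clusterroles":
            continue
        if ev.get("responseStatus", {}).get("code") not in (200, 201):
            continue  # denied or failed attempts are worth a separate look, but did not create a role
        reasons = []
        for rule in ev.get("requestObject", {}).get("rules", []):
            reasons.extend(risky_rule_reasons(rule))
        findings.append({
            "role": ref.get("name"),
            "creator": ev["user"]["username"],
            "source_ips": ev.get("sourceIPs", []),
            "risky": bool(reasons),
            "reasons": reasons,
        })
    return findings

if __name__ == "__main__":
    for finding in cluster_role_creations(AUDIT_LOG):
        print(json.dumps(finding))
```

Running it over the sample flags `ci-release-admin` (created by a CI service account with cluster-admin-equivalent rules) and reports `pod-reader` as a benign, read-only role; the plain `get` on a pod is ignored.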

Resolution

Follow these steps to resolve the alert:

  1. Revoke the role using the kubectl command-line tool.
  2. Review existing security policies to ensure they are adequate and effective. This includes reviewing RBAC policies, network policies, and other security configurations to identify potential vulnerabilities.
  3. Remediate any vulnerabilities that were exploited to create the unauthorized role. This may involve patching software, updating security configurations, or revising security policies.
  4. Implement continuous monitoring to detect any further unauthorized access or suspicious activity. This includes monitoring Kubernetes audit logs, access logs, and network activity to detect potential security breaches.
  5. Inform relevant stakeholders, including the security team, IT team, and management, about the incident and the steps taken to remediate it. This ensures that everyone is aware of the situation and can take appropriate measures to prevent similar incidents in the future.