K8s Audit Log Cluster Role With All Resources
This alert occurs when Lacework detects the creation of a cluster role that grants full access to all cluster-level resources.
Why this alert is important
With this role, a user, group, or service account can manipulate and manage any resource within the cluster, including pods, services, config maps, secrets, deployments, and more. This level of access can have significant security implications, as it grants broad control over the cluster's infrastructure and workloads.
Investigation
Follow these steps to investigate the alert:
- Check the Kubernetes audit logs to identify any relevant activities related to creating the cluster role. The audit logs record API server requests and responses, providing details about who initiated the action and which resources were affected. Look for entries related to the creation of cluster roles with extensive privileges.
- Review the logs of the Kubernetes API server, which handles API requests. The API server logs may contain information about the user, timestamp, and actions performed, helping you identify the creation of the privileged cluster role. Look for any entries indicating the creation of cluster roles with broad access.
- Use the kubectl command-line tool to list and inspect cluster roles within the cluster. Run the following command to view the details of cluster roles, then look for any cluster roles that grant extensive privileges or have names indicating full access.
kubectl get clusterroles
- Examine the RBAC (Role-Based Access Control) configuration in your Kubernetes cluster. Ensure that the RBAC policies are properly defined and follow the principle of least privilege. Review the roles and role bindings to identify any misconfigurations or overly permissive roles that may allow the creation of cluster roles with excessive access.
- Kubernetes generates events for various activities within the cluster. Check the events related to the creation of cluster roles by running the following command, then look for any events indicating the creation of cluster roles with broad access.
kubectl get events
- Examine the Kubernetes configuration files used for cluster setup. Check for any explicit definitions of cluster roles that grant full access to cluster-level resources.
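As an added example (not Lacework's code and not from the original page), the following Python checker applies the audit-log step above to Kubernetes audit log lines: it reports successful create, update, or patch requests for a ClusterRole whose rules use wildcard resources and verbs, so it also covers a benign role being widened after creation. It assumes the audit policy logs clusterroles at the RequestResponse level (so requestObject is present) and uses constructed sample log lines.

```python
import json

# Constructed sample audit log (JSON lines), not real cluster data. requestObject is
# only present when the audit policy logs clusterroles at level RequestResponse.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"clusterroles","apiGroup":"rbac.authorization.k8s.io","name":"full-access"},"requestObject":{"kind":"ClusterRole","metadata":{"name":"full-access"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-01-01T10:00:00Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kube-system:deployer"},"objectRef":{"resource":"clusterroles","apiGroup":"rbac.authorization.k8s.io","name":"pod-reader"},"requestObject":{"kind":"ClusterRole","metadata":{"name":"pod-reader"},"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get","list"]}]},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-01-01T10:01:00Z"}
{"kind":"Event","stage":"RequestReceived","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"clusterroles","apiGroup":"rbac.authorization.k8s.io","name":"full-access"},"requestObject":{"kind":"ClusterRole","metadata":{"name":"full-access"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},"requestReceivedTimestamp":"2024-01-01T10:00:00Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"mallory@example.com"},"objectRef":{"resource":"clusterroles","apiGroup":"rbac.authorization.k8s.io","name":"denied-role"},"requestObject":{"kind":"ClusterRole","metadata":{"name":"denied-role"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-01-01T10:02:00Z"}
"""

# Verbs that create or widen a ClusterRole; the alert itself is about creation.
WRITE_VERBS = {"create", "update", "patch"}


def rule_grants_full_access(rule):
    """True when a single RBAC rule uses wildcards for both resources and verbs."""
    return "*" in rule.get("resources", []) and "*" in rule.get("verbs", [])


def find_full_access_clusterroles(audit_log_text):
    """Return one finding per successful ClusterRole write whose rules grant full access."""
    findings = []
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # Count only the completed request; the RequestReceived stage would duplicate it.
        if event.get("stage") != "ResponseComplete":
            continue
        if event.get("verb") not in WRITE_VERBS:
            continue
        if event.get("objectRef", {}).get("resource") != "clusterroles":
            continue
        # Skip denied requests (e.g. 403): they show intent but did not change the cluster.
        if event.get("responseStatus", {}).get("code", 0) >= 300:
            continue
        rules = event.get("requestObject", {}).get("rules", [])
        if any(rule_grants_full_access(r) for r in rules):
            findings.append({
                "user": event.get("user", {}).get("username"),
                "verb": event["verb"],
                "clusterrole": event["objectRef"].get("name"),
                "time": event.get("requestReceivedTimestamp"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_full_access_clusterroles(SAMPLE_AUDIT_LOG):
        print(finding)
```

The user, verb, role name, and timestamp in each finding are the fields to pivot on when checking who created the role and whether it was bound to any subject.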
Resolution
Follow these steps to resolve the alert:
- If the cluster role was created maliciously or in error, remove it immediately to prevent further unauthorized access or activity.
- Change the credentials of any users who may have been involved in creating the unauthorized cluster role, and revoke their access if necessary.
- Review all users' permissions and access levels and ensure they are appropriate for their job functions. Remove any excessive permissions that could lead to potential security breaches.
- Conduct a thorough security audit of the affected cluster to identify other security vulnerabilities or suspicious activity.
- Implement additional security measures such as multi-factor authentication, network segmentation, and regular security training for users to prevent future security incidents.