K8s Audit Log Cluster Role With Pod Write

This alert occurs when Lacework detects the creation of a cluster role that grants write permission to pods.

Why this alert is important

With this permission, a user can perform various actions, including:

  • Create new pods with specific configurations and deploy them within the cluster.
  • Make changes to the configuration of existing pods, such as updating environment variables, resource limits, or networking settings.
  • Delete pods.
  • Scale pods.
  • Modify pod status and metadata.
  • Attach storage volumes.
  • Execute commands inside pods.

Investigation

Follow these steps to investigate the alert:

  1. Check the audit logs for activities related to creating or modifying cluster roles. Pay attention to the user or service account associated with these activities. Look for entries that indicate the creation or modification of roles with permissions to write to pods.
  2. Examine the RBAC (Role-Based Access Control) configurations in your Kubernetes cluster. Verify the existing cluster roles and their associated permissions. Specifically, look for roles that grant write permission to pods.
  3. If you use version control systems like Git to manage your Kubernetes configurations, inspect the history and changes to RBAC files. Analyze the commits and review who made the changes. Look for any recent changes introducing or modifying cluster roles that grant write permission to pods.
  4. Assess the access controls and authentication mechanisms in your Kubernetes cluster. Identify who has the privileges to create or modify cluster roles. Look for any unauthorized or suspicious users or service accounts with such permissions. Cross-reference this information with the RBAC configurations to identify potential discrepancies.
  5. Engage with your team members, particularly those responsible for managing RBAC configurations and access controls. Inquire about recent changes or updates to cluster roles granting write permission to pods. Discuss the purpose and intention behind these changes and verify if they align with your organization's policies and requirements.
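As an added illustration of steps 1 and 2 (not part of the original alert documentation, and not Lacework's own detection logic), the following Python scans Kubernetes API server audit events, one JSON object per line as the audit backend writes them, and reports completed ClusterRole create/update/patch requests whose rules grant a write verb on pods or a pods subresource. The sample events are constructed; `requestObject`/`responseObject` are only present when the audit policy level is Request or RequestResponse for that resource.

```python
import json

# RBAC verbs that modify a resource (the "*" wildcard covers all verbs).
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

def grants_pod_write(rules):
    """True if any rule grants a write verb on pods or a pods subresource in the core group."""
    for rule in rules or []:
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if not (groups & {"", "*"}):            # pods live in the core ("") API group
            continue
        pod_like = any(r in ("pods", "*") or r.startswith("pods/") for r in resources)
        if pod_like and (verbs & WRITE_VERBS):
            return True
    return False

def find_pod_write_clusterroles(audit_lines):
    """Return (user, verb, clusterrole name) for completed ClusterRole writes granting pod write."""
    hits = []
    for line in audit_lines:
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":   # count each request once; skip RequestReceived
            continue
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "clusterroles" or ev.get("verb") not in ("create", "update", "patch"):
            continue
        # responseObject is the stored object (RequestResponse level); requestObject is the
        # submitted body, which for "patch" is only the patch fragment, so prefer the former.
        obj = ev.get("responseObject") or ev.get("requestObject") or {}
        if grants_pod_write(obj.get("rules")):
            hits.append((ev["user"]["username"], ev["verb"], ref.get("name")))
    return hits

# Constructed sample audit events (not taken from a real cluster).
SAMPLE_AUDIT = [
    json.dumps({"stage": "RequestReceived", "verb": "create", "user": {"username": "alice"},
                "objectRef": {"resource": "clusterroles", "name": "pod-writer"}}),
    json.dumps({"stage": "ResponseComplete", "verb": "create", "user": {"username": "alice"},
                "objectRef": {"resource": "clusterroles", "name": "pod-writer"},
                "requestObject": {"rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete"]}]}}),
    json.dumps({"stage": "ResponseComplete", "verb": "create", "user": {"username": "bob"},
                "objectRef": {"resource": "clusterroles", "name": "pod-reader"},
                "requestObject": {"rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]}}),
    json.dumps({"stage": "ResponseComplete", "verb": "create", "user": {"username": "carol"},
                "objectRef": {"resource": "roles", "namespace": "dev", "name": "ns-pod-writer"},
                "requestObject": {"rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]}}),
]
```

Running `find_pod_write_clusterroles(SAMPLE_AUDIT)` flags only alice's cluster-wide "pod-writer"; the read-only role and the namespaced Role are ignored, matching the scope of this alert.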

Resolution

Follow these steps to resolve the alert:

  1. If the cluster role was created maliciously or in error, remove it immediately to prevent further unauthorized access or activity.
  2. Change the credentials of any users who may have been involved in creating the unauthorized cluster role, and revoke their access if necessary.
  3. Review all users' permissions and access levels and ensure they are appropriate for their job functions. Remove any excessive permissions that could lead to potential security breaches.
  4. Conduct a thorough security audit of the affected cluster to identify other security vulnerabilities or suspicious activity.
  5. Implement additional security measures such as multi-factor authentication, network segmentation, and regular security training for users to prevent future security incidents.