K8s Audit Log Cluster Role With Secrets
This alert occurs when Lacework detects the creation of a cluster role that grants access to all secrets.
Why this alert is important
In Kubernetes, the secret object is used to store sensitive information securely. It is primarily designed to hold small pieces of confidential data, such as passwords, API tokens, and TLS certificates, that applications running within the cluster may need access to.
Granting unrestricted access to all secrets through a cluster role increases the risk of unauthorized access, data breaches, and potential compromise of sensitive information. Detecting the creation of such a cluster role allows organizations to promptly address the issue and mitigate the security risks associated with unrestricted access.
Investigation
Follow these steps to investigate the alert:
- Collect logs from the Kubernetes control plane, cluster components, and relevant security tools or systems. These logs may include audit logs, container logs, system logs, and any logs generated by access control or monitoring tools.
- Search for events related to cluster role creation, role binding changes, or secret modifications. Look for suspicious or unexpected activity that indicates a cluster role was created with broad access to secrets.
- Examine the role bindings within your Kubernetes cluster to identify any bindings that provide access to secrets. Pay close attention to cluster-wide roles or roles that grant broad privileges across namespaces.
- Analyze the audit logs to trace the creation of the cluster role and the associated events. Look for abnormal patterns, such as privileged actions performed by unauthorized users or unusual timestamps indicating potential malicious activity.
- Investigate the users or systems associated with the creation of the cluster role. Identify the entities responsible and review their permissions, access history, and any recent changes to their roles or privileges.
- Monitor network traffic within the cluster to identify any suspicious connections or communications related to the cluster role creation. Analyze network logs and inspect endpoints for signs of compromise or unauthorized access attempts.
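The audit-log search described above, as an added example that is not Lacework's own detection logic: it parses Kubernetes API server audit events (JSON lines) and flags successful ClusterRole creations whose rules grant read access to all secrets. It assumes the audit policy records at the RequestResponse level so that `requestObject` is present; the sample events are constructed, not real cluster records.

```python
import json

# Constructed sample audit events in the apiserver's JSON-lines audit format
# (not real cluster data). _event is a hypothetical helper used only to build them.
def _event(user, name, rules):
    return json.dumps({"kind": "Event", "stage": "ResponseComplete", "verb": "create",
                       "user": {"username": user},
                       "objectRef": {"resource": "clusterroles", "name": name},
                       "requestObject": {"rules": rules},
                       "responseStatus": {"code": 201}})

SAMPLE_AUDIT_LOG = [
    _event("dev-user", "secret-reader",          # all secrets, read verbs -> flag
           [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]),
    _event("ci-bot", "pod-viewer",               # pods only -> ignore
           [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]),
    _event("dev-user", "one-secret",             # scoped by resourceNames -> ignore
           [{"apiGroups": [""], "resources": ["secrets"],
             "resourceNames": ["app-tls"], "verbs": ["get"]}]),
    _event("admin", "cluster-wildcard",          # wildcard covers secrets -> flag
           [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
]

READ_VERBS = {"get", "list", "watch", "*"}

def rule_exposes_all_secrets(rule):
    """True if a single RBAC rule grants read access to every Secret in the cluster."""
    if rule.get("resourceNames"):        # restricted to named objects, not "all secrets"
        return False
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    # Secrets live in the core API group (""); "*" in any field matches everything.
    return (bool(groups & {"", "*"}) and bool(resources & {"secrets", "*"})
            and bool(verbs & READ_VERBS))

def find_cluster_roles_with_secrets(audit_lines):
    """Return (username, clusterrole name) for each successful ClusterRole
    creation whose rules expose all secrets."""
    findings = []
    for line in audit_lines:
        ev = json.loads(line)
        if (ev.get("stage") != "ResponseComplete" or ev.get("verb") != "create"
                or ev.get("objectRef", {}).get("resource") != "clusterroles"
                or ev.get("responseStatus", {}).get("code", 0) >= 300):
            continue                      # only completed, successful creations
        rules = ev.get("requestObject", {}).get("rules", [])
        if any(rule_exposes_all_secrets(r) for r in rules):
            findings.append((ev["user"]["username"], ev["objectRef"]["name"]))
    return findings
```

The same rule check can be run against RoleBinding and ClusterRoleBinding events to find who is bound to a flagged role.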
Resolution
Follow these steps to resolve the alert:
- If the cluster role was created maliciously or in error, remove it immediately to prevent further unauthorized access or activity.
- Change the credentials of any users who may have been involved in creating the unauthorized cluster role, and revoke their access if necessary.
- Review all users' permissions and access levels and ensure they are appropriate for their job functions. Remove any excessive permissions that could lead to potential security breaches.
- Conduct a thorough security audit of the affected cluster to identify other security vulnerabilities or suspicious activity.
- Implement additional security measures such as multi-factor authentication, network segmentation, and regular security training for users to prevent future security incidents.