K8s Audit Log Ingress Created

This alert occurs when Lacework detects an ingress was created.

In Kubernetes, an ingress is an API object that manages external access to services running within the cluster. It serves as a Kubernetes resource that allows you to define rules for routing incoming traffic to specific services based on criteria such as the hostname, path, or request headers.

Why this alert is important

By monitoring the creation of ingress resources, you can identify any unauthorized or suspicious access points to your cluster services, mitigating the risk of accidental exposure of internal services or containers. Detecting unexpected or unauthorized Ingresses enables early detection of potential security breaches or attempts to improperly expose services, bolstering the overall security of your cluster.

Investigation

Follow these steps to investigate the alert:

  1. Collect logs from the Kubernetes control plane, cluster components, and relevant monitoring systems. This may include audit logs, container logs, Ingress controller logs, and any other logs that capture relevant activities.
  2. Search for events related to the creation of Ingress resources. Look for logs, alerts, or notifications indicating the creation or modification of Ingress objects within the cluster.
  3. Examine the Kubernetes API server or configuration management system to inspect the Ingress configurations. Look for any recently created or modified Ingress resources and analyze their specifications, including hostnames, paths, and backend services.
  4. Assess the permissions and access control settings in your cluster. Identify the users or service accounts with the privileges to create or modify Ingress resources. Review their roles, role bindings, or RBAC settings to determine if there are any unauthorized or misconfigured access permissions.
  5. Monitor network traffic within the cluster to identify suspicious connections or communication related to the Ingress creation. Analyze network logs, traffic flows, or packet captures to trace the source and destination of traffic associated with the Ingress resources.
  6. Investigate the users or systems associated with the creation of the Ingress resources. Identify the entities responsible and review their permissions, access history, and any recent changes to their roles or privileges. Look for any anomalous activities or potential indicators of compromise.
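The following script is an added example for investigation steps 2 and 3 above; it is not Lacework's code or part of this alert's detection logic. It reads kube-apiserver audit events in JSON-lines form (the audit.k8s.io/v1 Event schema written at the RequestResponse level), extracts every Ingress create request together with the requesting user, source IP, hostnames and backend services, and marks the ones an analyst should look at first. The audit events, the approved-deployer allowlist and the list of sensitive namespaces are all constructed here as assumptions; substitute your own policy.

```python
import json

SENSITIVE_NAMESPACES = {"kube-system", "kube-public", "monitoring"}   # assumed policy
ALLOWED_CREATORS = {"system:serviceaccount:ci:deployer"}             # assumed allowlist


def _event(verb, user, ns, name, rules, code, ts, src):
    """Build one constructed audit.k8s.io/v1 Event, abridged to the fields used here."""
    return {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": verb, "requestReceivedTimestamp": ts, "sourceIPs": [src],
        "user": {"username": user},
        "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                      "namespace": ns, "name": name},
        "requestObject": {"spec": {"rules": rules}} if verb == "create" else None,
        "responseStatus": {"code": code},
    }


def _rule(host, svc, port):
    """One Ingress rule; a missing host matches every Host header, as in the API."""
    rule = {"http": {"paths": [{"path": "/", "pathType": "Prefix",
            "backend": {"service": {"name": svc, "port": {"number": port}}}}]}}
    if host:
        rule["host"] = host
    return rule


# Constructed audit log: a routine CI deploy, a create in kube-system with no host
# restriction, a create the API server denied, and a read that must be ignored.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("create", "system:serviceaccount:ci:deployer", "web", "shop",
           [_rule("shop.example.com", "shop-frontend", 80)], 201,
           "2024-01-10T12:00:01Z", "10.0.0.5"),
    _event("create", "jdoe", "kube-system", "dash",
           [_rule(None, "kubernetes-dashboard", 443)], 201,
           "2024-01-10T12:05:42Z", "203.0.113.7"),
    _event("create", "jdoe", "web", "shop-2",
           [_rule("shop.example.com", "shop-frontend", 80)], 403,
           "2024-01-10T12:06:00Z", "203.0.113.7"),
    _event("get", "jdoe", "web", "shop", [], 200, "2024-01-10T12:07:00Z", "203.0.113.7"),
])


def parse_ingress_creations(audit_jsonl):
    """Extract every Ingress create request from JSON-lines audit events.

    Denied requests (non-2xx) are kept: an attempt that RBAC blocked still
    belongs in the investigation timeline.
    """
    records = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ev.get("verb") != "create" or ref.get("resource") != "ingresses":
            continue
        if ev.get("stage") != "ResponseComplete":   # skip RequestReceived duplicates
            continue
        spec = ((ev.get("requestObject") or {}).get("spec")) or {}
        hosts, backends = [], []
        for rule in spec.get("rules", []):
            hosts.append(rule.get("host", "*"))      # "*" = no host restriction
            for p in (rule.get("http") or {}).get("paths", []):
                svc = (p.get("backend") or {}).get("service") or {}
                backends.append("%s/%s:%s" % (ref.get("namespace"), svc.get("name"),
                                              (svc.get("port") or {}).get("number")))
        code = (ev.get("responseStatus") or {}).get("code", 0)
        records.append({
            "time": ev.get("requestReceivedTimestamp"),
            "user": (ev.get("user") or {}).get("username", "<unknown>"),
            "source_ips": ev.get("sourceIPs", []),
            "namespace": ref.get("namespace"),
            "name": ref.get("name"),
            "hosts": hosts,
            "backends": backends,
            "allowed": 200 <= code < 300,
        })
    return records


def triage(record, allowed_creators=ALLOWED_CREATORS, sensitive=SENSITIVE_NAMESPACES):
    """Return the reasons a record deserves analyst attention (empty list = routine)."""
    reasons = []
    if record["user"] not in allowed_creators:
        reasons.append("creator %r is not an approved Ingress deployer" % record["user"])
    if record["namespace"] in sensitive:
        reasons.append("exposes a service in sensitive namespace %r" % record["namespace"])
    if "*" in record["hosts"]:
        reasons.append("rule without a host matches every Host header")
    if not record["allowed"]:
        reasons.append("request was rejected by the API server (attempted exposure)")
    return reasons


if __name__ == "__main__":
    for rec in parse_ingress_creations(SAMPLE_AUDIT_LOG):
        print("%s %s/%s by %s from %s hosts=%s backends=%s" % (
            rec["time"], rec["namespace"], rec["name"], rec["user"],
            ",".join(rec["source_ips"]), rec["hosts"], rec["backends"]))
        for reason in triage(rec):
            print("    !", reason)
```

Run it against a file exported from your audit backend instead of `SAMPLE_AUDIT_LOG`; the flagged records give you the user, source IP and backend services to carry into steps 4 through 6, and the entries with `allowed` set to false show which denied attempts preceded a successful creation.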

Resolution

Follow these steps to resolve the alert:

  1. Identify the malicious Ingress resource and disable or remove it from your cluster.
  2. Evaluate the potential impact of the malicious Ingress creation. Assess the affected services and data to understand the extent of the compromise. Determine if any unauthorized access or data breaches have occurred as a result.
  3. Treat the situation as a security incident and follow your organization's incident response plan. Activate your incident response team and involve relevant stakeholders such as security personnel, system administrators, and legal or compliance teams.
  4. Perform a thorough investigation to understand the root cause of the malicious Ingress creation. Analyze logs, audit trails, and any available evidence to identify how the unauthorized Ingress was created and any associated activities or indicators of compromise.
  5. Take steps to remediate the issue and prevent similar incidents in the future. This may involve:
    • Patch or fix vulnerabilities that were exploited to create the malicious Ingress.
    • Review and adjust access control settings, roles, and permissions to prevent unauthorized Ingress creations.
    • Implement stronger security measures such as network policies, intrusion detection systems, or security auditing tools.
    • Update security practices and training to raise awareness among users and administrators about the importance of secure Ingress management.
  6. Inform relevant stakeholders, including management, affected teams, customers, or regulatory authorities, about the incident as required by your organization's policies and legal obligations.
  7. Continuously monitor your cluster for any suspicious activities or further unauthorized Ingress creations. Conduct a post-incident review to identify lessons learned, update security controls, and improve incident response procedures.