
K8s Audit Log Namespace Created

This alert occurs when Lacework detects, from Kubernetes audit log events, that a namespace was created in the cluster.

Why this alert is important

Namespaces are the boundary on which RBAC, resource quotas and network policies are scoped, so monitoring their creation is part of keeping a Kubernetes cluster secure. A namespace created outside your normal provisioning process can indicate that an attacker with API access is establishing a foothold, or that an account holds broader permissions than it should.

Investigation

Follow these steps to investigate the alert:

  1. Gather logs from the Kubernetes control plane, including the API server logs and any other logging systems or tools you run. These logs may provide information about the namespace creation event and any activity around it.
  2. The audit log is the primary record of namespace creation. Find the audit events whose verb is create and whose target resource is namespaces, and note the timestamp, the user or service account that made the request, the source IP addresses, the user agent, and the response code. Also look for related modifications or deletions, and for denied (HTTP 403) attempts that preceded the successful one.
  3. Use kubectl or the API server directly to inspect the current state of namespaces. List namespaces sorted by creation time, and examine the new namespace's metadata, labels and annotations, and the workloads, service accounts and role bindings it contains. Pay attention to names that mimic system namespaces and to any configuration that does not match how your team normally provisions namespaces.
  4. Identify the users and service accounts that are permitted to create namespaces. Because Namespace is a cluster-scoped resource, this permission comes from a ClusterRole bound through a ClusterRoleBinding, so review those rather than namespaced Roles. Check whether the creator in the audit event actually holds such a binding, and whether the binding is intended, or is the result of a misconfiguration or a wildcard grant.
  5. Correlate the source IP recorded in the audit event with network data. If it is a pod IP, identify the pod that held that address at the time of the request; if it is external, check whether it belongs to an expected network. Review network logs, flow records or packet captures for other unusual traffic from the same source, such as connections to the API server from a workload that has no reason to make them.
  6. If you have a change management or incident tracking system, cross-reference the namespace creation event with any related change requests or incident reports. This provides additional context and helps distinguish an authorized change from an unauthorized one.
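The audit-log analysis in steps 2, 4 and 5 above can be scripted. The following is an added example, not Lacework's own code or detection logic: it reads audit.k8s.io/v1 Event records, one JSON object per line as the kube-apiserver log backend writes them, keeps the namespace create requests, and lists how each one deviates from an assumed baseline. The sample log, the expected creator list, the expected source network and the system-like name prefixes are all constructed for illustration; replace them with what your ClusterRoleBindings and provisioning pipeline actually allow.

```python
"""Triage Kubernetes audit events for namespace creation (added example).

Reads audit.k8s.io/v1 Event records (JSON lines) and flags namespace create
requests that deviate from an assumed baseline. Sample data is constructed.
"""
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed sample log: a routine provisioner-created namespace (a1), a
# namespace created from a pod by the default service account with a name
# mimicking kube-system (a2), a denied attempt from outside (a3), and an
# unrelated read that must be ignored (a4).
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","auditID":"a1","verb":"create","user":{"username":"system:serviceaccount:platform:ns-provisioner","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.1.20"],"userAgent":"argocd-application-controller/v2.9.3","objectRef":{"resource":"namespaces","name":"team-payments"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-03-01T09:15:02.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","auditID":"a2","verb":"create","user":{"username":"system:serviceaccount:default:default","groups":["system:serviceaccounts"]},"sourceIPs":["10.244.3.17"],"userAgent":"kubectl/v1.28.2 (linux/amd64)","objectRef":{"resource":"namespaces","name":"kube-systern"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-03-01T03:41:57.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","auditID":"a3","verb":"create","user":{"username":"bob@example.com","groups":["developers"]},"sourceIPs":["203.0.113.9"],"userAgent":"kubectl/v1.29.0 (darwin/arm64)","objectRef":{"resource":"namespaces","name":"scratch"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-03-01T03:40:10.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","auditID":"a4","verb":"get","user":{"username":"alice@example.com","groups":["platform-admins"]},"sourceIPs":["10.0.1.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"namespaces","name":"team-payments"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-03-01T09:16:00.000000Z"}
"""

# Assumed baseline (hypothetical). Derive the real one from the
# ClusterRoleBindings that grant create on namespaces and your pipeline.
EXPECTED_CREATORS = {"system:serviceaccount:platform:ns-provisioner"}
EXPECTED_SOURCE_NETS = [ipaddress.ip_network("10.0.1.0/24")]
SYSTEM_LIKE_PREFIXES = ("kube-", "openshift-")


@dataclass
class Finding:
    audit_id: str
    namespace: str
    user: str
    source_ips: list
    user_agent: str
    timestamp: str
    status_code: int
    reasons: list = field(default_factory=list)


def parse_events(log_text):
    """Yield decoded audit events, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_namespace_create(ev):
    """True for a completed create request whose target resource is Namespace."""
    ref = ev.get("objectRef") or {}
    return (ev.get("stage") == "ResponseComplete"
            and ev.get("verb") == "create"
            and ref.get("resource") == "namespaces")


def triage(ev):
    """Turn one create event into a Finding listing deviations from baseline."""
    user = (ev.get("user") or {}).get("username", "<unknown>")
    ips = ev.get("sourceIPs") or []
    f = Finding(audit_id=ev.get("auditID", ""),
                namespace=(ev.get("objectRef") or {}).get("name", ""),
                user=user, source_ips=ips,
                user_agent=ev.get("userAgent", ""),
                timestamp=ev.get("requestReceivedTimestamp", ""),
                status_code=(ev.get("responseStatus") or {}).get("code", 0))
    if user not in EXPECTED_CREATORS:
        f.reasons.append(f"unexpected creator {user}")
    # A namespace's 'default' service account should never create namespaces;
    # seeing it usually means a pod holds an over-privileged token.
    if user.startswith("system:serviceaccount:") and user.endswith(":default"):
        f.reasons.append("default service account used from a pod")
    for ip in ips:
        if not any(ipaddress.ip_address(ip) in net for net in EXPECTED_SOURCE_NETS):
            f.reasons.append(f"source {ip} outside expected networks")
    if f.namespace.startswith(SYSTEM_LIKE_PREFIXES):
        f.reasons.append(f"name {f.namespace!r} mimics a system namespace")
    # A denied create is still worth a look: often reconnaissance or a
    # credential being tested before a working one is found.
    if f.status_code >= 400:
        f.reasons.append(f"request denied with HTTP {f.status_code}")
    return f


def analyze(log_text):
    """Return a Finding for every namespace create request in the log."""
    return [triage(ev) for ev in parse_events(log_text) if is_namespace_create(ev)]


def suspicious(log_text):
    """Return only the findings that deviate from the baseline."""
    return [f for f in analyze(log_text) if f.reasons]


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_LOG):
        print("REVIEW" if f.reasons else "OK    ", f.timestamp, f.namespace,
              f.user, ",".join(f.source_ips), repr(f.user_agent))
        for r in f.reasons:
            print("         -", r)
```

Point the script at the file the API server writes when started with an audit policy and a log backend (the --audit-policy-file and --audit-log-path flags); the policy must record namespace create requests at least at the Metadata level for the fields used here to be present. The filter keeps only ResponseComplete events so that each request is counted once, and denied attempts are kept deliberately, since a 403 shortly before a successful creation by a different identity is a pattern worth noticing.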

Resolution

Follow these steps to resolve the alert:

  1. Before removing anything, preserve evidence: export the namespace and the resources in it, and keep the related audit log events, since deleting a namespace also deletes every namespaced resource inside it. Then remove the malicious namespace from the cluster, and confirm that its deployments, services and pods have actually terminated rather than being recreated by a controller elsewhere.
  2. Treat the situation as a security incident and follow your organization's incident response plan. Activate your incident response team and involve the relevant stakeholders, such as security personnel, system administrators, and legal or compliance teams.
  3. Conduct a thorough investigation to understand the root cause of the malicious namespace creation. Analyze logs, audit trails and any other available evidence to identify how the namespace was created, which credential was used and how it was obtained, and any associated activities or indicators of compromise.
  4. Take steps to remediate the issue and prevent similar incidents in the future, including:
    • Patch or fix the vulnerabilities that were exploited to create the malicious namespace, and rotate any credentials or service account tokens involved.
    • Review and adjust access control settings, roles and bindings so that only the identities that must create namespaces hold a ClusterRole allowing it.
    • Implement stronger security measures, such as network policies, container security solutions, or intrusion detection systems.
    • Update security practices and provide training to raise awareness among users and administrators about the importance of secure namespace management.
  5. Inform relevant stakeholders, including management, affected teams, customers, or regulatory authorities, about the incident as required by your organization's policies and legal obligations.
  6. Continue to monitor the cluster for suspicious activity and further unauthorized namespace creations. Conduct a post-incident review to identify lessons learned, update security controls, and improve incident response procedures.