K8s Audit Log Role Binding Created
This alert occurs when Lacework detects that a role binding has been created. A role binding grants the permissions defined in a role to one or more subjects. It holds a list of subjects (users, groups, or service accounts) and a reference to the role being granted.
Why this alert is important
If a malicious actor creates a role binding without proper authorization, they may gain unauthorized access to resources, manipulate or steal sensitive data, or disrupt the cluster's operations. Detecting such unauthorized role-binding creations helps ensure that only legitimate users have appropriate access privileges.
Investigation
Follow these steps to investigate the alert:
- Review your Kubernetes cluster's role bindings to identify any unusual or unauthorized role bindings. Look for inconsistencies in naming conventions, unexpected permissions, or associations with unknown users or service accounts.
- Collect information about the suspicious role binding, such as its name, associated user or service account, and other available details. Note any suspicious or anomalous behavior associated with the role binding. Review the Kubernetes audit logs to identify any relevant events or activities related to the creation of the suspicious role binding. Look for log entries that indicate role-binding creations, modifications, or unauthorized access attempts.
- Examine your Kubernetes cluster's Role-Based Access Control (RBAC) configuration to understand the existing role bindings, roles, and service accounts. Compare the suspicious role binding with authorized role bindings to determine its legitimacy.
- Investigate the RBAC objects (Role, RoleBinding, ClusterRole, ClusterRoleBinding) associated with the suspicious role binding. Look for inconsistencies, unexpected modifications, or suspicious references to users or service accounts.
- Check the cluster-wide role bindings to identify any suspicious role bindings that grant excessive privileges or have conflicting permissions. These can indicate a maliciously created role binding.
- Look for relevant events or log entries related to creating or modifying RBAC objects. Check container logs, system logs, and other relevant logs to identify suspicious activities or anomalies.
- Identify the source of the malicious role-binding creation. It could be an external attacker, a compromised account, or an insider with unauthorized access. Determine the intent behind creating the role binding and investigate the root cause, such as misconfigured permissions, vulnerabilities, or social engineering.
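The investigation steps above can be scripted against the cluster's audit log. The following is an added example and not part of Lacework's documentation or product: it reads Kubernetes audit events (audit.k8s.io/v1, JSON lines), keeps only successful creates of RoleBinding and ClusterRoleBinding objects, and records who created the binding, from where, which role it references and which subjects it grants, attaching a reason for each property an analyst would want to review (creator not on an approved list, creator is a workload service account, a privileged built-in role, a broad group such as system:authenticated, or a subject not in the known inventory). The audit events, the approved-creator list, the known-subject set and the role names treated as privileged are all constructed for the example.

```python
import json
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample of audit.k8s.io/v1 events as JSON lines, trimmed to the fields used here.
# a1: routine namespaced binding; a2: cluster-admin granted by a workload service account;
# a3: create denied (403); a4: not an RBAC object. None of this is real cluster data.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"ci-deployer@example.com","groups":["platform-team"]},"sourceIPs":["10.0.0.12"],"objectRef":{"resource":"rolebindings","namespace":"payments","name":"app-reader","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":201},"requestObject":{"kind":"RoleBinding","subjects":[{"kind":"ServiceAccount","name":"app","namespace":"payments"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"pod-reader"}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:web-frontend","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.3.7"],"objectRef":{"resource":"clusterrolebindings","name":"debug-admin","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":201},"requestObject":{"kind":"ClusterRoleBinding","subjects":[{"kind":"User","name":"tmp-operator"},{"kind":"Group","name":"system:authenticated"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"create","user":{"username":"dev@example.com"},"objectRef":{"resource":"rolebindings","namespace":"dev","name":"denied","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"create","user":{"username":"ci-deployer@example.com"},"objectRef":{"resource":"pods","namespace":"payments","name":"web-1"},"responseStatus":{"code":201}}
"""

# Constructed policy inputs; a real deployment would load these from its own RBAC inventory.
APPROVED_CREATORS = {"ci-deployer@example.com"}        # identities expected to create bindings
KNOWN_SUBJECTS = {"ServiceAccount:payments/app"}       # subjects expected to receive grants
PRIVILEGED_ROLES = {"cluster-admin", "admin", "edit"}  # built-in roles that always merit review
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}


@dataclass
class BindingFinding:
    audit_id: str
    binding_kind: str          # RoleBinding or ClusterRoleBinding
    binding_name: str
    namespace: Optional[str]   # None for cluster-scoped bindings
    created_by: str
    source_ips: List[str]
    role_ref: str              # e.g. "ClusterRole/cluster-admin"
    subjects: List[str]        # rendered as Kind:namespace/name
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_audit_lines(text: str) -> Iterable[dict]:
    """Yield one decoded audit event per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def is_successful_binding_create(event: dict) -> bool:
    """True only for completed, successful creates of RoleBinding/ClusterRoleBinding objects."""
    ref = event.get("objectRef", {})
    code = event.get("responseStatus", {}).get("code", 0)
    return (event.get("verb") == "create"
            and event.get("stage") == "ResponseComplete"
            and ref.get("apiGroup") == "rbac.authorization.k8s.io"
            and ref.get("resource") in ("rolebindings", "clusterrolebindings")
            and 200 <= code < 300)


def format_subject(subject: dict) -> str:
    """Render a subject as Kind:namespace/name (namespace is empty for Users and Groups)."""
    return f"{subject.get('kind')}:{subject.get('namespace', '')}/{subject.get('name')}"


def triage_event(event: dict, approved_creators, known_subjects) -> BindingFinding:
    """Extract the binding's details and attach one reason per property worth investigating."""
    ref = event["objectRef"]
    obj = event.get("requestObject", {})
    role_ref = obj.get("roleRef", {})
    raw_subjects = obj.get("subjects", [])
    finding = BindingFinding(
        audit_id=event.get("auditID", "?"),
        binding_kind=obj.get("kind", ref["resource"]),
        binding_name=ref.get("name", "?"),
        namespace=ref.get("namespace"),
        created_by=event.get("user", {}).get("username", "?"),
        source_ips=event.get("sourceIPs", []),
        role_ref=f"{role_ref.get('kind')}/{role_ref.get('name')}",
        subjects=[format_subject(s) for s in raw_subjects],
    )
    if finding.created_by not in approved_creators:
        finding.reasons.append(f"creator {finding.created_by!r} is not an approved binding creator")
    if finding.created_by.startswith("system:serviceaccount:"):
        finding.reasons.append("created by a workload service account, not a person or pipeline")
    if role_ref.get("name") in PRIVILEGED_ROLES:
        scope = "cluster-wide" if finding.namespace is None else f"in namespace {finding.namespace}"
        finding.reasons.append(f"binds privileged role {role_ref.get('name')!r} {scope}")
    for raw, rendered in zip(raw_subjects, finding.subjects):
        if raw.get("kind") == "Group" and raw.get("name") in BROAD_GROUPS:
            finding.reasons.append(f"grants to broad group {raw.get('name')!r}")
        elif rendered not in known_subjects:
            finding.reasons.append(f"unknown subject {rendered}")
    return finding


def triage_audit_log(text: str, approved_creators=APPROVED_CREATORS,
                     known_subjects=KNOWN_SUBJECTS) -> List[BindingFinding]:
    """Return one finding per successful binding creation found in the audit log text."""
    return [triage_event(e, approved_creators, known_subjects)
            for e in parse_audit_lines(text) if is_successful_binding_create(e)]


if __name__ == "__main__":
    for f in triage_audit_log(SAMPLE_AUDIT_LOG):
        verdict = "REVIEW" if f.suspicious else "expected"
        print(f"[{verdict}] {f.binding_kind} {f.namespace or '<cluster>'}/{f.binding_name} "
              f"by {f.created_by} from {f.source_ips} -> {f.role_ref} for {f.subjects}")
        for reason in f.reasons:
            print("    -", reason)
```

Run against a real cluster by piping the API server's audit log file (or the export from your log pipeline) into `triage_audit_log` and replacing the constructed allow-lists with your own inventory of approved pipelines and expected subjects. Denied creates (HTTP 403) are deliberately excluded from findings because no binding came into existence, but a burst of them from one identity is itself worth a separate look when investigating the source of the activity.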
Resolution
Follow these steps to resolve the alert:
- Disable or remove the unauthorized role binding from your Kubernetes cluster. Take necessary actions to ensure that any associated permissions or access granted by the role binding are revoked.
- Investigate and identify the source of the unauthorized role-binding creation. Determine whether it was due to a compromised account, misconfigured permissions, or other security vulnerabilities. This step will help you address the root cause of the issue.
- Review your Kubernetes RBAC configuration and ensure it aligns with the principle of least privilege. Remove unnecessary role bindings or service accounts to reduce the attack surface.
- Strengthen security measures by implementing multi-factor authentication (MFA) for user accounts, regularly updating and patching your Kubernetes cluster, and conducting security audits and assessments.
- Monitor your Kubernetes cluster for further unauthorized role-binding creations or suspicious activities. Implement logging and monitoring solutions to detect and alert on potential security breaches.
- Consider implementing a change management process that includes reviewing and approving any role-binding creations or modifications before they are applied to the production environment.
- Keep your Kubernetes cluster and associated components up to date with the latest security patches and updates. Regularly review and apply security best practices recommended by the Kubernetes community and relevant security resources.