K8s Audit Log Role With All Resources

This alert occurs when Lacework detects the creation of a role that grants full access to all namespace-level resources.

Why this alert is important

With this role, a user, group, or service account can manipulate and manage any resource within the namespace, including pods, services, config maps, secrets, deployments, and more.

Investigation

Follow these steps to investigate the alert:

  1. Check the Kubernetes audit logs to identify any relevant events or activities related to the role-binding creation. Look for log entries that indicate role-binding creations, modifications, or unauthorized access attempts. The audit logs can provide valuable information about who performed the action and when it occurred.
  2. Review the Kubernetes cluster's Role-Based Access Control (RBAC) configuration to understand the existing role bindings. Compare the authorized role bindings with the suspicious role binding to determine if it is legitimate or unauthorized. Look for inconsistencies, unexpected modifications, or suspicious associations with users or service accounts.
  3. Collect information about the suspicious role binding, such as its name, associated user or service account, and other available details. Note any suspicious or anomalous behavior associated with the role binding, such as unusual permissions or naming conventions.
  4. Investigate the RBAC objects (Role, RoleBinding, ClusterRole, ClusterRoleBinding) associated with the suspicious role binding. Look for inconsistencies, unexpected modifications, or suspicious references to users or service accounts. Analyze the relationships between these objects to identify any potential malicious activity.
  5. Review the cluster-wide role bindings to identify any suspicious role bindings that grant excessive privileges or have conflicting permissions. These can be indicators of a maliciously created role binding.
  6. Determine the source of the unauthorized role-binding creation. It could be an external attacker, a compromised account, or an insider with unauthorized access. Investigate the intent behind creating the role binding and identify the root cause, such as misconfigured permissions, vulnerabilities, or social engineering.
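As an added example (not part of the Lacework documentation), the following script applies the check from step 1 to raw Kubernetes audit log lines: it flags completed creates or updates of a Role or ClusterRole whose rules wildcard API groups, resources and verbs at once, and records who did it, where, and whether the API server accepted it. It assumes the audit policy logs RBAC objects at level Request or RequestResponse (so `requestObject` is present); the sample events are constructed, not taken from a real cluster.

```python
import json

# Constructed sample Kubernetes audit events (JSON lines); not taken from any real cluster.
SAMPLE_AUDIT_LINES = [
    json.dumps({"stage": "ResponseComplete", "verb": "create", "responseStatus": {"code": 201},
                "requestReceivedTimestamp": "2024-01-01T10:00:00Z",
                "user": {"username": "system:serviceaccount:dev:ci-bot"},
                "objectRef": {"resource": "roles", "namespace": "dev", "name": "all-access"},
                "requestObject": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}}),
    json.dumps({"stage": "ResponseComplete", "verb": "create", "responseStatus": {"code": 201},
                "requestReceivedTimestamp": "2024-01-01T10:05:00Z",
                "user": {"username": "alice@example.com"},
                "objectRef": {"resource": "roles", "namespace": "dev", "name": "pod-reader"},
                "requestObject": {"rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}}),
    json.dumps({"stage": "ResponseStarted", "verb": "list", "user": {"username": "alice@example.com"},
                "objectRef": {"resource": "pods", "namespace": "dev"}}),
]

def rule_grants_everything(rule):
    """True when a single RBAC rule wildcards API groups, resources and verbs at once."""
    return all("*" in rule.get(key, []) for key in ("apiGroups", "resources", "verbs"))

def find_all_resource_roles(lines):
    """Return one finding per completed create/update of a Role or ClusterRole that
    contains a fully wildcarded rule. Assumes the audit policy logs these objects at
    level Request or RequestResponse, otherwise requestObject is absent."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in ("create", "update"):
            continue  # only completed requests that write a role definition
        ref = ev.get("objectRef", {})
        if ref.get("resource") not in ("roles", "clusterroles"):
            continue
        req = ev.get("requestObject")
        rules = req.get("rules", []) if isinstance(req, dict) else []
        if any(rule_grants_everything(r) for r in rules):
            findings.append({
                "when": ev.get("requestReceivedTimestamp"),
                "who": ev.get("user", {}).get("username"),
                "kind": ref["resource"],
                "namespace": ref.get("namespace"),  # None for a ClusterRole
                "name": ref.get("name"),
                "status": ev.get("responseStatus", {}).get("code"),  # 403 = denied attempt
            })
    return findings
```

A denied attempt (HTTP 403) is still logged at ResponseComplete and is reported with its status code, so the same pass surfaces both successful creations and unauthorized attempts from step 1.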