K8s Audit Log Role With Pod Write

This alert occurs when Lacework detects the creation of a role that grants write permission to pods.

Why this alert is important

If an unauthorized user or entity creates a role that grants write permission to pods, they can potentially modify or manipulate the behavior of running pods. This can lead to data breaches, unauthorized access to sensitive information, or disruption of critical services.

Investigation

Follow these steps to investigate the alert:

  1. Check the Kubernetes audit logs to identify any relevant events or activities related to creating the suspicious role. Look for log entries indicating role creation, modification, or unauthorized access attempts. Pay specific attention to events related to role bindings and their associated permissions.
  2. Review your Kubernetes cluster's Role-Based Access Control (RBAC) configuration to understand the existing roles, role bindings, and permissions. Compare the authorized roles with the suspicious role to determine if it is legitimate or unauthorized. Look for inconsistencies, unexpected modifications, or suspicious associations with pods, users, or service accounts.
  3. Investigate the RBAC objects (Role and RoleBinding) associated with the suspicious role. Look for inconsistencies, unexpected modifications, or suspicious references to pods, users, or service accounts. Analyze the relationships between these objects to identify any potential malicious activity.
  4. Inspect the configurations of pods and deployments that are associated with the suspicious role. Look for any unauthorized modifications or changes that could indicate the role's write permission has been used. Check for anomalies in container images, command configurations, or volume mounts.
  5. Speak with the administrators, developers, or users who have access to create roles and role bindings. Obtain information about their activities, intentions, and any recent changes they have made. This can help identify any potential authorized actions that may have been misinterpreted as unauthorized.
  6. Involve your security and incident response teams to gather additional insights and expertise. They can assist in analyzing the logs, conducting forensic investigations, and providing guidance on security best practices to prevent similar incidents in the future.
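
As an added example, not Lacework's own detection logic, the following Python script scans Kubernetes audit log lines (JSON, one event per line) for completed create/update/patch requests on a Role or ClusterRole whose rules grant a write verb on pods, which is the kind of event step 1 asks you to look for. It assumes the cluster's audit policy records RBAC objects at the RequestResponse level so that requestObject and responseObject are present; the sample events, usernames and role names are constructed.

```python
import json

# Verbs that let the holder change pods; "*" grants every verb.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

def rules_grant_pod_write(rules):
    """True if any RBAC rule grants a write verb on pods (or on "*") in the core API group."""
    for rule in rules or []:
        groups, resources = set(rule.get("apiGroups", [])), set(rule.get("resources", []))
        if groups & {"", "*"} and resources & {"pods", "*"} and set(rule.get("verbs", [])) & WRITE_VERBS:
            return True
    return False

def find_pod_write_role_events(audit_lines):
    """One finding per completed create/update/patch of a Role or ClusterRole whose rules
    grant pod writes; 'applied' is False when the API server rejected the request."""
    findings = []
    for line in audit_lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if (ev.get("stage") != "ResponseComplete"
                or ev.get("verb") not in ("create", "update", "patch")
                or ref.get("resource") not in ("roles", "clusterroles")):
            continue
        # responseObject is the object as stored; rejected requests only carry requestObject.
        obj = ev.get("responseObject") or ev.get("requestObject") or {}
        if rules_grant_pod_write(obj.get("rules")):
            findings.append({
                "user": ev.get("user", {}).get("username"),
                "role": f"{ref.get('namespace', 'cluster-scope')}/{ref.get('name')}",
                "verb": ev["verb"],
                "applied": ev.get("responseStatus", {}).get("code", 0) < 300,
            })
    return findings

# Constructed sample events (not real audit logs), trimmed to the fields used above.
SAMPLE_AUDIT_LINES = [json.dumps(e) for e in [
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "dev-user"}, "responseStatus": {"code": 201},
     "objectRef": {"resource": "roles", "namespace": "prod", "name": "pod-editor"},
     "responseObject": {"rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "patch"]}]}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "auditor"}, "responseStatus": {"code": 201},
     "objectRef": {"resource": "roles", "namespace": "prod", "name": "pod-reader"},
     "responseObject": {"rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "ci-bot"}, "responseStatus": {"code": 403},
     "objectRef": {"resource": "clusterroles", "name": "all-access"},
     "requestObject": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}},
]]
```

Rejected requests are kept in the output with applied=False because a denied attempt to create such a role is itself worth following up in step 5. Subresources such as pods/exec are not matched by this check and would need their own rule.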

Resolution

Follow these steps to resolve the alert:

  1. If the role was created maliciously or in error, remove it immediately to prevent further unauthorized access or activity.
  2. Change the credentials of any users who may have been involved in creating the unauthorized role, and revoke their access if necessary.
  3. Review all users' permissions and access levels and ensure they are appropriate for their job functions. Remove any excessive permissions that could lead to potential security breaches.
  4. Conduct a thorough security audit of the affected cluster to identify other security vulnerabilities or suspicious activity.
  5. Implement additional security measures such as multi-factor authentication, network segmentation, and regular security training for users to prevent future security incidents.