K8s Audit Log Role With Secrets
This alert occurs when Lacework detects the creation of a role that grants access to all secrets within a namespace.
Why this alert is important
Secrets in Kubernetes often contain sensitive information such as API keys, passwords, and certificates. If a role is created that grants access to all secrets within a namespace, it can allow unauthorized individuals or applications to retrieve that sensitive data. Detecting such roles is crucial to prevent unauthorized access and data breaches.
Investigation
Follow these steps to investigate the alert:
- Review the Kubernetes audit logs for relevant entries related to role creations or modifications within the namespace of interest.
- Search for the specific Role and RoleBinding objects associated with the namespace. These objects are typically defined in the Kubernetes configuration files or managed through the Kubernetes API.
- Pay close attention to the permissions and rules defined within the role. Look for any indications of access to secrets within the namespace.
- Determine which users or service accounts are associated with the role. Investigate their activity and access patterns. Look for suspicious or unauthorized access attempts related to secrets within the namespace.
- Verify that the role adheres to the principle of least privilege. Ensure that access is only granted to the necessary entities and that unnecessary or excessive privileges are not present.
- Examine the RoleBinding objects associated with the namespace. Ensure the correct role is bound to the appropriate users or service accounts. Look for any unauthorized or suspicious role bindings.
- Utilize monitoring and logging systems to analyze the historical data or audit trail. Look for any indications of unauthorized role creations or suspicious activities related to secret access within the namespace.
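As an added example (not Lacework's code or its detection logic), the following script applies the audit-log checks above to constructed sample events: it keeps only completed Role create/update/patch requests and flags any rule that can read every Secret in a namespace, while ignoring rules narrowed by resourceNames. It assumes the cluster's audit policy records request bodies (level Request or RequestResponse), because the rules are taken from requestObject.

```python
import json

# Constructed sample audit events (not real logs); one JSON event per line,
# as emitted by the API server's audit log backend.
AUDIT_LOG = r"""
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"roles","namespace":"payments","name":"secret-reader"},"requestObject":{"rules":[{"apiGroups":[""],"resources":["secrets"],"verbs":["get","list"]}]}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"roles","namespace":"payments","name":"one-secret"},"requestObject":{"rules":[{"apiGroups":[""],"resources":["secrets"],"resourceNames":["db-creds"],"verbs":["get"]}]}}
{"kind":"Event","stage":"ResponseComplete","verb":"update","user":{"username":"bob"},"objectRef":{"resource":"roles","namespace":"dev","name":"admin-ish"},"requestObject":{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"configmaps","namespace":"dev","name":"cfg"}}
{"kind":"Event","stage":"RequestReceived","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"roles","namespace":"dev","name":"dup"},"requestObject":{"rules":[{"apiGroups":[""],"resources":["secrets"],"verbs":["watch"]}]}}
"""

READ_VERBS = {"get", "list", "watch", "*"}


def rule_exposes_all_secrets(rule):
    """True if a single RBAC rule can read every Secret in its namespace."""
    groups = rule.get("apiGroups", [])
    in_core = "" in groups or "*" in groups          # Secrets live in the core ("") API group
    covers_secrets = {"secrets", "*"} & set(rule.get("resources", []))
    scoped = bool(rule.get("resourceNames"))         # named secrets only, not "all"
    can_read = READ_VERBS & set(rule.get("verbs", []))
    return in_core and bool(covers_secrets) and not scoped and bool(can_read)


def find_secret_wide_roles(audit_log):
    """Return one finding per Role create/update/patch that grants all-secrets read."""
    findings = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Each request also emits a RequestReceived event; count only the completed one.
        if ev.get("stage") != "ResponseComplete":
            continue
        ref = ev.get("objectRef", {})
        if ev.get("verb") not in {"create", "update", "patch"} or ref.get("resource") != "roles":
            continue
        rules = (ev.get("requestObject") or {}).get("rules", [])
        if any(rule_exposes_all_secrets(r) for r in rules):
            findings.append({"namespace": ref.get("namespace"), "role": ref.get("name"),
                             "user": ev.get("user", {}).get("username"), "verb": ev["verb"]})
    return findings


if __name__ == "__main__":
    for finding in find_secret_wide_roles(AUDIT_LOG):
        print(finding)
```

The same filter applied to ClusterRole events (resource "clusterroles") would catch cluster-wide grants, which are broader than the namespace-scoped case this alert covers.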
Resolution
Follow these steps to resolve the alert:
- If the role was created maliciously or in error, remove it immediately to prevent further unauthorized access or activity.
- Change the credentials of any users who may have been involved in creating the unauthorized role, and revoke their access if necessary.
- Review all users' permissions and access levels and ensure they are appropriate for their job functions. Remove any excessive permissions that could lead to potential security breaches.
- Conduct a thorough security audit of the affected cluster to identify other security vulnerabilities or suspicious activity.
- Implement additional security measures such as multi-factor authentication, network segmentation, and regular security training for users to prevent future security incidents.