Skip to main content

New K8s Cluster

This alert occurs when Lacework detects a new Kubernetes cluster was created in your environment. Kubernetes is a popular container orchestration tool for managing containerized applications in a cluster environment.

Why this alert is important

A new Kubernetes cluster can introduce unknown security risks into an organization's environment. If the cluster is not properly configured or secured, it can be vulnerable to various attacks, such as data breaches, denial-of-service attacks, and other cyber threats.

Investigation

Follow these steps to investigate the alert:

  1. Collect relevant information about the incident. This may include the time and date the incident occurred, the name and details of the new cluster, and the user or entity that created it.
  2. Examine the configuration of the new cluster and identify any potential security risks. This may involve reviewing access controls, network policies, and other configuration settings.
  3. Evaluate the security posture of the new cluster by reviewing its security controls and assessing its vulnerability to potential threats. This may involve scanning for vulnerabilities and reviewing security logs and other relevant information.
  4. Identify any potential security risks or threats associated with the new cluster. This may include vulnerabilities in the container images or applications running in the cluster, misconfigured security controls, or unauthorized access.

Resolution

Follow these steps to resolve the alert:

  1. Immediately isolate the malicious cluster by disconnecting it from the network and disabling any access to it.
  2. Assess the extent of the damage caused by the malicious cluster, such as identifying any sensitive data that may have been compromised or any unauthorized access that may have occurred.
  3. Identify the attack source, such as the person or entity responsible for creating and deploying the malicious cluster.
  4. Remove the malicious cluster from the environment, including all associated resources, such as pods, services, and volumes.
  5. Implement appropriate security measures to prevent similar attacks from occurring in the future. This may include implementing access controls, network security policies, and vulnerability management processes.
  6. Notify relevant parties, such as internal teams or external customers, about the attack and the steps to mitigate it.
  7. Review your organization's policies and procedures for creating and managing Kubernetes clusters to ensure that they are followed and that appropriate security measures are in place.