New K8s Namespace
This alert occurs when Lacework detects that a new Kubernetes namespace has been created within a Kubernetes cluster.
Why this alert is important
A namespace is a virtual cluster within a Kubernetes cluster, used to isolate resources and applications logically. Namespaces provide a way to organize and partition resources and enforce access control and resource quotas.
The creation of a new Kubernetes namespace can be a normal and expected operation in a Kubernetes environment, but it can also indicate a potential security risk if an unauthorized or malicious user creates the namespace.
Investigation
Follow these steps to investigate the alert:
- Collect information about the created namespace, including its name, creation time, and any associated labels or annotations.
- Review the Kubernetes access controls to determine if the user who created the namespace had the appropriate permissions. Check if any roles or role bindings have been recently modified, which could have granted the user additional privileges.
- Check the Kubernetes API server logs and any relevant container logs or system logs to identify any suspicious activity or unauthorized access.
- Analyze network traffic to and from the Kubernetes cluster to identify unusual or suspicious traffic patterns.
- Scan the namespace and associated resources for any signs of malware or malicious code.
- Review Kubernetes audit logs to determine if any unauthorized actions were taken within the cluster.
- If a legitimate user created the namespace, follow up with them to determine the reason for the creation and ensure they had the appropriate permissions.
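The first three investigation steps (identify the namespace and its creator, check for recent RBAC changes by that identity, and review the API server audit log) can be worked through against the Kubernetes audit log directly. The following Python script is an added example, not part of the Lacework documentation or product: it reads audit events in the standard audit.k8s.io/v1 JSON-lines format, lists every namespace creation with the identity, source IP and result code, and attaches any Role/RoleBinding/ClusterRole/ClusterRoleBinding writes the same identity made in the preceding hour. The sample events and the KNOWN_AUTOMATION allowlist are constructed for the example; in a real investigation you would feed it the audit log exported from the API server and your own list of expected provisioning identities.

```python
"""Triage Kubernetes audit events for namespace creations (added example).

Pairs each `create namespaces` event with the creating identity and any RBAC
writes that identity performed shortly before. Event shape follows the
audit.k8s.io/v1 Event format; the sample log and the allowlist are constructed.
"""
import json
from datetime import datetime, timedelta

# Identities whose namespace creations are expected (assumed for this example).
KNOWN_AUTOMATION = {
    "system:serviceaccount:argocd:argocd-application-controller",
}

RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch"}

# Constructed sample audit log (one JSON event per line), not data from a real cluster.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"alice","groups":["developers"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"clusterrolebindings","name":"alice-admin","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-05-01T09:45:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"alice","groups":["developers"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","namespace":"dev"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T09:50:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"alice","groups":["developers"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"namespaces","name":"payments-tmp"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-05-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:argocd:argocd-application-controller","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.0.12"],"objectRef":{"resource":"namespaces","name":"staging-blue"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-05-01T10:05:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"bob","groups":["developers"]},"sourceIPs":["198.51.100.4"],"objectRef":{"resource":"namespaces","name":"bob-test"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-05-01T10:10:00.000000Z"}
"""


def parse_timestamp(value):
    """Audit timestamps are RFC 3339 with microseconds and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_audit_events(text):
    """Parse JSON-lines audit output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_namespace_creation(event):
    ref = event.get("objectRef", {})
    return (event.get("verb") == "create"
            and ref.get("resource") == "namespaces"
            and event.get("stage") == "ResponseComplete")


def rbac_changes_by(events, username, before, window):
    """Successful RBAC writes by `username` in the `window` preceding `before`."""
    hits = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if ev.get("verb") not in WRITE_VERBS or ref.get("resource") not in RBAC_RESOURCES:
            continue
        if ev.get("user", {}).get("username") != username:
            continue
        if ev.get("responseStatus", {}).get("code", 0) >= 300:
            continue
        ts = parse_timestamp(ev["requestReceivedTimestamp"])
        if before - window <= ts <= before:
            hits.append(f"{ev['verb']} {ref['resource']}/{ref.get('name', '?')}")
    return hits


def triage_namespace_creations(text, window=timedelta(hours=1)):
    """Return one finding per namespace-creation request, flagged for review when warranted."""
    events = parse_audit_events(text)
    findings = []
    for ev in events:
        if not is_namespace_creation(ev):
            continue
        user = ev.get("user", {}).get("username", "<unknown>")
        when = parse_timestamp(ev["requestReceivedTimestamp"])
        code = ev.get("responseStatus", {}).get("code", 0)
        succeeded = 200 <= code < 300
        rbac = rbac_changes_by(events, user, when, window)
        findings.append({
            "namespace": ev["objectRef"].get("name"),
            "user": user,
            "groups": ev.get("user", {}).get("groups", []),
            "source_ips": ev.get("sourceIPs", []),
            "time": when.isoformat(),
            "succeeded": succeeded,
            "preceding_rbac_changes": rbac,
            # Review when the creator is not a known automation identity, the
            # request was denied (someone probing), or RBAC was changed just before.
            "needs_review": user not in KNOWN_AUTOMATION or not succeeded or bool(rbac),
        })
    return findings


if __name__ == "__main__":
    for f in triage_namespace_creations(SAMPLE_AUDIT_LOG):
        flag = "REVIEW" if f["needs_review"] else "ok"
        print(f"[{flag}] {f['namespace']} by {f['user']} from {f['source_ips']} "
              f"at {f['time']} rbac={f['preceding_rbac_changes']}")
```

On the constructed sample, `payments-tmp` is flagged because a developer account created it minutes after creating a ClusterRoleBinding for itself (exactly the privilege-escalation pattern step two asks you to look for), `staging-blue` passes because it came from the allowlisted deployment controller, and the denied `bob-test` request is surfaced even though no namespace was created, since a 403 from an interactive user is worth a follow-up conversation.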
Resolution
Resolving a malicious new K8s namespace involves taking the following steps:
- Disable the namespace.
- Isolate the namespace by removing it from critical systems, networks, or applications.
- Investigate the namespace for any malicious deployments or unauthorized access. Review the namespace for abnormal or suspicious behavior, and identify unauthorized access or modifications.
- Remove any malicious deployments from the namespace and take steps to ensure that the namespace cannot be used to launch any further attacks.
- Investigate the root cause of the malicious new K8s namespace and determine how the attacker gained access. Check for any weaknesses in the Kubernetes environment, such as insecure configurations or misconfigured access controls.
- Remediate any vulnerabilities that allowed the attacker to gain access and take steps to improve the security of the Kubernetes environment. This may include implementing security best practices, such as enabling RBAC (role-based access control), enforcing network segmentation, and regular vulnerability scanning and patching.