Kubeflow Service Account Key
Service Name: Kubeflow
Service Description: Kubeflow is an open-source machine learning platform designed to make deployments of ML workflows on Kubernetes simple, portable, and scalable. It provides a straightforward way to deploy best-of-breed open-source systems for ML to diverse infrastructures.
Service Address: https://www.kubeflow.org/
Validation Type: API Auth
IP Allow list: IP restrictions can be implemented at the Kubernetes cluster level using Network Policies or through the cloud provider's security groups if running on cloud infrastructure.
Secret Access Scope: Grants programmatic access to Kubeflow resources and services within a Kubernetes cluster. Depending on the permissions assigned to the service account, it may allow management of pipelines, notebooks, training jobs, and other ML workloads.
Secret Revokement URL: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#delete-a-service-account
Secret Example: Kubeflow Service Account Key
Suspicious Activity Investigation Instructions:
- Review Kubernetes audit logs for unusual API calls or resource access.
- Check for unauthorized access to Kubeflow pipelines, notebooks, or other resources.
- Monitor for unusual job submissions or resource creation in the Kubeflow environment.
- Examine network traffic patterns for unusual data transfers or API calls.
- Review cloud provider logs if Kubeflow is deployed on a cloud platform.
Mitigation Instructions:
- Immediately revoke the compromised service account key by deleting the service account or rotating its credentials.
- For GCP-based Kubeflow deployments:
- Navigate to the Google Cloud Console IAM section.
- Locate the service account and disable or delete it.
- Create a new service account with appropriate permissions if needed.
- For Kubernetes-based deployments:
- Use
kubectl delete serviceaccount <account-name> -n <namespace>to remove the compromised service account. - Create a new service account with appropriate RBAC permissions.
- Review and update RBAC policies to enforce the Principle of Least Privilege.
- Implement network policies to restrict service account access to only necessary resources.
- Enable audit logging for all Kubeflow components to better monitor future activity.