Kubernetes Cluster Credentials
Service Name: Kubernetes
Service Description: Kubernetes is an open-source container orchestration platform designed to automate the deployment, scaling, and management of containerized applications.
Service Address: https://kubernetes.io/
Validation Type: API Auth
IP Allow list: IP restrictions can be implemented at the cluster level using network policies or through cloud provider security groups.
Secret Access Scope: Grants access to Kubernetes cluster resources including pods, services, deployments, and other Kubernetes objects based on the associated RBAC permissions.
Secret Revokement URL: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs
Secret Example:
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t...
server: https://kubernetes.example.com:6443
name: example-cluster
contexts:
- context:
cluster: example-cluster
user: example-user
name: example-context
current-context: example-context
users:
- name: example-user
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t...
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBeFE3bk...
Suspicious Activity Investigation Instructions:
- Review Kubernetes audit logs for unusual API calls or resource access.
- Check for unauthorized pod creation or service modifications.
- Monitor for unusual network traffic patterns within the cluster.
- Look for privilege escalation attempts or role binding changes.
- Examine resource usage patterns for anomalies.
- Check for unauthorized access to sensitive namespaces.
Mitigation Instructions:
- Rotate the compromised Kubernetes credentials immediately.
- Revoke the compromised certificate if using client certificates.
- Update service account tokens if those were compromised.
- Review and update RBAC permissions to limit access.
- Enable audit logging if not already enabled.
- Implement network policies to restrict pod-to-pod communication.
- Consider implementing just-in-time access to the cluster.
- Review all workloads deployed during the suspected compromise period.
- Implement Pod Security Policies or Pod Security Standards to restrict pod privileges.