Skip to content

Kubernetes Cluster Credentials

Service Name: Kubernetes

Service Description: Kubernetes is an open-source container orchestration platform designed to automate the deployment, scaling, and management of containerized applications.

Service Address: https://kubernetes.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be implemented at the cluster level using network policies or through cloud provider security groups.

Secret Access Scope: Grants access to Kubernetes cluster resources including pods, services, deployments, and other Kubernetes objects based on the associated RBAC permissions.

Secret Revokement URL: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs

Secret Example:

apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t...
    server: https://kubernetes.example.com:6443
  name: example-cluster
contexts:
- context:
    cluster: example-cluster
    user: example-user
  name: example-context
current-context: example-context
users:
- name: example-user
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t...
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBeFE3bk...

Suspicious Activity Investigation Instructions:

  • Review Kubernetes audit logs for unusual API calls or resource access.
  • Check for unauthorized pod creation or service modifications.
  • Monitor for unusual network traffic patterns within the cluster.
  • Look for privilege escalation attempts or role binding changes.
  • Examine resource usage patterns for anomalies.
  • Check for unauthorized access to sensitive namespaces.

Mitigation Instructions:

  • Rotate the compromised Kubernetes credentials immediately.
  • Revoke the compromised certificate if using client certificates.
  • Update service account tokens if those were compromised.
  • Review and update RBAC permissions to limit access.
  • Enable audit logging if not already enabled.
  • Implement network policies to restrict pod-to-pod communication.
  • Consider implementing just-in-time access to the cluster.
  • Review all workloads deployed during the suspected compromise period.
  • Implement Pod Security Policies or Pod Security Standards to restrict pod privileges.