Skip to content

OpenShift Token

Service Name: Red Hat OpenShift

Service Description: Red Hat OpenShift is an enterprise Kubernetes container platform that provides a consistent application platform to manage hybrid cloud, multicloud, and edge deployments. It enables DevOps teams to build, deploy, and manage containerized applications.

Service Address: https://www.redhat.com/en/technologies/cloud-computing/openshift

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the cluster level using network policies and ingress controllers.

Secret Access Scope: Grants programmatic access to OpenShift clusters with permissions based on the associated service account or user role. Can provide access to manage containers, deployments, services, routes, and other Kubernetes resources.

Secret Revokement URL: https://docs.openshift.com/container-platform/latest/authentication/remove-kubeadmin.html

Secret Example: sha256~dGhpc2lzYW5leGFtcGxlb3BlbnNoaWZ0dG9rZW5mb3JkZW1vbnN0cmF0aW9ucHVycG9zZXM

Suspicious Activity Investigation Instructions:

  • Review the OpenShift audit logs for unusual API calls or resource access
  • Check for unexpected pod deployments, service creations, or route modifications
  • Monitor for unauthorized namespace creation or resource modifications
  • Examine network traffic patterns for unusual connections to or from the cluster

  • Review authentication logs for failed login attempts or unusual access patterns

Mitigation Instructions:

  • Immediately revoke the compromised token by deleting the associated service account or OAuth token
  • Create a new service account with appropriate permissions if needed
  • Rotate all credentials for affected clusters
  • Review and update RBAC policies to enforce the Principle of Least Privilege.
  • Enable or review audit logging to monitor for future suspicious activities
  • Consider implementing network policies to restrict pod-to-pod and external communications
  • Update any CI/CD pipelines or applications that were using the compromised token