Rancher API Token
Service Name: Rancher
Service Description: Rancher is an open-source container management platform that makes it easy to deploy and manage containers in production. It provides a complete container management platform for Kubernetes, allowing users to deploy and manage multiple Kubernetes clusters across different cloud providers or on- premises infrastructure.
Service Address: https://rancher.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the cluster level through Rancher's authentication provider configuration.
Secret Access Scope: Grants programmatic access to Rancher API, allowing management of Kubernetes clusters, deployments, and other container resources.
Secret Revokement URL: https://rancher.com/docs/rancher/v2.x/en/api/api-tokens/
Secret Example: token-abcde:pzfghijklmnopqrstuvwxyz12345678901234567890
Suspicious Activity Investigation Instructions:
- Review Rancher audit logs for unusual API calls or resource access.
- Check for unauthorized cluster creation or modification.
- Monitor for unusual container deployments or workload changes.
- Examine network traffic patterns to and from Rancher API endpoints.
- Verify if there are any unauthorized users or roles created in the system.
Mitigation Instructions:
-
Log in to the Rancher UI as an administrator.
-
Navigate to API & Keys section in the user profile.
- Locate the compromised API token.
- Delete the token to immediately revoke access.
- Create a new token with appropriate permissions if needed.
- Review and update access control policies for all remaining tokens.
- Consider implementing shorter token expiration periods.
- Enable audit logging if not already active to monitor future API usage.