Skip to content

Rancher API Token

Service Name: Rancher

Service Description: Rancher is an open-source container management platform that makes it easy to deploy and manage containers in production. It provides a complete container management platform for Kubernetes, allowing users to deploy and manage multiple Kubernetes clusters across different cloud providers or on- premises infrastructure.

Service Address: https://rancher.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the cluster level through Rancher's authentication provider configuration.

Secret Access Scope: Grants programmatic access to Rancher API, allowing management of Kubernetes clusters, deployments, and other container resources.

Secret Revokement URL: https://rancher.com/docs/rancher/v2.x/en/api/api-tokens/

Secret Example: token-abcde:pzfghijklmnopqrstuvwxyz12345678901234567890

Suspicious Activity Investigation Instructions:

  • Review Rancher audit logs for unusual API calls or resource access.
  • Check for unauthorized cluster creation or modification.
  • Monitor for unusual container deployments or workload changes.
  • Examine network traffic patterns to and from Rancher API endpoints.
  • Verify if there are any unauthorized users or roles created in the system.

Mitigation Instructions:

  • Log in to the Rancher UI as an administrator.

  • Navigate to API & Keys section in the user profile.

  • Locate the compromised API token.
  • Delete the token to immediately revoke access.
  • Create a new token with appropriate permissions if needed.
  • Review and update access control policies for all remaining tokens.
  • Consider implementing shorter token expiration periods.
  • Enable audit logging if not already active to monitor future API usage.