
Summary
This rule monitors Google Cloud Platform (GKE) audit logs for creation or modification of Kubernetes RBAC Roles and ClusterRoles that grant high‑risk permissions. It detects allowed create, update, or patch actions on Roles and ClusterRoles that introduce broad or elevated RBAC capabilities, such as wildcard verbs or escalation-related actions (e.g., bind, escalate, impersonate), which could enable privilege escalation or unauthorized access within a GKE cluster. The detection is anchored to GCP audit events (gcp.audit) for Kubernetes RBAC resources (roles, clusterroles) and correlates these changes with related RoleBindings/ClusterRoleBindings and potential follow‑on activity (e.g., secret access or exec). The rule provides investigation guidance to identify the actor, target resource, and context of the change, and to assess subsequent privilege‑escalation paths. It also codifies exclusions for legitimate bootstrap or platform automation activity (e.g., known operators and system components) to reduce noise.
Categories
- Cloud
- Kubernetes
Data Sources
- Cloud Service
ATT&CK Techniques
- T1098
- T1098.006
Created: 2026-07-10