
Summary
This rule detects requests to attach a controller service account to a pod in the kube-system namespace of a Kubernetes cluster. These are the admin-equivalent service accounts that the controllers of the Kubernetes Controller Manager run under, and they are not normally assigned to ordinary pods. An attacker who can create pods in kube-system can bind one of these accounts to a pod, read its token, and use it to escalate privileges to effectively full control of the cluster. The rule triggers on Kubernetes audit logs, specifically on allowed pod creation requests in kube-system whose pod spec names a service account containing 'controller'. Investigative steps include reviewing the related audit events, tracing the request back to its source user and IP, checking the history of the service account involved, and evaluating what the assigned permissions would have allowed. The response to a detected event includes isolating the pod, revoking the tokens involved, reviewing recent changes in the namespace, and improving monitoring.
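The detection logic described above, run over a handful of constructed audit events, as an added example that is not the rule's own query or any vendor code. It assumes the standard Kubernetes audit event layout (verb, objectRef, annotations, requestObject) and that the audit policy records pod requests at level Request or RequestResponse, since at Metadata level the pod spec, and therefore the service account name, is not in the event. The deprecated spec.serviceAccount field is matched as well as spec.serviceAccountName because the API server still honours it as an alias. The sample log lines, user names and IPs are made up for the example.

```python
import json
from typing import Iterable, Optional

# Constructed sample audit events (newline-delimited JSON), not real cluster data.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","verb":"create","user":{"username":"system:serviceaccount:default:deployer"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"kube-system","name":"debug-pod"},"annotations":{"authorization.k8s.io/decision":"allow"},"requestObject":{"spec":{"serviceAccountName":"replicaset-controller"}}}
{"kind":"Event","verb":"create","user":{"username":"kubelet"},"sourceIPs":["10.0.0.2"],"objectRef":{"resource":"pods","namespace":"default","name":"web"},"annotations":{"authorization.k8s.io/decision":"allow"},"requestObject":{"spec":{"serviceAccountName":"default"}}}
{"kind":"Event","verb":"create","user":{"username":"alice"},"sourceIPs":["192.0.2.10"],"objectRef":{"resource":"pods","namespace":"kube-system","name":"evil"},"annotations":{"authorization.k8s.io/decision":"forbid"},"requestObject":{"spec":{"serviceAccountName":"deployment-controller"}}}
{"kind":"Event","verb":"create","user":{"username":"bob"},"sourceIPs":["192.0.2.11"],"objectRef":{"resource":"pods","namespace":"kube-system","name":"legacy"},"annotations":{"authorization.k8s.io/decision":"allow"},"requestObject":{"spec":{"serviceAccount":"node-controller"}}}
{"kind":"Event","verb":"get","user":{"username":"carol"},"sourceIPs":["192.0.2.12"],"objectRef":{"resource":"pods","namespace":"kube-system","name":"x"},"annotations":{"authorization.k8s.io/decision":"allow"}}
"""


def service_account_of(event: dict) -> Optional[str]:
    """Return the service account named in the pod spec, if the event carries it.

    requestObject only exists when pods are audited at level Request or
    RequestResponse; otherwise this returns None and the rule cannot fire.
    """
    spec = event.get("requestObject", {}).get("spec", {})
    return spec.get("serviceAccountName") or spec.get("serviceAccount")


def match_event(event: dict, require_allowed: bool = True) -> Optional[dict]:
    """Apply the rule's conditions to one audit event; return alert fields or None."""
    if event.get("verb") != "create":
        return None
    ref = event.get("objectRef", {})
    if ref.get("resource") != "pods" or ref.get("namespace") != "kube-system":
        return None
    decision = event.get("annotations", {}).get("authorization.k8s.io/decision")
    if require_allowed and decision != "allow":
        return None
    sa = service_account_of(event)
    if not sa or "controller" not in sa.lower():
        return None
    # Fields an analyst needs to trace the request's source and scope its impact.
    return {
        "pod": ref.get("name"),
        "service_account": sa,
        "user": event.get("user", {}).get("username"),
        "source_ips": event.get("sourceIPs", []),
        "decision": decision,
    }


def detect(lines: Iterable[str], require_allowed: bool = True) -> list:
    """Run the rule over newline-delimited audit JSON and collect alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than crash the pipeline
        hit = match_event(event, require_allowed)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(alert)
```

With the default `require_allowed=True` the run flags the replicaset-controller and node-controller pods and ignores the forbidden attempt and the pod in the default namespace; passing `require_allowed=False` also surfaces the denied attempt, which is a useful lower-severity signal that someone is probing for this escalation path.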
Categories
- Kubernetes
Data Sources
- Kernel
- Container
- Process
ATT&CK Techniques
- T1078
- T1078.001
Created: 2022-09-13