heroui logo

GKE Cluster-Admin Role Binding Created or Modified

Elastic Detection Rules

View Source
Summary
Detects creation or modification of a Google Kubernetes Engine (GKE) ClusterRoleBinding that grants the cluster-admin ClusterRole, enabling unrestricted cluster access and potential persistence or privilege escalation. Implemented for Elastic stacks with GCP audit logs (index logs-gcp.audit-*) using the kuery query language. The rule triggers on GCP audit events where the action is creating, patching, or updating RBAC ClusterRoleBinding resources, the kind is ClusterRoleBinding, and the resource name corresponds to the cluster-admin binding (rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin). It presumes the GCP Fleet integration with GKE audit logs enabled. MITRE mappings include Account Manipulation (T1098) and its subtechnique Additional Container Cluster Roles (T1098.006), as well as Privilege Escalation (TA0004) and Persistence (TA0003). Triage should determine the actor via user.email, source.ip, and gcp.audit.request, and investigate for secret access, privileged pod activity, or webhook changes performed by the same actor. False positives may occur during approved bootstrap, recovery, or GitOps workflows that legitimately re-create cluster-admin bindings. The rule is designed to prompt rapid detection and investigation of dangerous RBAC changes in GKE clusters. Setup requires enabling the GCP Fleet integration with GKE audit logs.
Categories
  • Cloud
  • Kubernetes
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1098
  • T1098.006
Created: 2026-06-30