
Administration Guide

K8s Audit Log Cluster Role Bindings To Edit

This alert occurs when Lacework FortiCNAPP detects that a user on your Kubernetes cluster has successfully created a cluster role binding that binds a user to an edit role.

Why this alert is important

Users with an edit role have read/write access to most objects in a namespace. The edit role does not allow viewing or modifying roles or role bindings.

Investigation

Follow these steps to investigate the alert:

  1. Check the Kubernetes audit logs to identify when and by whom the cluster role binding was created.
  2. Identify the user or group that was granted the edit privileges. You can find this information in the subjects field of the ClusterRoleBinding object.
  3. Determine if the user or group is authorized to have edit privileges.
  4. Review the Kubernetes audit logs for any other unauthorized changes to the namespace that may have been made by the user or group in question.
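Steps 1 to 3 above can be automated over the cluster's audit log. The following is an added example, not Lacework FortiCNAPP or Kubernetes project code: it reads `audit.k8s.io/v1` events (one JSON object per line, as written by the API server's log backend at `RequestResponse` level, where `requestObject` is present), keeps only successful `create` requests on `clusterrolebindings` whose `roleRef` is the `edit` ClusterRole, and reports the acting user and the bound subjects. The sample log lines and the `approved_subjects` allowlist used to model step 3 are constructed for this example.

```python
import json

# Constructed sample audit.k8s.io/v1 events: a successful edit grant, a denied
# attempt (403), a binding to a different role, and an unrelated pod read.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2024-05-01T10:15:02.000000Z","user":{"username":"alice@example.com","groups":["system:authenticated"]},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"give-bob-edit"},"responseStatus":{"code":201},"requestObject":{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"edit"},"subjects":[{"kind":"User","name":"bob@example.com"},{"kind":"Group","name":"contractors"}]}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2024-05-01T10:16:40.000000Z","user":{"username":"alice@example.com"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"denied-attempt"},"responseStatus":{"code":403},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"edit"},"subjects":[{"kind":"User","name":"mallory"}]}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2024-05-01T10:17:00.000000Z","user":{"username":"ci-bot"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"readers"},"responseStatus":{"code":201},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"view"},"subjects":[{"kind":"Group","name":"auditors"}]}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","requestReceivedTimestamp":"2024-05-01T10:18:00.000000Z","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-1"},"responseStatus":{"code":200}}
"""


def find_edit_bindings(audit_lines, approved_subjects=frozenset()):
    """Return one finding per successful ClusterRoleBinding create that grants the edit ClusterRole."""
    findings = []
    for raw in audit_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        ref = ev.get("objectRef", {})
        # Only completed, successful (2xx) creates of ClusterRoleBindings; the
        # ResponseComplete stage filter avoids double-counting RequestReceived events.
        if (ev.get("verb") != "create"
                or ev.get("stage") != "ResponseComplete"
                or ref.get("resource") != "clusterrolebindings"
                or not 200 <= ev.get("responseStatus", {}).get("code", 0) < 300):
            continue
        # requestObject is only logged at Request/RequestResponse audit levels
        body = ev.get("requestObject") or {}
        role_ref = body.get("roleRef", {})
        if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") != "edit":
            continue
        subjects = [f'{s.get("kind")}/{s.get("name")}' for s in body.get("subjects", [])]
        findings.append({
            "when": ev.get("requestReceivedTimestamp"),   # step 1: when
            "actor": ev.get("user", {}).get("username"),   # step 1: by whom
            "binding": ref.get("name"),
            "subjects": subjects,                          # step 2: who was granted edit
            # step 3: subjects not on the (assumed) approved allowlist need review
            "unapproved": [s for s in subjects if s not in approved_subjects],
        })
    return findings


if __name__ == "__main__":
    for finding in find_edit_bindings(SAMPLE_AUDIT_LOG.splitlines(),
                                      approved_subjects={"Group/contractors"}):
        print(finding)
```

Point the function at the API server audit log (or the export your SIEM holds) instead of the constructed sample; the denied 403 attempt is deliberately dropped because the alert covers successful bindings only, though it is worth a separate look under step 4.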

Resolution

Follow these steps to resolve the alert:

  1. If the cluster role binding was created maliciously or in error, remove it immediately to prevent further unauthorized access or activity.
  2. Change the credentials of any users who may have been involved in creating the unauthorized cluster role binding, and revoke their access if necessary.
  3. Review all users' permissions and access levels and ensure they are appropriate for their job functions. Remove any excessive permissions that could lead to potential security breaches.
  4. Conduct a thorough security audit of the affected cluster to identify other security vulnerabilities or suspicious activity.
  5. Implement additional security measures such as multi-factor authentication, network segmentation, and regular security training for users to prevent future security incidents.