Rules

Disallowed K8s User

Detect any k8s operation by a user outside the allowed set of users.

Tags: k8s

Create Disallowed Pod

Detect an attempt to start a pod with a container image outside of a list of allowed images.

Tags: k8s

Create Privileged Pod

Detect an attempt to start a pod with a privileged container.

Tags: k8s

Create Sensitive Mount Pod

Detect an attempt to start a pod with a volume from a sensitive host directory (e.g. /proc). Exceptions are made for known trusted images.

Tags: k8s

Create HostNetwork Pod

Detect an attempt to start a pod using the host network.

Tags: k8s
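The four pod-creation rules above (disallowed image, privileged container, sensitive host mount, host network) all read the pod spec out of the audit event's requestObject. The following is an added example, not code from the original page and not the rule engine's own implementation: it runs those checks over constructed audit.k8s.io/v1 events. The allowed image prefixes, the trusted image list and the sensitive path list are assumptions chosen for the example. Note that requestObject is only present when the audit policy logs pods at level Request or RequestResponse; at Metadata level none of these checks have anything to inspect.

```python
"""Pod-creation checks from the catalogue above, run over constructed audit events.

Added example: policy values and sample events are assumptions, not the rule engine's defaults.
"""
from typing import Dict, List

# Constructed policy (assumptions for this example).
ALLOWED_IMAGE_PREFIXES = ("registry.internal/",)
TRUSTED_SENSITIVE_MOUNT_REPOS = {"registry.internal/node-exporter"}
SENSITIVE_HOST_PATHS = ("/", "/proc", "/etc", "/root", "/var/lib/kubelet",
                        "/var/run/docker.sock")


def _repository(image: str) -> str:
    """Strip tag and digest: 'reg:5000/ns/app:1.2' -> 'reg:5000/ns/app'."""
    image = image.split("@", 1)[0]
    head, _, last = image.rpartition("/")
    last = last.split(":", 1)[0]
    return f"{head}/{last}" if head else last


def _all_containers(spec: Dict) -> List[Dict]:
    # initContainers and ephemeralContainers get the same node access as regular ones.
    return ((spec.get("initContainers") or []) + (spec.get("containers") or [])
            + (spec.get("ephemeralContainers") or []))


def _is_sensitive(path: str) -> bool:
    """Exact match or a sub-directory of a sensitive path; '/' only matches exactly."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def check_pod_create(event: Dict) -> List[str]:
    """Return the catalogue rule names a pod-create audit event would trigger."""
    fired: List[str] = []
    ref = event.get("objectRef") or {}
    if event.get("verb") != "create" or ref.get("resource") != "pods":
        return fired
    if (event.get("responseStatus") or {}).get("code", 0) >= 400:
        return fired  # the API server rejected it; no pod was started
    # requestObject exists only when the audit policy logs pods at level Request/RequestResponse.
    spec = (event.get("requestObject") or {}).get("spec") or {}
    containers = _all_containers(spec)
    repos = {_repository(c.get("image", "")) for c in containers}

    if any(not c.get("image", "").startswith(ALLOWED_IMAGE_PREFIXES) for c in containers):
        fired.append("Create Disallowed Pod")
    if any((c.get("securityContext") or {}).get("privileged") for c in containers):
        fired.append("Create Privileged Pod")
    host_paths = [v["hostPath"].get("path", "") for v in spec.get("volumes") or [] if v.get("hostPath")]
    if any(_is_sensitive(p) for p in host_paths) and not repos <= TRUSTED_SENSITIVE_MOUNT_REPOS:
        fired.append("Create Sensitive Mount Pod")
    if spec.get("hostNetwork"):
        fired.append("Create HostNetwork Pod")
    return fired


def _event(name: str, spec: Dict, code: int = 201) -> Dict:
    """Build a minimal audit.k8s.io/v1 Event for a pod create (constructed sample)."""
    return {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "create",
        "user": {"username": "system:serviceaccount:default:ci", "groups": ["system:serviceaccounts"]},
        "objectRef": {"resource": "pods", "namespace": "default", "name": name},
        "responseStatus": {"code": code},
        "requestObject": {"kind": "Pod", "apiVersion": "v1", "spec": spec},
    }


SAMPLE_EVENTS = [  # constructed sample events
    _event("debug", {
        "hostNetwork": True,
        "containers": [{"name": "sh", "image": "docker.io/library/alpine:3.19",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
        "volumes": [{"name": "host", "hostPath": {"path": "/proc"}}],
    }),
    _event("web", {"containers": [{"name": "web", "image": "registry.internal/web:1.4"}]}),
    _event("node-exporter", {
        "containers": [{"name": "exporter", "image": "registry.internal/node-exporter:1.7"}],
        "volumes": [{"name": "proc", "hostPath": {"path": "/proc"}}],
    }),
    _event("denied", {"containers": [{"name": "sh", "image": "alpine",
                                     "securityContext": {"privileged": True}}]}, code=403),
]


def run_samples() -> Dict[str, List[str]]:
    return {e["objectRef"]["name"]: check_pod_create(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for name, rules in run_samples().items():
        print(f"{name}: {rules or 'no rule fired'}")
```

The trusted-image exception is applied per repository, not per full image reference, so a tag bump on a trusted exporter does not start alerting; the check also covers initContainers and ephemeralContainers, which the one-line descriptions above do not mention but which run with the same access to the node.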

Create NodePort Service

Detect an attempt to start a service with a NodePort service type.

Tags: k8s

Create/Modify Configmap With Private Credentials

Detect creating or modifying a configmap that contains a private credential (AWS access key, password, etc.).

Tags: k8s
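What counts as "a private credential" in the rule above is a matching question. The following is an added example, not code from the original page and not the rule engine's own matcher: it scans the data of a ConfigMap taken from a create, update or patch audit event for credential-looking key names and values. The regular expressions and the sample events are assumptions constructed for the example. One caveat shown in the code: for a patch request, requestObject holds the patch body rather than a ConfigMap, so the example falls back to responseObject, which is only present at audit level RequestResponse.

```python
"""ConfigMap credential check from the catalogue entry above, run over constructed audit events.

Added example: the patterns are assumptions, not the rule engine's own credential matcher.
"""
import re
from typing import Dict, List

# Constructed patterns (assumptions for this example).
KEY_PATTERN = re.compile(r"password|passwd|passphrase|secret|token", re.IGNORECASE)
VALUE_PATTERNS = [
    ("an AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("a PEM private key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("a credential assignment", re.compile(r"(?i)\b(?:password|passwd|aws_secret_access_key)\s*[:=]")),
]


def find_credentials(data: Dict[str, str]) -> List[str]:
    """Describe every key or value in a ConfigMap's data that looks like a credential."""
    findings: List[str] = []
    for key, value in data.items():
        if KEY_PATTERN.search(key):
            findings.append(f"key name {key!r} looks like a credential")
        for label, pattern in VALUE_PATTERNS:
            if pattern.search(value or ""):
                findings.append(f"value of {key!r} contains {label}")
    return findings


def check_configmap_event(event: Dict) -> List[str]:
    """Apply find_credentials to a create/update/patch of a ConfigMap that the API server accepted."""
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "configmaps" or event.get("verb") not in ("create", "update", "patch"):
        return []
    if (event.get("responseStatus") or {}).get("code", 0) >= 400:
        return []
    # For patch, requestObject is the patch body, not a ConfigMap; the stored result
    # is in responseObject when the audit policy level is RequestResponse.
    obj = event.get("requestObject") if event["verb"] != "patch" else event.get("responseObject")
    return find_credentials((obj or {}).get("data") or {})


def _event(name: str, verb: str, data: Dict[str, str]) -> Dict:
    """Constructed audit.k8s.io/v1 Event; the stored object is carried in responseObject."""
    cm = {"kind": "ConfigMap", "apiVersion": "v1",
          "metadata": {"name": name, "namespace": "app"}, "data": data}
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
            "verb": verb, "user": {"username": "deployer"},
            "objectRef": {"resource": "configmaps", "namespace": "app", "name": name},
            "responseStatus": {"code": 201 if verb == "create" else 200},
            "requestObject": cm if verb != "patch" else [{"op": "replace", "path": "/data", "value": data}],
            "responseObject": cm}


SAMPLE_EVENTS = [  # constructed sample events
    _event("db-config", "create", {"DB_HOST": "db.app.svc", "DB_PASSWORD": "hunter2"}),
    _event("aws-config", "patch", {"config.ini": "[default]\n"
                                   "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                                   "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"}),
    _event("app-config", "update", {"LOG_LEVEL": "info"}),
]


def run_samples() -> Dict[str, List[str]]:
    return {e["objectRef"]["name"]: check_configmap_event(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {findings or 'clean'}")
```

Key-name matching is deliberately broad (a key called DB_SECRET_NAME will be reported too), so in practice this rule is tuned with an exception list per namespace or per ConfigMap name rather than by narrowing the patterns.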

Anonymous Request Allowed

Detect any request by the anonymous user (system:anonymous) that the API server allowed.

Tags: k8s

Attach/Exec Pod

Detect any attempt to attach or exec to a pod.

Tags: k8s

EphemeralContainers Created

Detect the creation of an ephemeral container in a running pod.

Tags: k8s

Create Disallowed Namespace

Detect any attempt to create a namespace outside the set of known namespaces.

Tags: k8s

Pod Created in Kube Namespace

Detect any attempt to create a pod in the kube-system or kube-public namespaces.

Tags: k8s

Service Account Created in Kube Namespace

Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces.

Tags: k8s

System ClusterRole Modified/Deleted

Detect any attempt to modify or delete a ClusterRole/Role whose name starts with system:.

Tags: k8s

Attach to cluster-admin Role

Detect any attempt to create a ClusterRoleBinding that references the built-in cluster-admin ClusterRole.

Tags: k8s

ClusterRole With Wildcard Created

Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs.

Tags: k8s

ClusterRole With Write Privileges Created

Detect any attempt to create a Role/ClusterRole that grants write verbs (e.g. create, update, patch, delete).

Tags: k8s

ClusterRole With Pod Exec Created

Detect any attempt to create a Role/ClusterRole that can exec to pods.

Tags: k8s
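The four RBAC rules above (binding to cluster-admin, wildcard, write privileges, pod exec) inspect the rules array of a Role/ClusterRole or the roleRef of a binding in the audit event's requestObject. The following is an added example, not code from the original page and not the rule engine's own logic: it evaluates those four checks over constructed audit.k8s.io/v1 events. The set of verbs treated as writes, the decision to count a "*" verb as write access, and the sample events are assumptions made for this example. It also reports a RoleBinding (not only a ClusterRoleBinding) to cluster-admin, since that still grants full control of one namespace.

```python
"""RBAC-creation checks from the catalogue above, run over constructed audit events.

Added example: verb sets and sample events are assumptions, not the rule engine's own logic.
"""
from typing import Dict, List, Set, Tuple

# Verbs this example treats as "write-related" (assumed set).
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def _rule_pairs(obj: Dict) -> List[Tuple[Set[str], Set[str]]]:
    """(resources, verbs) per rule entry, so verbs are not mixed across rules."""
    return [(set(r.get("resources") or []), set(r.get("verbs") or []))
            for r in obj.get("rules") or []]


def check_rbac_create(event: Dict) -> List[str]:
    """Return the catalogue rule names an RBAC-object create event would trigger."""
    fired: List[str] = []
    if event.get("verb") != "create" or (event.get("responseStatus") or {}).get("code", 0) >= 400:
        return fired
    resource = (event.get("objectRef") or {}).get("resource")
    obj = event.get("requestObject") or {}  # present only at audit level Request/RequestResponse

    if resource in ("roles", "clusterroles"):
        pairs = _rule_pairs(obj)
        if any("*" in res or "*" in verbs for res, verbs in pairs):
            fired.append("ClusterRole With Wildcard Created")
        # A '*' verb includes every write verb, so this example counts it as write access.
        if any(verbs & (WRITE_VERBS | {"*"}) for _, verbs in pairs):
            fired.append("ClusterRole With Write Privileges Created")
        # Exec is a create on the pods/exec subresource; '*' resources are caught by the wildcard rule.
        if any("pods/exec" in res and verbs & {"create", "*"} for res, verbs in pairs):
            fired.append("ClusterRole With Pod Exec Created")
    elif resource in ("rolebindings", "clusterrolebindings"):
        role_ref = obj.get("roleRef") or {}
        # cluster-admin is a built-in ClusterRole; a RoleBinding to it still grants
        # full control of one namespace, so both binding kinds are reported here.
        if role_ref.get("kind") == "ClusterRole" and role_ref.get("name") == "cluster-admin":
            fired.append("Attach to cluster-admin Role")
    return fired


def _event(resource: str, name: str, body: Dict, namespace: str = "") -> Dict:
    """Build a minimal audit.k8s.io/v1 Event for an RBAC object create (constructed sample)."""
    ref = {"resource": resource, "name": name}
    if namespace:
        ref["namespace"] = namespace
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
            "verb": "create", "user": {"username": "alice", "groups": ["developers"]},
            "objectRef": ref, "responseStatus": {"code": 201}, "requestObject": body}


SAMPLE_EVENTS = [  # constructed sample events
    _event("clusterroles", "ops-all", {"kind": "ClusterRole", "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}),
    _event("roles", "debugger", {"kind": "Role", "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]}, namespace="default"),
    _event("clusterrolebindings", "ci-admin", {"kind": "ClusterRoleBinding",
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "default"}]}),
    _event("clusterroles", "viewer", {"kind": "ClusterRole", "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]}),
]


def run_samples() -> Dict[str, List[str]]:
    return {e["objectRef"]["name"]: check_rbac_create(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for name, rules in run_samples().items():
        print(f"{name}: {rules or 'no rule fired'}")
```

Verbs and resources are evaluated per rule entry rather than flattened across the whole role; otherwise a role granting get on pods/exec and create on configmaps would be reported as able to exec, which it is not.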

K8s Deployment Created

Detect any attempt to create a deployment.

Tags: k8s

K8s Deployment Deleted

Detect any attempt to delete a deployment.

Tags: k8s

K8s Service Created

Detect any attempt to create a service.

Tags: k8s

K8s Service Deleted

Detect any attempt to delete a service.

Tags: k8s

K8s ConfigMap Created

Detect any attempt to create a configmap.

Tags: k8s

K8s ConfigMap Deleted

Detect any attempt to delete a configmap.

Tags: k8s

K8s Namespace Created

Detect any attempt to create a namespace.

Tags: k8s

K8s Namespace Deleted

Detect any attempt to delete a namespace.

Tags: k8s

K8s Serviceaccount Created

Detect any attempt to create a service account.

Tags: k8s

K8s Serviceaccount Deleted

Detect any attempt to delete a service account.

Tags: k8s

K8s Role/Clusterrole Created

Detect any attempt to create a Role or ClusterRole.

Tags: k8s

K8s Role/Clusterrole Deleted

Detect any attempt to delete a Role or ClusterRole.

Tags: k8s

K8s Role/Clusterrolebinding Created

Detect any attempt to create a RoleBinding or ClusterRoleBinding.

Tags: k8s

K8s Role/Clusterrolebinding Deleted

Detect any attempt to delete a RoleBinding or ClusterRoleBinding.

Tags: k8s

K8s Secret Created

Detect any attempt to create a secret. Service account token secrets are excluded.

Tags: k8s

K8s Secret Deleted

Detect any attempt to delete a secret. Service account token secrets are excluded.

Tags: k8s

All K8s Audit Events

Match all K8s audit events.

Tags: k8s

Full K8s Administrative Access

Detect any k8s operation by a user name that may belong to an administrator with full access.

Tags: k8s

Ingress Object without TLS Certificate Created

Detect any attempt to create an Ingress without TLS configured (no spec.tls entry referencing a certificate secret).

Tags: k8s, network

Untrusted Node Successfully Joined the Cluster

Detect a node that successfully joined the cluster but is not in the list of allowed nodes.

Tags: k8s

Untrusted Node Unsuccessfully Tried to Join the Cluster

Detect an unsuccessful attempt to join the cluster by a node that is not in the list of allowed nodes.

Tags: k8s