K8s

Disallowed K8s User
Detect any k8s operation by users outside of an allowed set of users.
All K8s Audit Events
Match all K8s Audit Events
Full K8s Administrative Access
Detect any k8s operation by a user name that may be an administrator with full access.
Anonymous Request Allowed
Detect any request made by the anonymous user that was allowed

Pod

Create Disallowed Pod
Detect an attempt to start a pod with a container image outside of a list of allowed images.
Create Privileged Pod
Detect an attempt to start a pod with a privileged container
Create Sensitive Mount Pod
Detect an attempt to start a pod with a volume from a sensitive host directory (e.g. /proc). Exceptions are made for known trusted images.
Create HostNetwork Pod
Detect an attempt to start a pod using the host network.
Attach/Exec Pod
Detect any attempt to attach/exec to a pod
EphemeralContainers Created
Detect any ephemeral container created

Namespace

K8s Namespace Created
Detect any attempt to create a namespace
K8s Namespace Deleted
Detect any attempt to delete a namespace
Create Disallowed Namespace
Detect any attempt to create a namespace outside of a set of known namespaces
Pod Created in Kube Namespace
Detect any attempt to create a pod in the kube-system or kube-public namespaces

ClusterRole

System ClusterRole Modified/Deleted
Detect any attempt to modify/delete a ClusterRole/Role starting with system
Attach to cluster-admin Role
Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
ClusterRole With Wildcard Created
Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
ClusterRole With Write Privileges Created
Detect any attempt to create a Role/ClusterRole that can perform write-related actions
ClusterRole With Pod Exec Created
Detect any attempt to create a Role/ClusterRole that can exec to pods

Deployment

K8s Deployment Created
Detect any attempt to create a deployment
K8s Deployment Deleted
Detect any attempt to delete a deployment

Service

K8s Service Created
Detect any attempt to create a service
K8s Service Deleted
Detect any attempt to delete a service
Create NodePort Service
Detect an attempt to start a service with a NodePort service type

ConfigMap

K8s ConfigMap Created
Detect any attempt to create a configmap
K8s ConfigMap Deleted
Detect any attempt to delete a configmap
Create/Modify Configmap With Private Credentials
Detect creating/modifying a configmap containing a private credential (AWS key, password, etc.).

ServiceAccount

K8s Serviceaccount Created
Detect any attempt to create a service account
K8s Serviceaccount Deleted
Detect any attempt to delete a service account
Service Account Created in Kube Namespace
Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces

Role / Clusterrole

K8s Role/Clusterrole Created
Detect any attempt to create a cluster role/role
K8s Role/Clusterrole Deleted
Detect any attempt to delete a cluster role/role

RoleBinding / ClusterroleBinding

K8s Role/Clusterrolebinding Created
Detect any attempt to create a clusterrolebinding
K8s Role/Clusterrolebinding Deleted
Detect any attempt to delete a clusterrolebinding

Secret

K8s Secret Created
Detect any attempt to create a secret. Service account tokens are excluded.
K8s Secret Deleted
Detect any attempt to delete a secret. Service account tokens are excluded.

Ingress

Ingress Object without TLS Certificate Created
Detect any attempt to create an ingress without a TLS certificate.

Node

Untrusted Node Successfully Joined the Cluster
Detect a node that successfully joined the cluster but is not in the list of allowed nodes.
Untrusted Node Unsuccessfully Tried to Join the Cluster
Detect an unsuccessful attempt by a node not in the list of allowed nodes to join the cluster.