Back to catalog

OpenShift: Kubeadmin Secret Accessed

No violationsstackroxhighruntime

Alert when the kubeadmin secret is accessed

Rationale
Kubeadmin is the default administrative user for OpenShift and can be used to obtain full administrative access to the cluster. Investigating if this was accessed for valid business purposes can help organizations to control the use of administrative privileges
Remediation
Audit the access carefully to ensure that this secret is only accessed for valid business purposes.
CategoriesAnomalous ActivityKubernetes Events
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 10.1
ISO/IEC 27001 2022
A.8.16
NIST SP 800-53 rev. 5
AU-2SI-4
PCI DSS 4.0
10.2.15.3.2
SOC 2 2017 TSC
CC7.2

Generated artifacts

1 of 5 targets supported
openshift-kubeadmin-secret-accessed.yaml
- rule: openshift-kubeadmin-secret-accessed
  desc: Alert when the kubeadmin secret is accessed
  condition: ka.target.resource in ("secrets") and ka.verb in ("get") and ka.target.name in ("kubeadmin") and not (ka.user.name in ("system:serviceaccount:openshift-authentication-operator:authentication-operator", "system:apiserver", "system:serviceaccount:openshift-authentication:oauth-openshift", "system:serviceaccount:openshift-compliance:api-resource-collector", "system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa"))
  output: "K8s API: user=%ka.user.name verb=%ka.verb resource=%ka.target.resource name=%ka.target.name (policy=OpenShift: Kubeadmin Secret Accessed)"
  priority: ERROR
  source: k8s_audit
  tags:
    - stackrox-import
    - policy
    - k
IR (canonical)
{
  "id": "18cbcb62-7d18-4a6c-b2ca-dd1242746943",
  "name": "OpenShift: Kubeadmin Secret Accessed",
  "description": "Alert when the kubeadmin secret is accessed",
  "rationale": "Kubeadmin is the default administrative user for OpenShift and can be used to obtain full administrative access to the cluster. Investigating if this was accessed for valid business purposes can help organizations to control the use of administrative privileges",
  "remediation": "Audit the access carefully to ensure that this secret is only accessed for valid business purposes.",
  "severity": "high",
  "categories": [
    "Anomalous Activity",
    "Kubernetes Events"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "audit-log",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "and",
    "children": [
      {
        "op": "criterion",
        "field": "kubernetes-resource",
        "values": [
          "SECRETS"
        ],
        "valuesOp": "or",
        "negate": false
      },
      {
        "op": "criterion",
        "field": "kubernetes-api-verb",
        "values": [
          "GET"
        ],
        "valuesOp": "or",
        "negate": false
      },
      {
        "op": "criterion",
        "field": "kubernetes-resource-name",
        "values": [
          "kubeadmin"
        ],
        "valuesOp": "or",
        "negate": false
      },
      {
        "op": "criterion",
        "field": "kubernetes-user-name",
        "values": [
          "system:serviceaccount:openshift-authentication-operator:authentication-operator",
          "system:apiserver",
          "system:serviceaccount:openshift-authentication:oauth-openshift",
          "system:serviceaccount:openshift-compliance:api-resource-collector",
          "system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa"
        ],
        "valuesOp": "or",
        "negate": true
      }
    ]
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "18cbcb62-7d18-4a6c-b2ca-dd1242746943",
  "name": "OpenShift: Kubeadmin Secret Accessed",
  "description": "Alert when the kubeadmin secret is accessed",
  "rationale": "Kubeadmin is the default administrative user for OpenShift and can be used to obtain full administrative access to the cluster. Investigating if this was accessed for valid business purposes can help organizations to control the use of administrative privileges",
  "remediation": "Audit the access carefully to ensure that this secret is only accessed for valid business purposes.",
  "disabled": false,
  "categories": [
    "Anomalous Activity",
    "Kubernetes Events"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "AUDIT_LOG_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Kubernetes Resource",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "SECRETS"
            }
          ]
        },
        {
          "fieldName": "Kubernetes API Verb",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "GET"
            }
          ]
        },
        {
          "fieldName": "Kubernetes Resource Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "kubeadmin"
            }
          ]
        },
        {
          "fieldName": "Kubernetes User Name",
          "booleanOperator": "OR",
          "negate": true,
          "values": [
            {
              "value": "system:serviceaccount:openshift-authentication-operator:authentication-operator"
            },
            {
              "value": "system:apiserver"
            },
            {
              "value": "system:serviceaccount:openshift-authentication:oauth-openshift"
            },
            {
              "value": "system:serviceaccount:openshift-compliance:api-resource-collector"
            },
            {
              "value": "system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0006",
      "techniques": [
        "T1552.007"
      ]
    },
    {
      "tactic": "TA0007",
      "techniques": [
        "T1613"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}