C-0031 - Delete Kubernetes events

Framework

MITRE, AllControls

Severity

Medium

Description of the the issue

A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node. Kubernetes events can be very useful for identifying changes that occur in the cluster. Therefore, attackers may want to delete these events (e.g., by using: “kubectl delete events–all”) in an attempt to avoid detection of their activity in the cluster.

Related resources

ClusterRole, ClusterRoleBinding, Role, RoleBinding

What does this control test

List who has delete/deletecollection RBAC permissions on events.

Remediation

You should follow the least privilege principle. Minimize the number of subjects who can delete Kubernetes events. Avoid using these subjects in the daily operations.

Example

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-exec
rules:
- apiGroups: ["*"]
  resources: ["events"]  		   # we look for this resource or *
  verbs: ["delete","deletecollection"]	   # we look for this verb or *