C-0031 - Delete Kubernetes events
Framework
MITRE, AllControls
Severity
Medium
Description of the the issue
A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node. Kubernetes events can be very useful for identifying changes that occur in the cluster. Therefore, attackers may want to delete these events (e.g., by using: “kubectl delete events–all”) in an attempt to avoid detection of their activity in the cluster.
Related resources
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
List who has delete/deletecollection RBAC permissions on events.
Remediation
You should follow the least privilege principle. Minimize the number of subjects who can delete Kubernetes events. Avoid using these subjects in the daily operations.
Example
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-exec
rules:
- apiGroups: ["*"]
resources: ["events"] # we look for this resource or *
verbs: ["delete","deletecollection"] # we look for this verb or *
Updated 9 days ago