C-0031 - Delete Kubernetes events


Description of the issue

A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod being scheduled on a node. Kubernetes events can be very useful for identifying changes that occur in the cluster. Therefore, attackers may want to delete these events (e.g., by running `kubectl delete events --all`) in an attempt to avoid detection of their activity in the cluster.

Related resources

ClusterRole, ClusterRoleBinding, Role, RoleBinding

What does this control test

List who has delete/deletecollection RBAC permissions on events.

Remediation

You should follow the least privilege principle. Minimize the number of subjects who can delete Kubernetes events, and avoid using these subjects in daily operations.

Example

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-exec
rules:
- apiGroups: ["*"]
  resources: ["events"]                  # we look for this resource or *
  verbs: ["delete", "deletecollection"]  # we look for this verb or *
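The check this control performs ("who has delete/deletecollection on events") and the remediation ("minimize the subjects who can") can be reproduced offline from the JSON that `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` emits. The script below is an added example, not Kubescape's own rule code: it flags every Role or ClusterRole whose rules match events (or `*`) with delete, deletecollection (or `*`), then follows RoleBindings and ClusterRoleBindings to list the subjects actually holding that permission. The sample objects are constructed for this example; the `pod-exec` Role mirrors the one shown on this page.

```python
"""Find RBAC roles, and the subjects bound to them, that can delete Kubernetes
events (the condition Kubescape control C-0031 reports on).

Added example for this page; not Kubescape's own implementation. It consumes the
`kubectl get ... -o json` shape (a dict with an "items" list). SAMPLE_ITEMS below
is constructed for the example.
"""
import json

# Events live in the core API group ("") and in events.k8s.io; "*" covers both.
EVENT_API_GROUPS = {"", "events.k8s.io", "*"}
EVENT_RESOURCES = {"events", "*"}
DELETE_VERBS = {"delete", "deletecollection", "*"}


def rule_allows_event_deletion(rule):
    """True if one RBAC rule grants delete or deletecollection on events.
    A wildcard in apiGroups, resources or verbs also matches, which is why the
    control says it looks for "this resource or *" and "this verb or *"."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    return bool(groups & EVENT_API_GROUPS) and bool(resources & EVENT_RESOURCES) \
        and bool(verbs & DELETE_VERBS)


def roles_that_delete_events(items):
    """Return {(kind, namespace, name)} for every Role/ClusterRole with an offending rule.
    ClusterRoles are cluster-scoped, so their namespace is None."""
    found = set()
    for obj in items:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        if any(rule_allows_event_deletion(r) for r in obj.get("rules", [])):
            meta = obj["metadata"]
            found.add((obj["kind"], meta.get("namespace"), meta["name"]))
    return found


def subjects_that_delete_events(items):
    """Resolve bindings to subjects: returns {(subject kind, subject id, binding kind, binding name)}.
    Service accounts are rendered as "namespace/name" so they are unambiguous."""
    roles = roles_that_delete_events(items)
    subjects = set()
    for obj in items:
        if obj.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        binding_ns = obj["metadata"].get("namespace")
        # A RoleBinding may point at a Role in its own namespace or at a ClusterRole;
        # a ClusterRoleBinding always points at a ClusterRole.
        key = ("ClusterRole", None, ref["name"]) if ref["kind"] == "ClusterRole" \
            else ("Role", binding_ns, ref["name"])
        if key not in roles:
            continue
        for s in obj.get("subjects", []):
            ident = s["name"]
            if s["kind"] == "ServiceAccount":
                ident = f"{s.get('namespace', binding_ns)}/{s['name']}"
            subjects.add((s["kind"], ident, obj["kind"], obj["metadata"]["name"]))
    return subjects


# Constructed sample: one Role like the page's example, one read-only ClusterRole
# (must not be flagged), one wildcard ClusterRole (must be flagged), and bindings.
SAMPLE_ITEMS = json.loads("""
{"items": [
 {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-exec"},
  "rules": [{"apiGroups": ["*"], "resources": ["events"], "verbs": ["delete", "deletecollection"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "event-reader"},
  "rules": [{"apiGroups": [""], "resources": ["events"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "RoleBinding", "metadata": {"namespace": "default", "name": "pod-exec-binding"},
  "roleRef": {"kind": "Role", "name": "pod-exec"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "default"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "event-reader-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "event-reader"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "wildcard-admin-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "wildcard-admin"},
  "subjects": [{"kind": "User", "name": "alice"}]}
]}
""")["items"]


if __name__ == "__main__":
    for role in sorted(roles_that_delete_events(SAMPLE_ITEMS), key=str):
        print("role can delete events:", role)
    for subj in sorted(subjects_that_delete_events(SAMPLE_ITEMS)):
        print("subject can delete events:", subj)
```

Against a live cluster, pipe the `kubectl get ... -o json` output into `json.load`, pass its `items` to `subjects_that_delete_events`, and compare the result with the short list of subjects you expect to hold this permission; anything else is a candidate for removing the verb from the role or the subject from the binding. Note that `*` in apiGroups, resources or verbs is what makes otherwise unrelated wildcard roles show up, which is the case the control's comments call out.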