MITRE, AllControls, YAML-scanning
A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod being scheduled on a node. Kubernetes events can be very useful for identifying changes that occur in the cluster. Therefore, attackers may want to delete these events (e.g., with `kubectl delete events --all`) in an attempt to avoid detection of their activity in the cluster.
ClusterRole, ClusterRoleBinding, Role, RoleBinding
List who has delete/deletecollection RBAC permissions on events.
You should follow the least privilege principle. Minimize the number of subjects who can delete Kubernetes events, and avoid using these subjects in daily operations.
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-exec
rules:
- apiGroups: ["*"]
  resources: ["events"] # we look for this resource or *
  verbs: ["delete","deletecollection"] # we look for this verb or *
```
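One way to implement the check this control describes, as an added example that is not Kubescape's own code: it walks Role and ClusterRole rules for `delete` or `deletecollection` on `events` (treating `*` as a match, as the comments in the YAML above do, and also accepting the `events.k8s.io` API group alongside the core group), then resolves RoleBindings and ClusterRoleBindings to list which subjects actually hold such a role. The role and binding objects are constructed sample data shaped like the items of `kubectl get ... -o json` output.

```python
# Constructed sample objects, shaped like the items of `kubectl get roles,clusterroles -o json`.
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-exec"},
     "rules": [{"apiGroups": ["*"], "resources": ["events"], "verbs": ["delete", "deletecollection"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"namespace": "dev", "name": "event-reader"},
     "rules": [{"apiGroups": [""], "resources": ["events"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "events-admin"},
     "rules": [{"apiGroups": ["events.k8s.io"], "resources": ["events"], "verbs": ["delete"]}]},
]
# Constructed bindings; cluster-admin is deliberately left unbound to show the difference.
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"namespace": "default", "name": "pod-exec-binding"},
     "roleRef": {"kind": "Role", "name": "pod-exec"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "default", "name": "ci-runner"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "events-admin-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "events-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]
EVENT_API_GROUPS = {"", "events.k8s.io"}  # events live in the core group and in events.k8s.io
RISKY_VERBS = {"delete", "deletecollection"}

def rule_can_delete_events(rule):
    """True if one RBAC rule grants delete/deletecollection on events, directly or via '*'."""
    groups, resources, verbs = (set(rule.get(k, [])) for k in ("apiGroups", "resources", "verbs"))
    return bool(("*" in groups or groups & EVENT_API_GROUPS)
                and ("*" in resources or "events" in resources)
                and ("*" in verbs or verbs & RISKY_VERBS))

def _risky_role_keys(roles):
    # (kind, namespace-or-None, name) for every role with at least one event-deleting rule
    return {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"])
            for r in roles if any(rule_can_delete_events(x) for x in r.get("rules", []))}

def roles_that_can_delete_events(roles):
    """Offending roles as 'Role/<ns>/<name>' or 'ClusterRole/<name>'."""
    return sorted("/".join(filter(None, key)) for key in _risky_role_keys(roles))

def subjects_that_can_delete_events(roles, bindings):
    """Subjects that receive an offending role through a RoleBinding or ClusterRoleBinding."""
    risky, found = _risky_role_keys(roles), set()
    for b in bindings:
        ref = b["roleRef"]
        # A RoleBinding may reference a Role in its own namespace or any ClusterRole;
        # a ClusterRoleBinding has no namespace and can only reference a ClusterRole.
        ns = b["metadata"].get("namespace") if ref["kind"] == "Role" else None
        if (ref["kind"], ns, ref["name"]) in risky:
            for s in b.get("subjects", []):
                found.add(":".join(filter(None, [s["kind"], s.get("namespace"), s["name"]])))
    return sorted(found)
```

Against the sample data, `cluster-admin` is reported as an offending role but no subject is listed for it, because nothing binds it; in a real cluster it would of course be bound.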