Kubernetes admission controller created
Description
AlphaSOC detected the creation of a Kubernetes MutatingWebhookConfiguration,
which establishes a new admission controller in the cluster. Admission
controllers are powerful components that can intercept and modify API requests
before they are processed by the Kubernetes API server.
MutatingWebhookConfigurations allow external services to modify Kubernetes
objects during the admission process. While legitimate for policy enforcement
and resource modification, the creation of new admission controllers can be used
by attackers to establish persistence, escalate privileges, or inject malicious
configurations into workloads. Unauthorized creation of admission controllers
represents a significant security risk as they operate with elevated privileges
and can affect all resources in the cluster.
Impact
Creating unauthorized admission controllers can lead to complete cluster compromise, since these components can intercept, modify, or block any API request. Malicious admission controllers can be used to inject backdoors into pods, modify security contexts to grant elevated privileges, steal secrets, or establish persistence mechanisms that survive pod restarts. They can also be used to bypass security policies, disable security features, or redirect traffic to attacker-controlled infrastructure. Because admission controllers operate at the API server level, they can affect all namespaces and resources within the cluster, making them an attractive mechanism for attackers seeking to maintain long-term access or control over Kubernetes environments.
Severity
| Severity | Condition |
|---|---|
| Low | Kubernetes admission controller created |
Investigation and Remediation
Review the Kubernetes audit logs to identify who created the
MutatingWebhookConfiguration and verify if this was an authorized deployment
through proper change management processes. Examine the webhook configuration to
understand what types of resources it targets and what mutations it performs.
Check the webhook service endpoint to ensure it points to a legitimate and
trusted service within your environment. Verify that the webhook's TLS
configuration uses valid certificates and secure communication channels. If the
admission controller was created without authorization, immediately delete the
MutatingWebhookConfiguration using
`kubectl delete mutatingwebhookconfiguration <name>` and investigate how the
unauthorized access occurred.
Review RBAC policies to ensure only authorized users and service accounts can create admission controllers. Monitor the webhook service logs for any suspicious activity or unauthorized modifications. Consider using admission controller frameworks that provide better security controls and audit capabilities for managing cluster policies.
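The review steps above (who created the MutatingWebhookConfiguration, which resources it targets, whether its endpoint is a trusted in-cluster service, and whether TLS trust is pinned) can be scripted against Kubernetes audit log events. The following is an added example, not AlphaSOC's detection logic; the audit log lines are constructed and the trusted-namespace set is an assumption for illustration.

```python
import json

# Constructed audit log lines (audit.k8s.io/v1 Event shape), not real data:
# one create of a MutatingWebhookConfiguration and one unrelated read.
AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"jdoe@example.invalid"},"sourceIPs":["198.51.100.7"],"objectRef":{"resource":"mutatingwebhookconfigurations","apiGroup":"admissionregistration.k8s.io","name":"pod-mutator"},"requestObject":{"webhooks":[{"name":"mutate.pods.example.invalid","clientConfig":{"url":"https://203.0.113.10/mutate"},"rules":[{"operations":["CREATE"],"apiGroups":[""],"resources":["pods"]}]}]}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:kube-controller-manager"},"sourceIPs":["10.0.0.1"],"objectRef":{"resource":"pods","namespace":"kube-system","name":"etcd-0"}}
"""

# Assumption: namespaces where approved webhook services are deployed.
TRUSTED_NAMESPACES = {"kube-system", "cert-manager"}

def parse_audit_log(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def webhook_creations(events):
    """Keep only events that create a MutatingWebhookConfiguration."""
    return [e for e in events
            if e.get("verb") == "create"
            and e.get("objectRef", {}).get("resource") == "mutatingwebhookconfigurations"]

def review_event(event):
    """Summarise who created the webhook, what it targets, and what to verify."""
    findings = []
    for wh in event.get("requestObject", {}).get("webhooks", []):
        cc = wh.get("clientConfig", {})
        svc = cc.get("service", {})
        if "url" in cc:  # endpoint outside the cluster's service network
            findings.append(f"{wh['name']}: endpoint is an external URL {cc['url']}")
        elif svc.get("namespace") not in TRUSTED_NAMESPACES:
            findings.append(f"{wh['name']}: service {svc.get('namespace')}/{svc.get('name')} "
                            "is not in a trusted namespace")
        if not cc.get("caBundle"):  # API server falls back to its system trust roots
            findings.append(f"{wh['name']}: no caBundle, webhook TLS trust is not pinned")
        targets = sorted({r for rule in wh.get("rules", []) for r in rule.get("resources", [])})
        if "pods" in targets or "*" in targets:
            findings.append(f"{wh['name']}: mutates {targets}, can alter workloads")
    return {"name": event["objectRef"]["name"],
            "creator": event["user"]["username"],
            "source_ips": event.get("sourceIPs", []),
            "findings": findings}

def triage(text):
    """Run the full review over raw audit log text and return one report per creation."""
    return [review_event(e) for e in webhook_creations(parse_audit_log(text))]

if __name__ == "__main__":
    for report in triage(AUDIT_LOG):
        print(json.dumps(report, indent=2))
```

Each report names the creating identity and source IP to cross-check against change management, and lists the properties that the remediation steps say to verify before deciding whether to delete the configuration.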