Multiple denied Kubernetes API calls requiring investigation
Description
AlphaSOC detected multiple Kubernetes API calls denied with 401 (Unauthorized) or 403 (Forbidden) responses. These access denials may indicate reconnaissance or privilege escalation attempts targeting the Kubernetes control plane, but could also result from misconfiguration or expired credentials.
Impact
API access denials can reveal misconfigurations in RBAC policies and service account permissions. Adversaries may use this information to identify potential access paths and attempt privilege escalation. If successful in bypassing access controls, threat actors could potentially deploy workloads, access secrets, and move laterally within the cluster.
Severity
| Severity | Condition |
|---|---|
| Low | Multiple denied Kubernetes API calls requiring investigation |
Investigation and Remediation
Review Kubernetes audit logs to identify the source of the denied requests, including usernames, service accounts, source IPs, and targeted resources. Analyze RBAC policies and service account permissions for misconfigurations or overly permissive settings, and update them according to the principle of least privilege. Investigate potentially compromised credentials or exposed service account tokens. Consider enabling more detailed audit logging for API server access attempts and implementing network policies to restrict unnecessary pod-to-pod and external communications.
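The first step above, pulling the denied requests out of the audit log and grouping them by principal, is shown below as an added triage helper. It is example code written for this page, not AlphaSOC's detection logic. It assumes the API server's standard `audit.k8s.io/v1` JSON-lines log backend (one event per line, with `stage`, `verb`, `user.username`, `sourceIPs`, `objectRef` and `responseStatus.code` fields); the sample events, principal names and IPs are constructed for the demonstration, and the alert threshold of three denials is an arbitrary choice.

```python
"""Summarise 401/403 responses in a Kubernetes audit log by principal.

Added example for triage; not AlphaSOC code. Assumes audit.k8s.io/v1
events in JSON-lines form as written by the API server's log backend.
"""
import json

# Constructed sample events (not real cluster data). They include a
# RequestReceived event, a successful call, a 401 from an anonymous
# request with no objectRef, and one malformed line, so every branch
# below is exercised.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"list","requestURI":"/api/v1/namespaces/kube-system/secrets","user":{"username":"system:serviceaccount:default:app-sa"},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"secrets","namespace":"kube-system"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/namespaces/kube-system/secrets","user":{"username":"system:serviceaccount:default:app-sa"},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403,"reason":"Forbidden"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/namespaces/default/secrets","user":{"username":"system:serviceaccount:default:app-sa"},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"secrets","namespace":"default"},"responseStatus":{"code":403,"reason":"Forbidden"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces/default/pods","user":{"username":"system:serviceaccount:default:app-sa"},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","user":{"username":"system:serviceaccount:default:app-sa"},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"clusterrolebindings"},"responseStatus":{"code":403,"reason":"Forbidden"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"watch","requestURI":"/api/v1/namespaces/kube-system/pods","user":{"username":"system:serviceaccount:default:app-sa"},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"pods","namespace":"kube-system"},"responseStatus":{"code":403,"reason":"Forbidden"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces","user":{"username":"system:anonymous"},"sourceIPs":["203.0.113.9"],"responseStatus":{"code":401,"reason":"Unauthorized"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","requestURI":"/api/v1/namespaces/monitoring/configmaps","user":{"username":"system:serviceaccount:monitoring:helm-installer"},"sourceIPs":["10.244.2.3"],"objectRef":{"resource":"configmaps","namespace":"monitoring"},"responseStatus":{"code":403,"reason":"Forbidden"}}
this line is not JSON and is skipped
"""

DENIED_CODES = {401, 403}


def parse_audit_events(text):
    """Parse JSON-lines audit output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_denied(event):
    """True for completed requests answered with 401 or 403.

    Only ResponseComplete events carry responseStatus; the RequestReceived
    event for the same request has none, so this also avoids double counting.
    """
    if event.get("stage") != "ResponseComplete":
        return False
    return (event.get("responseStatus") or {}).get("code") in DENIED_CODES


def resource_key(event):
    """'namespace/resource' for a resolved request, else the raw request URI."""
    ref = event.get("objectRef") or {}
    resource = ref.get("resource")
    if not resource:
        return event.get("requestURI", "<unknown>")
    return f"{ref.get('namespace') or 'cluster'}/{resource}"


def summarize_denials(events):
    """Group denied calls by principal: count, status codes, verbs, targets, IPs."""
    summary = {}
    for ev in events:
        if not is_denied(ev):
            continue
        user = (ev.get("user") or {}).get("username", "<unknown>")
        entry = summary.setdefault(user, {
            "count": 0, "codes": set(), "verbs": set(),
            "targets": set(), "source_ips": set(),
        })
        entry["count"] += 1
        entry["codes"].add(ev["responseStatus"]["code"])
        entry["verbs"].add(ev.get("verb", "<unknown>"))
        entry["targets"].add(resource_key(ev))
        entry["source_ips"].update(ev.get("sourceIPs", []))
    return summary


def flag_principals(summary, threshold=3):
    """Principals with at least `threshold` denials, most denials first."""
    flagged = [u for u, e in summary.items() if e["count"] >= threshold]
    return sorted(flagged, key=lambda u: (-summary[u]["count"], u))


def report(summary, threshold=3):
    """One human-readable line per flagged principal."""
    lines = []
    for user in flag_principals(summary, threshold):
        e = summary[user]
        lines.append(
            f"{user}: {e['count']} denials codes={sorted(e['codes'])} "
            f"verbs={sorted(e['verbs'])} targets={sorted(e['targets'])} "
            f"sources={sorted(e['source_ips'])}"
        )
    return lines


if __name__ == "__main__":
    for line in report(summarize_denials(parse_audit_events(SAMPLE_AUDIT_LOG))):
        print(line)
```

On the sample data only the `app-sa` service account crosses the threshold, while the single Helm installer denial (the second false positive listed below) stays under it. The `targets` set is the useful triage field: a principal repeatedly denied on one resource usually points to a misconfigured application or chart, whereas one denied across many unrelated resources and verbs warrants checking where its token is being used from (`source_ips`) and whether it should be rotated. Feed real data with `parse_audit_events(open(path).read())` or by piping the audit log on stdin.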
Known False Positives
- Misconfigured applications attempting legitimate API access
- Helm chart installations with incorrect RBAC settings