Unexpected anonymous API call to a Kubernetes cluster

ID: k8s_anonymous_access_anomaly
Data type: Kubernetes
Severity: Low - Medium
MITRE ATT&CK: TA0001:T1190

Description

AlphaSOC detected successful anonymous API calls to a Kubernetes cluster. This indicates that an adversary reached an exposed Kubernetes API endpoint without authenticating and interacted with the cluster directly. Anonymous access bypasses the cluster's authentication controls and represents a critical misconfiguration of the cluster.

Impact

Anonymous access to the Kubernetes API server enables threat actors to enumerate cluster resources, access sensitive data, and potentially execute commands in running containers. Adversaries can exploit this access to deploy malicious workloads, exfiltrate data, or establish persistence in the cluster.

Severity

| Severity | Condition                                                              |
|----------|------------------------------------------------------------------------|
| Low      | Anonymous API call to a Kubernetes cluster                             |
| Medium   | Anonymous API call by a client with an unexpected user agent           |
| Medium   | Anonymous API call by a client IP within an unexpected ASN             |
| Medium   | Anonymous API call by a client accompanied by an unexpected action     |
| Medium   | Anonymous API call by a client within an unexpected Kubernetes namespace |

Investigation and Remediation

Review Kubernetes audit logs to identify specific API calls and affected resources. Check API server configuration for authentication and authorization settings. Ensure RBAC policies restrict anonymous access. Configure network policies to limit API server exposure. Rotate any compromised credentials and secrets. Monitor for unauthorized workload deployments or configuration changes.

Known False Positives

  • Kubernetes readiness/liveness probes
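The investigation section above starts with reviewing Kubernetes audit logs, and the known false positive is probe traffic. The following is an added example, not AlphaSOC's detection code: it reads audit.k8s.io/v1 events as JSON lines, keeps only requests that the API server completed successfully for system:anonymous, drops the probe paths (/healthz, /readyz, /livez) that unauthenticated probes legitimately hit, and assigns Low or Medium using the conditions in the severity table. The expected user agents, namespaces, verbs and source networks are constructed baseline assumptions, the sample events are constructed, and the "unexpected ASN" condition is approximated by an IP-prefix allowlist because a real ASN lookup needs an external database.

```python
"""Triage successful anonymous Kubernetes API calls found in audit logs."""
import ipaddress
import json

# Non-resource paths that readiness/liveness probes hit without credentials.
PROBE_PATHS = ("/healthz", "/readyz", "/livez")

# Constructed baseline of "expected" anonymous traffic; a real deployment
# would learn these values from historical audit data.
EXPECTED_USER_AGENTS = ("kube-probe/",)
EXPECTED_NAMESPACES = {"", "kube-system"}          # "" = non-namespaced or non-resource URL
EXPECTED_VERBS = {"get"}
EXPECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # stand-in for the expected ASN


def is_anonymous_success(event):
    """True for a completed request by system:anonymous that the API server accepted (2xx)."""
    user = event.get("user", {})
    anonymous = (user.get("username") == "system:anonymous"
                 or "system:unauthenticated" in user.get("groups", []))
    code = event.get("responseStatus", {}).get("code", 0)
    return event.get("stage") == "ResponseComplete" and anonymous and 200 <= code < 300


def is_probe(event):
    """Known false positive: probe paths, with any query string removed."""
    path = event.get("requestURI", "").split("?")[0]
    return path.startswith(PROBE_PATHS)


def score(event):
    """Return (severity, reasons) per the rule's conditions, or None if the event is out of scope."""
    if not is_anonymous_success(event) or is_probe(event):
        return None
    reasons = []
    if not event.get("userAgent", "").startswith(EXPECTED_USER_AGENTS):
        reasons.append("unexpected user agent")
    ips = event.get("sourceIPs", [])
    if ips and not any(ipaddress.ip_address(ips[0]) in net for net in EXPECTED_NETWORKS):
        reasons.append("unexpected source network (ASN stand-in)")
    if event.get("verb") not in EXPECTED_VERBS:
        reasons.append("unexpected action")
    if event.get("objectRef", {}).get("namespace", "") not in EXPECTED_NAMESPACES:
        reasons.append("unexpected namespace")
    return ("Medium" if reasons else "Low", reasons)


def scan(lines):
    """Return [(auditID, severity, reasons)] for every anonymous call worth reviewing."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        result = score(event)
        if result is not None:
            findings.append((event.get("auditID"), result[0], result[1]))
    return findings


# Constructed audit events (Metadata level, trimmed to the fields used above).
SAMPLE_EVENTS = [
    # Readiness probe: anonymous but a known false positive, so skipped.
    '{"auditID":"a1","stage":"ResponseComplete","requestURI":"/readyz?verbose","verb":"get",'
    '"user":{"username":"system:anonymous","groups":["system:unauthenticated"]},'
    '"sourceIPs":["10.0.0.5"],"userAgent":"kube-probe/1.28","responseStatus":{"code":200}}',
    # Anonymous /version read from the expected network and agent: Low.
    '{"auditID":"a2","stage":"ResponseComplete","requestURI":"/version","verb":"get",'
    '"user":{"username":"system:anonymous","groups":["system:unauthenticated"]},'
    '"sourceIPs":["10.0.0.5"],"userAgent":"kube-probe/1.28","responseStatus":{"code":200}}',
    # Anonymous pod listing from an outside address with a CLI agent: Medium on every condition.
    '{"auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"list",'
    '"user":{"username":"system:anonymous","groups":["system:unauthenticated"]},'
    '"sourceIPs":["203.0.113.9"],"userAgent":"kubectl/v1.28.0 (linux/amd64)",'
    '"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200}}',
    # Authenticated user: out of scope for this rule.
    '{"auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"list",'
    '"user":{"username":"jane","groups":["system:authenticated"]},"sourceIPs":["10.0.0.7"],'
    '"userAgent":"kubectl/v1.28.0 (linux/amd64)","responseStatus":{"code":200}}',
    # Anonymous call the API server rejected: not a successful anonymous call.
    '{"auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/secrets","verb":"list",'
    '"user":{"username":"system:anonymous","groups":["system:unauthenticated"]},'
    '"sourceIPs":["203.0.113.9"],"userAgent":"curl/8.0","responseStatus":{"code":403}}',
]

if __name__ == "__main__":
    for audit_id, severity, reasons in scan(SAMPLE_EVENTS):
        print(audit_id, severity, ", ".join(reasons) or "baseline anonymous call")
```

When the scan produces findings, the configuration checks that follow are the kube-apiserver `--anonymous-auth` flag (setting it to `false` rejects unauthenticated requests outright, including the probes listed as a false positive, so probes then need a credential or a different target) and the RBAC bindings granted to the `system:unauthenticated` group, which by default is limited to the `system:public-info-viewer` ClusterRole covering the probe and version paths; any broader binding to that group explains how an anonymous `list` of pods could succeed.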