Kubernetes API calls indicating namespace creation
Description
AlphaSOC detected the creation of a new Kubernetes namespace. Namespaces provide logical isolation within clusters and are commonly used for organizing workloads. While namespace creation is a normal administrative operation, threat actors may create namespaces to isolate malicious activities, maintain persistence, or evade detection by operating outside monitored areas.
Impact
Unauthorized namespace creation may enable threat actors to deploy workloads that could evade security monitoring. This separation could potentially allow malicious activities to operate with reduced visibility, which may facilitate data exfiltration, cryptocurrency mining, or lateral movement within the cluster.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, user agent, or namespace) |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review Kubernetes audit logs to identify the user or service account that created the namespace and verify the legitimacy of the action. Examine the namespace configuration, any associated resources, and deployed workloads. If the namespace creation was unauthorized or unnecessary, remove the namespace and its resources. Review and update RBAC policies to ensure namespace creation privileges follow the principle of least privilege.
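As an added illustration (not AlphaSOC's own detection logic), the following Python filters Kubernetes audit log entries for successful namespace creations and counts how many of the four properties from the severity table fall outside a baseline. The sample audit events, the baseline, and the use of an expected source network in place of a real ASN lookup are all constructed assumptions for this example.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample Kubernetes audit log entries (JSON lines); not real logs.
AUDIT_LOG = """
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"namespaces","name":"app-staging"},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"sourceIPs":["203.0.113.9"],"userAgent":"python-requests/2.31","objectRef":{"resource":"namespaces","name":"kube-systm"},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"pods","namespace":"default","name":"web-1"},"responseStatus":{"code":200}}
"""

# Assumed baseline for this cluster (constructed). The expected source network
# stands in for the ASN check, which would need an external IP-to-ASN lookup.
BASELINE = {
    "creators": {"system:serviceaccount:ci:deployer"},
    "networks": [ip_network("10.0.0.0/8")],
    "user_agents": ("kubectl/",),
    "namespaces": {"app-staging", "app-prod"},
}
SEVERITY = {0: None, 1: "Informational", 2: "Low"}  # three or more -> Medium

def namespace_creations(log_text):
    """Return audit events recording a successful (HTTP 201) namespace creation."""
    events = [json.loads(line) for line in log_text.strip().splitlines()]
    return [ev for ev in events
            if ev.get("verb") == "create" and ev.get("stage") == "ResponseComplete"
            and ev.get("objectRef", {}).get("resource") == "namespaces"
            and ev.get("responseStatus", {}).get("code") == 201]

def unexpected_properties(ev, baseline=BASELINE):
    """Name the properties from the severity table that fall outside the baseline."""
    found = []
    if ev["user"]["username"] not in baseline["creators"]:
        found.append("action")  # this principal does not normally create namespaces
    if not any(ip_address(ev["sourceIPs"][0]) in net for net in baseline["networks"]):
        found.append("asn")
    if not ev.get("userAgent", "").startswith(baseline["user_agents"]):
        found.append("user agent")
    if ev["objectRef"]["name"] not in baseline["namespaces"]:
        found.append("namespace")
    return found

def triage(log_text, baseline=BASELINE):
    """Map each creation to (namespace, creator, unexpected properties, severity)."""
    rows = []
    for ev in namespace_creations(log_text):
        props = unexpected_properties(ev, baseline)
        rows.append((ev["objectRef"]["name"], ev["user"]["username"], props,
                     SEVERITY.get(len(props), "Medium")))
    return rows
```

The second sample event trips all four properties and lands at Medium, while the expected CI deployer creating a known namespace produces no finding; the `get` on a pod is filtered out before scoring.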