Kubernetes resource created in public namespace
Description
AlphaSOC detected the creation of a Kubernetes resource in the kube-public namespace. This namespace is designed for resources that need to be publicly readable across the cluster and grants read access to all users by default, including unauthenticated users. Creating workloads or storing sensitive resources in this namespace exposes them to unauthorized access and violates security best practices.
Impact
Resources running in kube-public may be visible to unauthenticated users, potentially exposing data, configurations, or resource metadata. Threat actors could use this visibility to gather information about the cluster or attempt further actions. While direct privilege escalation is not guaranteed, improper use of kube-public increases the risk of information disclosure and could aid in subsequent attacks.
Severity
| Severity | Condition |
|---|---|
| Medium | Kubernetes resource created in public namespace |
Investigation and Remediation
Review audit logs and resource specifications to identify who created the resource and their intended purpose. Remove any unauthorized or unnecessary resources from kube-public. Legitimate workloads should be moved to appropriate namespaces with restricted access. Review and update RBAC policies to limit resource creation in kube-public. Implement namespace security controls, such as Pod Security Standards and Network Policies, to reduce risk.
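One way to carry out the audit-log review described above, as an added example that is not AlphaSOC's own code: it filters Kubernetes audit events (`audit.k8s.io/v1`, one JSON object per line) for create requests in kube-public and reports who issued them. The log lines, usernames and IP addresses are constructed sample data, and the function name is hypothetical.

```python
import json

# Constructed sample audit log (audit.k8s.io/v1 events, one JSON object per line).
# The last line is deliberately truncated to show that damaged lines are skipped.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"create","user":{"username":"dev-alice"},"sourceIPs":["192.0.2.10"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"pods","namespace":"kube-public","name":"debug-shell"},"requestReceivedTimestamp":"2024-05-01T10:15:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-alice"},"sourceIPs":["192.0.2.10"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"pods","namespace":"kube-public","name":"debug-shell"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-05-01T10:15:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-bob"},"sourceIPs":["192.0.2.11"],"objectRef":{"resource":"configmaps","namespace":"default","name":"app-config"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-05-01T10:16:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous"},"sourceIPs":["198.51.100.7"],"objectRef":{"resource":"configmaps","namespace":"kube-public","name":"cluster-info"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:17:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:builder"},"sourceIPs":["192.0.2.20"],"objectRef":{"resource":"secrets","namespace":"kube-public"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-05-01T10:18:00.000000Z"}
{"kind":"Event","verb":"cre
"""

def creations_in_public_namespace(lines, namespace="kube-public"):
    """Return one finding per completed create request in `namespace`."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        ref = ev.get("objectRef") or {}
        # Each request is logged once per stage; count only the final stage.
        if ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("verb") != "create" or ref.get("namespace") != namespace:
            continue
        code = (ev.get("responseStatus") or {}).get("code", 0)
        findings.append({
            "time": ev.get("requestReceivedTimestamp"),
            "user": (ev.get("user") or {}).get("username"),
            "resource": ref.get("resource"),
            "name": ref.get("name"),  # may be absent on create events
            "source_ips": ev.get("sourceIPs", []),
            "user_agent": ev.get("userAgent"),
            "succeeded": 200 <= code < 300,  # denied attempts are kept for review
        })
    return findings

if __name__ == "__main__":
    for finding in creations_in_public_namespace(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

Findings with `succeeded` set to true point at resources to remove or relocate; denied attempts identify accounts whose intent is still worth confirming during the RBAC review.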