Suspicious Kubernetes API calls indicating access to Kubernetes secret
Description
AlphaSOC detected unexpected access to a Kubernetes Secret. A Secret is an object that contains sensitive data such as passwords, tokens, or keys. This finding indicates that a Secret was accessed with one or more properties (action, ASN, user agent, or namespace) that deviate from the access pattern expected for the cluster, which may suggest unauthorized access attempts or potential data exfiltration.
Impact
Access to Kubernetes Secrets enables threat actors to compromise applications, laterally move through the cluster, and access protected resources. Exposed Secrets can lead to data breaches, service disruptions, and potential infrastructure compromise.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent, or namespace |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review Kubernetes audit logs to identify the service account and accessed Secrets. Analyze pod and container configurations to confirm legitimate secret mounting and access patterns. If unauthorized access is confirmed, rotate compromised Secrets, update RBAC policies, and investigate potential compromise of accessing pods or service accounts.
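The following is an added example (not AlphaSOC's detection code) of the first investigation step together with the severity table above: it parses Kubernetes audit events in the standard audit.k8s.io/v1 JSON-lines format, keeps only requests against the `secrets` resource, reports which of the four properties (action, ASN, user agent, namespace) deviate from a baseline, maps the count of deviations to the Informational/Low/Medium severities, and summarizes which principal touched which Secrets. The baseline, the IP-to-ASN lookup (a stand-in for real ASN enrichment, since audit logs carry only source IPs), and the sample audit lines are all constructed for this example; the standard audit fields used are `verb`, `user.username`, `sourceIPs`, `userAgent`, `objectRef` and `responseStatus`.

```python
"""Triage of Kubernetes audit events for Secret access (added example, not AlphaSOC code)."""
import ipaddress
import json
from typing import Optional

# Constructed stand-in for IP -> ASN enrichment; a real deployment uses an ASN/GeoIP feed.
ASN_LOOKUP = {
    ipaddress.ip_network("10.0.0.0/8"): "AS64512 (internal)",
    ipaddress.ip_network("203.0.113.0/24"): "AS64496 (example-cloud)",
}

# Constructed baseline of expected properties for Secret access in this cluster.
BASELINE = {
    "action": {"get"},
    "asn": {"AS64512 (internal)"},
    "user_agent_prefix": {"kube-controller-manager", "kubelet"},
    "namespace": {"prod", "kube-system"},
}

# Severity per the table above; four deviations are capped at Medium (assumption, the table stops at three).
SEVERITY_BY_COUNT = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}

# Constructed audit.k8s.io/v1 events, one JSON object per line (Metadata level, ResponseComplete stage).
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:kube-controller-manager"},"sourceIPs":["10.0.0.5"],"userAgent":"kube-controller-manager/v1.28.0 (linux/amd64)","objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:prod:web-app"},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.28.0 (linux/amd64) kubernetes/00000","objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"dev-user@example.com"},"sourceIPs":["203.0.113.9"],"userAgent":"curl/8.4.0","objectRef":{"resource":"secrets","namespace":"staging","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:prod:web-app"},"sourceIPs":["10.0.0.9"],"userAgent":"kubelet/v1.28.0","objectRef":{"resource":"configmaps","namespace":"prod","name":"app-config","apiVersion":"v1"},"responseStatus":{"code":200}}
"""


def asn_for(ip: str) -> str:
    """Resolve a source IP to an ASN label using the constructed lookup table."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_LOOKUP.items():
        if addr in net:
            return asn
    return "AS-UNKNOWN"


def extract_secret_access(event: dict) -> Optional[dict]:
    """Return the properties of interest if the event targets a Secret, else None."""
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "secrets":
        return None
    ips = event.get("sourceIPs") or []
    return {
        "user": (event.get("user") or {}).get("username", ""),
        "action": event.get("verb", ""),
        "asn": asn_for(ips[0]) if ips else "AS-UNKNOWN",
        "user_agent": event.get("userAgent", ""),
        "namespace": ref.get("namespace", ""),
        # list/watch requests carry no object name; "*" marks a whole-namespace read
        "secret": ref.get("name") or "*",
        "status": (event.get("responseStatus") or {}).get("code"),
    }


def unexpected_properties(props: dict, baseline: dict = BASELINE) -> list:
    """List which of action / ASN / user agent / namespace deviate from the baseline."""
    bad = []
    if props["action"] not in baseline["action"]:
        bad.append("action")
    if props["asn"] not in baseline["asn"]:
        bad.append("asn")
    if not any(props["user_agent"].startswith(p) for p in baseline["user_agent_prefix"]):
        bad.append("user_agent")
    if props["namespace"] not in baseline["namespace"]:
        bad.append("namespace")
    return bad


def severity(unexpected: list) -> Optional[str]:
    """Map the number of simultaneously unexpected properties to the table's severity."""
    return SEVERITY_BY_COUNT[min(len(unexpected), 3)]


def triage(audit_lines) -> list:
    """Parse JSON-lines audit events and return one finding per Secret access."""
    findings = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        props = extract_secret_access(json.loads(line))
        if props is None:
            continue
        bad = unexpected_properties(props)
        findings.append({**props, "unexpected": bad, "severity": severity(bad)})
    return findings


def secrets_by_principal(findings: list) -> dict:
    """Summarize which principal (user or service account) read which namespace/Secret."""
    summary = {}
    for f in findings:
        summary.setdefault(f["user"], set()).add(f"{f['namespace']}/{f['secret']}")
    return summary


if __name__ == "__main__":
    results = triage(SAMPLE_AUDIT_LOG.splitlines())
    for r in results:
        print(f"{r['severity'] or 'baseline':13} {r['user']:40} {r['action']:5} "
              f"{r['namespace']}/{r['secret']} unexpected={r['unexpected']}")
    print(secrets_by_principal(results))
```

Running the block over the constructed log yields no finding for the controller-manager read, a Low finding for the `kubectl` read of `prod/db-creds` from the external ASN (ASN and user agent unexpected), and a Medium finding for the `curl` list of every Secret in `staging` (all four properties unexpected). The principal summary is the input for the next steps in the procedure: checking whether the accessing pod or service account legitimately mounts those Secrets, and deciding which Secrets to rotate.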