Kubernetes service account created in public namespace
Description
AlphaSOC detected the creation of a service account in the kube-public namespace. The kube-public namespace is designed to be readable by all users, including unauthenticated ones. Creating service accounts in this namespace could expose credentials and may indicate an attempt at credential exposure or privilege escalation.
Impact
Service accounts created in kube-public can have their credentials and access tokens visible to unauthenticated users. These exposed credentials could allow threat actors to gain access to the cluster and potentially escalate privileges through role bindings. With a compromised service account, adversaries may be able to deploy workloads, access resources according to the service account's permissions, and establish persistence within the cluster environment.
Severity
| Severity | Condition |
|---|---|
| Medium | Kubernetes service account created in public namespace |
Investigation and Remediation
Review the Kubernetes audit logs to identify the user who created the service account and the time of creation. Examine the associated role bindings and usage patterns to understand the scope of potential exposure. Remove any unauthorized service accounts and investigate pods or workloads that used these credentials. Consider implementing controls to restrict service account creation in the kube-public namespace, and monitor the environment for additional suspicious activity. Implement namespace-level policies that enforce proper service account placement according to your organization's security requirements.
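The audit log review described above can be scripted. The following is an added example, not AlphaSOC's or the Kubernetes project's code: it assumes audit events are stored as JSON lines in the audit.k8s.io/v1 format and that role binding writes are logged at Request level or above so that requestObject is present. The sample events are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample audit.k8s.io/v1 events (JSON lines); requestObject needs a Request-level audit policy.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2024-05-01T10:02:11.000000Z","user":{"username":"dev-user@example.com"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"serviceaccounts","namespace":"kube-public","name":"helper-sa"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2024-05-01T10:03:40.000000Z","user":{"username":"ci-bot"},"sourceIPs":["198.51.100.4"],"objectRef":{"resource":"serviceaccounts","namespace":"default","name":"app-sa"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2024-05-01T10:04:02.000000Z","user":{"username":"intern@example.com"},"sourceIPs":["198.51.100.9"],"objectRef":{"resource":"serviceaccounts","namespace":"kube-public","name":"other-sa"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2024-05-01T10:05:30.000000Z","user":{"username":"dev-user@example.com"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"serviceaccounts","subresource":"token","namespace":"kube-public","name":"helper-sa"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2024-05-01T10:06:15.000000Z","user":{"username":"dev-user@example.com"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"clusterrolebindings","name":"helper-binding"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"edit"},"subjects":[{"kind":"ServiceAccount","name":"helper-sa","namespace":"kube-public"}]},"responseStatus":{"code":201}}
"""

def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _ok(ev):
    code = (ev.get("responseStatus") or {}).get("code", 0)
    return ev.get("stage") == "ResponseComplete" and 200 <= code < 300

def sa_creations(events, namespace="kube-public"):
    """Successful service account creations in `namespace` (token requests and denied attempts excluded)."""
    hits = []
    for ev in events:
        ref = ev.get("objectRef") or {}
        is_create = (ev.get("verb"), ref.get("resource"), ref.get("namespace")) == ("create", "serviceaccounts", namespace)
        if not is_create or ref.get("subresource") or not _ok(ev):
            continue
        meta = (ev.get("requestObject") or {}).get("metadata") or {}  # name fallback for create requests
        hits.append({"name": ref.get("name") or meta.get("name"), "user": ev["user"]["username"],
                     "time": ev["requestReceivedTimestamp"], "source_ips": ev.get("sourceIPs", [])})
    return hits

def bindings_for(events, sa_names, namespace="kube-public"):
    """Role bindings written with one of the flagged service accounts as a subject."""
    found = []
    for ev in events:
        ref = ev.get("objectRef") or {}
        if ref.get("resource") not in ("rolebindings", "clusterrolebindings") or not _ok(ev):
            continue
        obj = ev.get("requestObject") or {}
        for s in obj.get("subjects") or []:
            if s.get("kind") == "ServiceAccount" and s.get("namespace") == namespace and s.get("name") in sa_names:
                found.append({"binding": ref.get("name") or (obj.get("metadata") or {}).get("name"),
                              "role": (obj.get("roleRef") or {}).get("name"), "subject": s["name"], "user": ev["user"]["username"]})
    return found

if __name__ == "__main__":
    events = load_events(SAMPLE_AUDIT_LOG)
    created = sa_creations(events)
    print(created, bindings_for(events, {c["name"] for c in created}))
```

The creator, timestamp and source IPs come from sa_creations; bindings_for shows which roles were then granted to the flagged account, which bounds the scope of exposure.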