Kubernetes service account created in service namespace
Description
AlphaSOC detected the creation of a service account in the kube-system namespace. The kube-system namespace contains core Kubernetes components and configurations. The creation of service accounts in this namespace could indicate unauthorized access attempts or potentially serve as malicious persistence mechanisms, though legitimate administrative activities may also trigger this detection.
Impact
Unauthorized service accounts within the kube-system namespace can potentially be used to access sensitive cluster configurations and deploy workloads. If exploited by threat actors, these accounts could facilitate persistence, help evade detection, and possibly enable privilege escalation within the cluster environment.
Severity
| Severity | Condition |
|---|---|
| Medium | Kubernetes service account created in service namespace |
Investigation and Remediation
Examine the details of the service account creation event, focusing on the creator's identity, permissions, and associated role bindings. Review any workloads using the service account and analyze the API calls made with these credentials. If unauthorized activity is identified, delete the service account and audit all actions taken using the account. Review cluster RBAC configurations, rotate potentially compromised credentials, and ensure audit logging is enabled for service account operations.
Known False Positives
- Installation of cluster add-ons
- Legitimate administrative or CI/CD operations
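The investigation steps above (who created the account, from where, and whether it succeeded) and the false-positive tuning can be expressed as a small audit-log check. The following is an added example, not AlphaSOC's own detection code: it reads Kubernetes API server audit events in the audit.k8s.io/v1 JSON-lines shape, all of which are constructed samples here, and the EXPECTED_CREATORS allowlist and ADDON_INSTALLER identity are hypothetical values a team would tune for its own cluster.

```python
"""Flag ServiceAccount creations in kube-system in Kubernetes audit events.
Added example for this detection page (not AlphaSOC code); events are constructed
samples in the audit.k8s.io/v1 JSON-lines shape, EXPECTED_CREATORS is hypothetical."""
import json

WATCHED_NAMESPACE = "kube-system"
# Hypothetical allowlist for the known false positives (add-on installers, CI/CD).
ADDON_INSTALLER = "system:serviceaccount:argocd:argocd-application-controller"
EXPECTED_CREATORS = {ADDON_INSTALLER}


def _event(verb, user, ns, name, code=201, stage="ResponseComplete"):
    """Constructed audit event carrying only the fields the detector reads."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
                       "verb": verb, "user": {"username": user}, "sourceIPs": ["203.0.113.7"],
                       "objectRef": {"resource": "serviceaccounts", "namespace": ns, "name": name},
                       "responseStatus": {"code": code}})


SAMPLE_AUDIT_LOG = "\n".join([
    _event("create", "jdoe@example.com", "kube-system", "debug-sa"),              # fires
    _event("create", ADDON_INSTALLER, "kube-system", "metrics-server"),           # allowlisted
    _event("create", "jdoe@example.com", "dev", "app-sa"),                        # other namespace
    _event("create", "jdoe@example.com", "kube-system", "sa2", stage="ResponseStarted"),  # not final
    _event("get", "jdoe@example.com", "kube-system", "default"),                  # read, not create
    _event("create", "intern@example.com", "kube-system", "sa3", code=403),       # denied by RBAC
])


def detect_sa_creations(audit_lines, namespace=WATCHED_NAMESPACE, expected=EXPECTED_CREATORS):
    """One finding per *successful* ServiceAccount creation in `namespace`.
    Only ResponseComplete events with a 2xx code count: a 403 or the earlier
    ResponseStarted stage of the same request must not produce a finding."""
    findings = []
    for line in audit_lines.splitlines():
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        code = ev.get("responseStatus", {}).get("code", 0)
        if (ev.get("verb") != "create" or ev.get("stage") != "ResponseComplete"
                or ref.get("resource") != "serviceaccounts"
                or ref.get("namespace") != namespace or not 200 <= code < 300):
            continue
        creator = ev["user"]["username"]
        findings.append({"severity": "Medium", "service_account": ref["name"],
                         "creator": creator, "source_ip": ev.get("sourceIPs", [None])[0],
                         # allowlisted creators are kept for the audit trail but marked benign
                         "likely_false_positive": creator in expected})
    return findings
```

Each finding carries the creator identity and source IP that the investigation steps ask for; allowlisted creators still appear so the audit trail stays complete, but are marked as likely false positives rather than dropped.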