Hiding in Plaintext Sight: Abusing The Lack of Kubernetes Auditing Policies

submitted by
Style Pass
2021-08-16 16:00:08

When it comes to Kubernetes logging, multiple books could be written on all the possible ways to collect, enrich, and send data from a cluster to a SIEM. However, a critical component of the Kubernetes monitoring and logging ecosystem is the Kubernetes Audit log. As noted in the official Kubernetes documentation:

“Kubernetes auditing allows administrators to answer ‘what happened? When did it happen? Who initiated it? On what did it happen? Where was it observed? From where was it initiated? To where was it going?’”

Whether handling a service outage, debugging a misbehaving application, or responding to a security incident, the Kubernetes Audit log can provide a wealth of information for your team. However, the platform your organization has deployed Kubernetes on (bare metal, cloud provider, managed service, etc.) greatly influences how you will obtain the logs and react to them.
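The audit log only exists if the API server has been given an audit policy and a backend to write to; with no policy, no events are generated at all. The following is an added example of a minimal audit policy, not from the original post or from Lacework, that records enough to answer the "who, what, when, on what, from where" questions above while keeping volume manageable. It assumes a self-managed kube-apiserver that you can pass flags to; the rule set (which resources get which level) is an illustrative starting point, not a recommended production policy.

```yaml
# audit-policy.yaml (constructed example)
# Load it on the API server with:
#   --audit-policy-file=/etc/kubernetes/audit-policy.yaml
#   --audit-log-path=/var/log/kubernetes/audit.log
#   --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100
# (or --audit-webhook-config-file=... to ship events to a collector instead).
apiVersion: audit.k8s.io/v1
kind: Policy
# Every request passes through several stages; skipping RequestReceived
# avoids a duplicate event per request while still logging the outcome.
omitStages:
  - "RequestReceived"
rules:
  # Rules are evaluated in order; the first match wins.

  # Secrets, ConfigMaps and ServiceAccount tokens: record who touched them
  # and from where, but never the body (Metadata level omits request and
  # response payloads, so credential material does not land in the log).
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]

  # Pod creation/exec/attach and RBAC changes are the events an incident
  # responder most often needs in full, so keep request and response bodies.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods", "pods/exec", "pods/attach", "pods/portforward"]
      - group: "rbac.authorization.k8s.io"
        resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]

  # High-volume, low-value control-plane chatter: drop it.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  - level: None
    nonResourceURLs: ["/healthz*", "/readyz*", "/livez*", "/version"]

  # Catch-all: keep at least the metadata (user, verb, object, source IP,
  # timestamp, response code) for everything else.
  - level: Metadata
```

Each emitted event carries `user.username`, `verb`, `objectRef`, `sourceIPs`, `userAgent`, `requestReceivedTimestamp` and `responseStatus`, which map directly onto the questions the documentation lists. On a managed service the control-plane flags are usually not yours to set; there you enable the provider's control-plane audit logging and ingest it from the provider's logging service instead, which is exactly the platform dependence the post refers to.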

Lacework Labs is constantly looking to understand the ever-increasing complexities of cloud environments and associated services that may be abused for malicious purposes. In this blog, we outline scenarios where the lack of auditing in Kubernetes could be leveraged for abuse and how to defend against it.
