Kubernetes API Request Impersonating Privileged Identity
Detects Kubernetes API requests where a user is impersonating a privileged cluster identity such as system:kube-controller-manager, system:admin, system:anonymous, or a member of the system:masters group, potentially leading to privilege escalation and unauthorized access.
This detection rule identifies Kubernetes API requests where a user is impersonating a highly privileged cluster identity. The targeted identities include system:kube-controller-manager, system:admin, system:anonymous, and members of the system:masters group. Successful impersonation of these identities grants broad cluster-wide permissions, enabling attackers to access all secrets, create tokens for any service account, schedule pods on any node, and modify RBAC policies. Abuse of impersonation rights in this way can give an attacker cluster-admin equivalent access, or at minimum access to all secrets in every namespace, and can lead to significant compromise of the Kubernetes environment.
Attack Chain
- An attacker gains initial access to the Kubernetes cluster, possibly through compromised credentials or a vulnerable application.
- The attacker crafts a malicious Kubernetes API request.
- The attacker includes impersonation headers in the API request, targeting a privileged identity such as system:kube-controller-manager or a member of system:masters.
- The Kubernetes API server receives the request and, if RBAC checks are insufficient or bypassed, allows the impersonation.
- The attacker, now impersonating the privileged identity, issues further API requests to access sensitive resources like secrets or to create service account tokens.
- The attacker uses the stolen secrets or created tokens for lateral movement within the cluster.
- The attacker escalates privileges and gains unauthorized control over the cluster.
Impact
Successful exploitation allows the attacker to escalate privileges within the Kubernetes cluster, potentially leading to full cluster control. The attacker can access sensitive data such as secrets, modify RBAC policies, and deploy malicious workloads. This can result in data breaches, service disruptions, and long-term compromise of the cluster and its resources.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect suspicious Kubernetes API requests involving privileged identity impersonation.
- Review and tighten RBAC permissions within the Kubernetes cluster, especially for impersonation rights.
- Monitor Kubernetes audit logs for unexpected impersonation activity, focusing on the user.name and kubernetes.audit.impersonatedUser fields.
- Implement strict network segmentation to limit the blast radius of compromised nodes or containers.
- Use Kubernetes admission controllers to enforce policies that prevent unauthorized impersonation attempts.
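The monitoring recommendation above can be checked against raw audit logs directly. The following is an added example, not the platform's Sigma rule: it scans constructed audit.k8s.io/v1 events and flags the same privileged targets the rule names, using the raw audit field names (user.username, impersonatedUser.username, impersonatedUser.groups) rather than the SIEM-normalized user.name and kubernetes.audit.impersonatedUser fields.

```python
import json
# Identities named by the rule: three privileged users plus the system:masters group.
PRIVILEGED_USERS = {"system:kube-controller-manager", "system:admin", "system:anonymous"}
PRIVILEGED_GROUPS = {"system:masters"}

def privileged_impersonation(event):
    # Return a finding when an audit.k8s.io/v1 event impersonates a privileged
    # identity; None if there are no impersonation headers or the target is benign.
    target = event.get("impersonatedUser")
    if not target:
        return None
    username = target.get("username", "")
    hit_groups = set(target.get("groups") or []) & PRIVILEGED_GROUPS
    if username not in PRIVILEGED_USERS and not hit_groups:
        return None
    return {
        "auditID": event.get("auditID"),
        "actor": event.get("user", {}).get("username"),  # who sent the request
        "impersonated": username,                         # who they claimed to be
        "privileged_groups": sorted(hit_groups),
        "verb": event.get("verb"),
        "requestURI": event.get("requestURI"),
        "userAgent": event.get("userAgent"),  # input for the non-standard user agent variant
    }

def scan_audit_log(lines):
    # Parse newline-delimited JSON audit events; a malformed line is skipped, not fatal.
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = privileged_impersonation(event)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample events (not real audit data): plain request, impersonation of
# kube-controller-manager, impersonation of a system:masters member, benign impersonation, junk.
SAMPLE_LOG = [
    '{"auditID":"a1","verb":"get","requestURI":"/api/v1/namespaces/default/pods",'
    '"user":{"username":"alice"},"userAgent":"kubectl/v1.29.0"}',
    '{"auditID":"a2","verb":"list","requestURI":"/api/v1/secrets","user":{"username":"alice"},'
    '"impersonatedUser":{"username":"system:kube-controller-manager"},"userAgent":"curl/8.4.0"}',
    '{"auditID":"a3","verb":"create","requestURI":"/api/v1/namespaces/kube-system/serviceaccounts/default/token",'
    '"user":{"username":"ci-bot"},"impersonatedUser":{"username":"ops-admin","groups":["system:masters"]}}',
    '{"auditID":"a4","verb":"get","requestURI":"/api/v1/namespaces/dev/pods",'
    '"user":{"username":"bob"},"impersonatedUser":{"username":"dev-user","groups":["developers"]}}',
    'not json',
]
```

The impersonatedUser field is only present when the cluster's audit policy records the request at level Metadata or higher, so confirm the policy before relying on this check.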
Detection coverage (2 rules)
Detect Kubernetes API Request Impersonating Privileged Identity
Severity: high. Detects Kubernetes API requests where a user is impersonating a privileged cluster identity.
Detect Kubernetes API Request Impersonating Privileged Identity - Non-Standard User Agent
Severity: medium. Detects Kubernetes API requests impersonating privileged identities with a non-standard user agent.
Detection queries are available on the platform.