---
id: 08225b48-df24-4b5f-9ac4-670124024556
---

# Unauthorized Access to Kubernetes API Server Detected
---

This incident type is characterized by the detection of unauthorized access to the Kubernetes API server. This unauthorized access potentially enables attackers to manipulate cluster resources. Such incidents can lead to serious consequences, as unauthorized access allows attackers to make changes to the Kubernetes cluster, which may compromise the security and integrity of the entire system. Therefore, it is crucial to promptly detect and address such incidents to ensure the security and proper functioning of the Kubernetes cluster.

### Parameters
```shell
export KUBE_APISERVER_POD_NAME="PLACEHOLDER"

export API_SERVER_ENDPOINT="PLACEHOLDER"

export ROLE_NAME="PLACEHOLDER"

export NAMESPACE="PLACEHOLDER"

export PATH_TO_KUBECONFIG="PLACEHOLDER"

```

## Debug

### Check the status of the Kubernetes API server
```shell
kubectl cluster-info
```

### Get a list of all the pods running in the default namespace
```shell
kubectl get pods
```

### Check the logs of the kube-apiserver container to see if there are any suspicious activities
```shell
kubectl logs -n kube-system ${KUBE_APISERVER_POD_NAME} kube-apiserver
```

### Check the Kubernetes audit logs to see if there were any unauthorized API requests
```shell
kubectl get auditlog -o json | jq '.items[] | select(.user.username != "system:serviceaccount:kube-system:kube-apiserver").requestURI'
```

### Check the Kubernetes RBAC configuration to ensure that the correct permissions are in place
```shell
kubectl get clusterroles

kubectl get clusterrolebindings
```

## Repair

### Review access controls for the Kubernetes API server and ensure that only authorized users and applications have access.
```shell
#!/bin/bash

# Set variables

KUBE_CONFIG=${PATH_TO_KUBECONFIG}

KUBE_NAMESPACE=${NAMESPACE}

KUBE_API_SERVER=${API_SERVER_ENDPOINT}

# Review access controls for Kubernetes API server

kubectl --kubeconfig=$KUBE_CONFIG auth can-i --list --namespace=$KUBE_NAMESPACE --server=$KUBE_API_SERVER

# If necessary, update access controls to ensure only authorized users and applications have access

# Example command to grant a user read-only access to the namespace

kubectl --kubeconfig=$KUBE_CONFIG create role ${ROLE_NAME} --verb=get,list --resource=pods --namespace=$KUBE_NAMESPACE

kubectl --kubeconfig=$KUBE_CONFIG create rolebinding ${ROLE_BINDING_NAME} --role=${ROLE_NAME} --user=${USER_NAME} --namespace=$KUBE_NAMESPACE

```

This incident type is characterized by the detection of unauthorized access to the Kubernetes API server. This unauthorized access potentially enables attackers to manipulate cluster resources. Such incidents can lead to serious consequences, as unauthorized access allows attackers to make changes to the Kubernetes cluster, which may compromise the security and integrity of the entire system. Therefore, it is crucial to promptly detect and address such incidents to ensure the security and proper functioning of the Kubernetes cluster.


The Vault Sealed incident type occurs when an instance of the Vault has been sealed due to an error or issue. This can cause disruption to the system and requires immediate attention to resolve the issue and unseal the Vault instance. It is important to identify the root cause of the issue in order to prevent it from happening again in the future.


Vault Sealed Incident

This incident type occurs when the number of 5xx errors on Traffic Server is higher than usual. This can indicate issues with server performance or connectivity problems. It requires investigation to identify the root cause and resolve the issue.


High 5xx Errors on Traffic Server

This incident type occurs when the number of 4xx errors on Traffic Server is at an anomalous level, higher than usual. It could be an indicator of an issue with the server or an increase in traffic that is causing errors. It requires investigation and resolution to ensure the server is functioning correctly and not impacting users.


High 4xx Errors on Traffic Server

This incident type involves monitoring the replicas of a Kubernetes Statefulset, which is a type of workload in Kubernetes used for stateful applications. The incident is triggered when more than one replica's pods are down, creating an unsafe situation for manual operations. This incident is critical and requires immediate attention to resolve the issue and ensure the smooth functioning of the stateful applications.


Kubernetes Statefulset Replicas Monitoring Incident

Pod security policy conflicts refer to situations where there are security policy violations in Kubernetes pods. This can happen when pod security policies are not properly defined or when the policies in place conflict with the requirements of a specific pod. These conflicts can result in the pod being denied access to resources, which can cause serious disruptions in the application or system running on the pod.


Pod Security Policy Conflicts

```shell
export KUBE_APISERVER_POD_NAME="PLACEHOLDER"

export API_SERVER_ENDPOINT="PLACEHOLDER"

export ROLE_NAME="PLACEHOLDER"

export NAMESPACE="PLACEHOLDER"

export PATH_TO_KUBECONFIG="PLACEHOLDER"

```


### Check the status of the Kubernetes API server

```shell
kubectl cluster-info
```

### Get a list of all the pods running in the default namespace

```shell
kubectl get pods
```

### Check the logs of the kube-apiserver container to see if there are any suspicious activities

```shell
kubectl logs -n kube-system ${KUBE_APISERVER_POD_NAME} kube-apiserver
```

### Check the Kubernetes audit logs to see if there were any unauthorized API requests

```shell
kubectl get auditlog -o json | jq '.items[] | select(.user.username != "system:serviceaccount:kube-system:kube-apiserver").requestURI'
```

### Check the Kubernetes RBAC configuration to ensure that the correct permissions are in place

```shell
kubectl get clusterroles

kubectl get clusterrolebindings
```


### Review access controls for the Kubernetes API server and ensure that only authorized users and applications have access.

```shell
#!/bin/bash

# Set variables

KUBE_CONFIG=${PATH_TO_KUBECONFIG}

KUBE_NAMESPACE=${NAMESPACE}

KUBE_API_SERVER=${API_SERVER_ENDPOINT}

# Review access controls for Kubernetes API server

kubectl --kubeconfig=$KUBE_CONFIG auth can-i --list --namespace=$KUBE_NAMESPACE --server=$KUBE_API_SERVER

# If necessary, update access controls to ensure only authorized users and applications have access

# Example command to grant a user read-only access to the namespace

kubectl --kubeconfig=$KUBE_CONFIG create role ${ROLE_NAME} --verb=get,list --resource=pods --namespace=$KUBE_NAMESPACE

kubectl --kubeconfig=$KUBE_CONFIG create rolebinding ${ROLE_BINDING_NAME} --role=${ROLE_NAME} --user=${USER_NAME} --namespace=$KUBE_NAMESPACE

```


Unauthorized Access to Kubernetes API Server Detected

Overview

Parameters

Debug

Check the status of the Kubernetes API server

Get a list of all the pods running in the default namespace

Check the logs of the kube-apiserver container to see if there are any suspicious activities

Check the Kubernetes audit logs to see if there were any unauthorized API requests

Check the Kubernetes RBAC configuration to ensure that the correct permissions are in place

Repair

Review access controls for the Kubernetes API server and ensure that only authorized users and applications have access.

Learn more

Related Runbooks

Vault Sealed Incident

High 5xx Errors on Traffic Server

High 4xx Errors on Traffic Server

Kubernetes Statefulset Replicas Monitoring Incident

Support