Event Information

Meaning

  • This event indicates that an unauthorized user or process is attempting to gather information about the Kubernetes cluster through interactive commands.
  • It is important to investigate the source of the reconnaissance activity to prevent potential security breaches or data leaks.
  • To further analyze this event, you can use kubectl commands to check for any unauthorized pods, deployments, or services running in the cluster. For example, you can use “kubectl get pods” or “kubectl get deployments” to list all running pods or deployments in the cluster.

Remediation

  • Create a Kubernetes ServiceAccount with necessary permissions:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: recon-service-account
  • Create a ClusterRoleBinding to grant necessary permissions to the ServiceAccount:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: recon-clusterrole-binding
subjects:
- kind: ServiceAccount
  name: recon-service-account
  namespace: default
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
  • Use the Python Kubernetes client library to interact with the Kubernetes API and perform remediation actions based on the event.