Create Symlink Over Sensitive Files

​

Event Information

​

Meaning

• The Create Symlink Over Sensitive Files event in a Kubernetes cluster indicates that a process or container attempted to create a symbolic link (symlink) pointing to a sensitive file or directory.
• This event could potentially be a security risk as it may allow unauthorized access or modification of sensitive data or system files.
• It is important to investigate this event further to identify the source of the symlink creation and take appropriate actions to mitigate the risk, such as removing the symlink and securing the sensitive files or directories.

To investigate and mitigate this event in a Kubernetes cluster:

1. Identify the pod or container involved in the event by checking the relevant logs or using the Kubernetes audit logs.

   • Use the following command to retrieve the logs of a specific pod:

     kubectl logs <pod_name> -n <namespace>
     

   • Check the Kubernetes audit logs to find relevant events:

     kubectl get events --field-selector=type=Normal -n <namespace>
     

2. Inspect the container or pod configuration to ensure that it does not have unnecessary privileges or access to sensitive files.

   • Use the following command to describe a pod and check its configuration:

     kubectl describe pod <pod_name> -n <namespace>
     

3. Review the security policies and RBAC (Role-Based Access Control) settings in the cluster to ensure that only authorized processes or containers have access to sensitive files or directories.

   • Use the following command to view RBAC roles and bindings:

     kubectl get roles,rolebindings -n <namespace>
     

   • Update RBAC settings as necessary to restrict access to sensitive files or directories.

​

Remediation

To remediate the event “Create Symlink Over Sensitive Files” using the Python Kubernetes API, you can follow these steps:

1. Identify the sensitive files that are being symlinked:

   • Use the kubectl exec command to access the affected container within the pod: kubectl exec -it <pod-name> -c <container-name> -- /bin/bash
   • List the sensitive files in the container: ls -l /path/to/sensitive/files

2. Remove the symlinked file and restore the original file:

   • Use the Python Kubernetes API to delete the pod:

     from kubernetes import client, config
     
     config.load_kube_config()
     v1 = client.CoreV1Api()
     
     v1.delete_namespaced_pod(name="<pod-name>", namespace="<namespace>")
     

   • Alternatively, you can use the kubectl delete command: kubectl delete pod <pod-name> -n <namespace>

3. Investigate and fix the root cause of the symlink creation:

   • Review the pod’s YAML manifest file to identify any volume mounts or hostPath configurations that allow write access to sensitive files.
   • Update the pod’s manifest file to remove or restrict the write access to sensitive files.
   • Apply the updated manifest file using the Python Kubernetes API or the kubectl apply command.

Remember to test the remediation script in a non-production environment before applying it to your production cluster.