GKE Cluster-Admin Role Binding Created or Modified

Detects creation or modification of a GKE ClusterRoleBinding that grants the cluster-admin ClusterRole, providing unrestricted cluster access and enabling rapid privilege escalation or persistence.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2026/06/30"
 3integration = ["gcp"]
 4maturity = "production"
 5updated_date = "2026/06/30"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects creation or modification of a GKE ClusterRoleBinding that grants the cluster-admin ClusterRole, providing
11unrestricted cluster access and enabling rapid privilege escalation or persistence.
12"""
13index = ["logs-gcp.audit-*"]
14language = "kuery"
15license = "Elastic License v2"
16name = "GKE Cluster-Admin Role Binding Created or Modified"
17note = """## Triage and analysis
18
19### Investigating GKE Cluster-Admin Role Binding Created or Modified
20
21Identify who created or changed the binding and which subject received cluster-admin.
22
23### Investigation steps
24
25- Review `user.email`, `source.ip`, and `gcp.audit.request` for the bound subject.
26- Hunt for secret reads, privileged pod creation, or webhook changes from the same actor or new subject.
27
28### False positives
29
30- Bootstrap, recovery, or GitOps workflows may recreate cluster-admin bindings during approved changes.
31
32## Setup
33
34The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
35references = [
36    "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
37    "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control",
38]
39risk_score = 47
40rule_id = "16708afb-4904-4d3c-af78-63640a075cb0"
41severity = "medium"
42tags = [
43    "Domain: Cloud",
44    "Domain: Kubernetes",
45    "Data Source: GCP",
46    "Data Source: Google Cloud Platform",
47    "Use Case: Threat Detection",
48    "Tactic: Persistence",
49    "Tactic: Privilege Escalation",
50    "Resources: Investigation Guide",
51]
52timestamp_override = "event.ingested"
53type = "query"
54
55query = '''
56data_stream.dataset:gcp.audit and service.name:"k8s.io" and event.outcome:success and
57event.action:(
58  "io.k8s.authorization.rbac.v1.clusterrolebindings.create" or
59  "io.k8s.authorization.rbac.v1.clusterrolebindings.patch" or
60  "io.k8s.authorization.rbac.v1.clusterrolebindings.update"
61) and gcp.audit.request.kind:"ClusterRoleBinding" and
62gcp.audit.resource_name:"rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin"
63'''
64
65[[rule.threat]]
66framework = "MITRE ATT&CK"
67
68[[rule.threat.technique]]
69id = "T1098"
70name = "Account Manipulation"
71reference = "https://attack.mitre.org/techniques/T1098/"
72
73[[rule.threat.technique.subtechnique]]
74id = "T1098.006"
75name = "Additional Container Cluster Roles"
76reference = "https://attack.mitre.org/techniques/T1098/006/"
77
78[rule.threat.tactic]
79id = "TA0003"
80name = "Persistence"
81reference = "https://attack.mitre.org/tactics/TA0003/"
82
83[[rule.threat]]
84framework = "MITRE ATT&CK"
85
86[[rule.threat.technique]]
87id = "T1098"
88name = "Account Manipulation"
89reference = "https://attack.mitre.org/techniques/T1098/"
90
91[[rule.threat.technique.subtechnique]]
92id = "T1098.006"
93name = "Additional Container Cluster Roles"
94reference = "https://attack.mitre.org/techniques/T1098/006/"
95
96[rule.threat.tactic]
97id = "TA0004"
98name = "Privilege Escalation"
99reference = "https://attack.mitre.org/tactics/TA0004/"

Triage and analysis

Investigating GKE Cluster-Admin Role Binding Created or Modified

Identify who created or changed the binding and which subject received cluster-admin.

Investigation steps

  • Review user.email, source.ip, and gcp.audit.request for the bound subject.
  • Hunt for secret reads, privileged pod creation, or webhook changes from the same actor or new subject.

False positives

  • Bootstrap, recovery, or GitOps workflows may recreate cluster-admin bindings during approved changes.

Setup

The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.

References

Related rules

to-top