GKE Cluster-Admin Role Binding Created or Modified
Detects creation or modification of a GKE ClusterRoleBinding that grants the cluster-admin ClusterRole, providing unrestricted cluster access and enabling rapid privilege escalation or persistence.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/30"
3integration = ["gcp"]
4maturity = "production"
5updated_date = "2026/06/30"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects creation or modification of a GKE ClusterRoleBinding that grants the cluster-admin ClusterRole, providing
11unrestricted cluster access and enabling rapid privilege escalation or persistence.
12"""
13index = ["logs-gcp.audit-*"]
14language = "kuery"
15license = "Elastic License v2"
16name = "GKE Cluster-Admin Role Binding Created or Modified"
17note = """## Triage and analysis
18
19### Investigating GKE Cluster-Admin Role Binding Created or Modified
20
21Identify who created or changed the binding and which subject received cluster-admin.
22
23### Investigation steps
24
25- Review `user.email`, `source.ip`, and `gcp.audit.request` for the bound subject.
26- Hunt for secret reads, privileged pod creation, or webhook changes from the same actor or new subject.
27
28### False positives
29
30- Bootstrap, recovery, or GitOps workflows may recreate cluster-admin bindings during approved changes.
31
32## Setup
33
34The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
35references = [
36 "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
37 "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control",
38]
39risk_score = 47
40rule_id = "16708afb-4904-4d3c-af78-63640a075cb0"
41severity = "medium"
42tags = [
43 "Domain: Cloud",
44 "Domain: Kubernetes",
45 "Data Source: GCP",
46 "Data Source: Google Cloud Platform",
47 "Use Case: Threat Detection",
48 "Tactic: Persistence",
49 "Tactic: Privilege Escalation",
50 "Resources: Investigation Guide",
51]
52timestamp_override = "event.ingested"
53type = "query"
54
55query = '''
56data_stream.dataset:gcp.audit and service.name:"k8s.io" and event.outcome:success and
57event.action:(
58 "io.k8s.authorization.rbac.v1.clusterrolebindings.create" or
59 "io.k8s.authorization.rbac.v1.clusterrolebindings.patch" or
60 "io.k8s.authorization.rbac.v1.clusterrolebindings.update"
61) and gcp.audit.request.kind:"ClusterRoleBinding" and
62gcp.audit.resource_name:"rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin"
63'''
64
65[[rule.threat]]
66framework = "MITRE ATT&CK"
67
68[[rule.threat.technique]]
69id = "T1098"
70name = "Account Manipulation"
71reference = "https://attack.mitre.org/techniques/T1098/"
72
73[[rule.threat.technique.subtechnique]]
74id = "T1098.006"
75name = "Additional Container Cluster Roles"
76reference = "https://attack.mitre.org/techniques/T1098/006/"
77
78[rule.threat.tactic]
79id = "TA0003"
80name = "Persistence"
81reference = "https://attack.mitre.org/tactics/TA0003/"
82
83[[rule.threat]]
84framework = "MITRE ATT&CK"
85
86[[rule.threat.technique]]
87id = "T1098"
88name = "Account Manipulation"
89reference = "https://attack.mitre.org/techniques/T1098/"
90
91[[rule.threat.technique.subtechnique]]
92id = "T1098.006"
93name = "Additional Container Cluster Roles"
94reference = "https://attack.mitre.org/techniques/T1098/006/"
95
96[rule.threat.tactic]
97id = "TA0004"
98name = "Privilege Escalation"
99reference = "https://attack.mitre.org/tactics/TA0004/"
Triage and analysis
Investigating GKE Cluster-Admin Role Binding Created or Modified
Identify who created or changed the binding and which subject received cluster-admin.
Investigation steps
- Review
user.email,source.ip, andgcp.audit.requestfor the bound subject. - Hunt for secret reads, privileged pod creation, or webhook changes from the same actor or new subject.
False positives
- Bootstrap, recovery, or GitOps workflows may recreate cluster-admin bindings during approved changes.
Setup
The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.
References
Related rules
- GKE Admission Webhook Created or Modified
- GKE Container Created with Excessive Linux Capabilities
- GKE Pod Created With HostIPC
- GKE Pod Created With HostNetwork
- GKE Pod Created With HostPID