Google Cloud Kubernetes Admission Controller
Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. Its behavior is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can abuse a MutatingAdmissionWebhook to obtain persistence in the cluster: for example, by intercepting and modifying pod creation operations so that a malicious container is added to every created pod. A ValidatingAdmissionWebhook can be abused to obtain access credentials: an adversary could use it to intercept requests to the API server and record secrets and other sensitive information.
Sigma rule
title: Google Cloud Kubernetes Admission Controller
id: 6ad91e31-53df-4826-bd27-0166171c8040
status: test
description: |
    Identifies when an admission controller is executed in GCP Kubernetes.
    A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
    The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
    An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
    For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.
    An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
    - https://cloud.google.com/kubernetes-engine/docs
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-18
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.defense-evasion
    - attack.persistence
    - attack.t1078
    - attack.credential-access
    - attack.t1552
    - attack.t1552.007
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v'
        gcp.audit.method_name|contains:
            - '.mutatingwebhookconfigurations.'
            - '.validatingwebhookconfigurations.'
        gcp.audit.method_name|endswith:
            - 'create'
            - 'patch'
            - 'replace'
    condition: selection
falsepositives:
    - Google Cloud Kubernetes Admission Controller may be done by a system administrator.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: medium
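To make the selection above concrete, here is an added example (not part of the Sigma project or of this rule) that evaluates the three `gcp.audit.method_name` modifiers the same way a Sigma backend would, against constructed GCP audit records. The records, the flattened `gcp.audit.method_name` field layout and the `actor` field are assumptions made for illustration; the method-name values are built to follow the pattern the rule's own strings describe. Sigma string modifiers are case-insensitive by default, so the matcher lowercases the field before comparing.

```python
"""Added example: apply the rule's selection to constructed GCP audit records.

Not SigmaHQ code. Field names follow the rule's logsource; the sample
records and their values are constructed for this illustration only.
"""
from typing import Dict, Iterable, List

# Patterns copied from the rule's detection.selection block.
STARTSWITH = "admissionregistration.k8s.io.v"
CONTAINS = (".mutatingwebhookconfigurations.", ".validatingwebhookconfigurations.")
ENDSWITH = ("create", "patch", "replace")

# Constructed sample audit records (field values are not real log data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"gcp.audit.method_name": "admissionregistration.k8s.io.v1.mutatingwebhookconfigurations.create",
     "actor": "ci-deployer@example-project.iam.gserviceaccount.com"},
    {"gcp.audit.method_name": "admissionregistration.k8s.io.v1.validatingwebhookconfigurations.patch",
     "actor": "alice@example.com"},
    # Read-only verbs are not covered by the rule: get/list/watch do not alert.
    {"gcp.audit.method_name": "admissionregistration.k8s.io.v1.mutatingwebhookconfigurations.get",
     "actor": "alice@example.com"},
    # Older API version still starts with 'admissionregistration.k8s.io.v'.
    {"gcp.audit.method_name": "admissionregistration.k8s.io.v1beta1.validatingwebhookconfigurations.replace",
     "actor": "bob@example.com"},
    # Unrelated resource: same verb, different API group.
    {"gcp.audit.method_name": "io.k8s.core.v1.pods.create",
     "actor": "bob@example.com"},
    # Deleting a webhook configuration is not among the rule's endswith values.
    {"gcp.audit.method_name": "admissionregistration.k8s.io.v1.mutatingwebhookconfigurations.delete",
     "actor": "alice@example.com"},
]


def matches_selection(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies every modifier in 'selection'.

    Within one Sigma selection, separate field entries are ANDed; the
    list values under a single modifier are ORed. Comparison is
    case-insensitive, as Sigma string matching is by default.
    """
    method = event.get("gcp.audit.method_name", "").lower()
    return (
        method.startswith(STARTSWITH)
        and any(needle in method for needle in CONTAINS)
        and method.endswith(ENDSWITH)
    )


def alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events an analyst would see as hits for this rule."""
    return [event for event in events if matches_selection(event)]


def hits_by_actor(events: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per actor, the first pivot for triaging the documented
    false positive (an administrator legitimately managing webhooks)."""
    counts: Dict[str, int] = {}
    for event in alerts(events):
        counts[event["actor"]] = counts.get(event["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"ALERT {hit['actor']}: {hit['gcp.audit.method_name']}")
    print(hits_by_actor(SAMPLE_EVENTS))
```

Three of the six constructed records match: the `create` and `patch` on the v1 configurations and the `replace` on the v1beta1 one. The `get` and `delete` records on the same resources do not, because the rule's `endswith` list only names create, patch and replace, and the pod creation does not because its method name is outside the `admissionregistration.k8s.io` API group. Grouping hits by actor is the natural first step for the exemption the rule's own falsepositives entry describes.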
References
- https://cloud.google.com/kubernetes-engine/docs
Related rules
- Azure Kubernetes Admission Controller
- Kubernetes Admission Controller Modification
- Application AppID Uri Configuration Changes
- External Remote RDP Logon from Public IP
- External Remote SMB Logon from Public IP