The module lifecycle stageExperimental
The module has requirements for installation

Built-in security events

Auth

Code Resource name Severity Source Description Fields
D8_DECKHOUSE_GROUPS_ACCESSED d8-deckhouse-groups-accessed Medium kube-audit Detected successful access (get/list/watch) to groups resource in the deckhouse.io API group. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
D8_DECKHOUSE_GROUPS_MODIFIED d8-deckhouse-groups-modified High kube-audit Detected create, update, patch, or delete operations on groups resource in the deckhouse.io API group. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
D8_DECKHOUSE_USERS_ACCESSED d8-deckhouse-users-accessed Medium kube-audit Detected successful access (get/list/watch) to users resource in the deckhouse.io API group. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
D8_DECKHOUSE_USERS_MODIFIED d8-deckhouse-users-modified High kube-audit Detected create, update, patch, or delete operations on users resource in the deckhouse.io API group. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
D8_USER_LOCKED d8-user-locked Medium kube-audit Detected successful user lock operation event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
metadata.extra.auditID (opt.)
metadata.extra.initiatorType (opt.)
metadata.extra.operationApiVersion (opt.)
metadata.extra.operationGenerateName (opt.)
metadata.extra.operationKind (opt.)
metadata.extra.operationResourceVersion (opt.)
metadata.extra.responseCode (opt.)
metadata.extra.lockDuration (opt.)
D8_USER_LOGGED_OUT d8-user-logged-out Low dex-authenticator Detected user logout. event.code (req.)
source.component (req.)
actor.id (opt.)
metadata.extra.auth.status (opt.)
metadata.extra.auth.host (opt.)
metadata.extra.auth.method (opt.)
metadata.extra.auth.requestID (opt.)
metadata.extra.auth.clientIP (opt.)
metadata.extra.auth.userAgent (opt.)
D8_USER_PASSWORD_RESET d8-user-password-reset High kube-audit Detected successful user password reset operation via UserOperation resource (type=ResetPassword). event.code (req.)
source.component (req.)
actor.id (opt.)
object.username (opt.)
object.email (opt.)
object.connectorID (opt.)
metadata.extra.auditID (opt.)
metadata.extra.initiatorType (opt.)
D8_USER_UNLOCKED d8-user-unlocked Medium kube-audit Detected successful user unlock operation event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
metadata.extra.initiatorType (opt.)
metadata.extra.responseCode (opt.)
DEX_OFFLINESESSIONS_ACCESSED dex-offlinesessions-accessed High kube-audit Detected successful access (get/list/watch) to offlinesessionses resource in the dex.coreos.com API group. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
DEX_OFFLINESESSIONS_MODIFIED dex-offlinesessions-modified High kube-audit Detected create, update, patch, or delete operations on offlinesessionses resource in the dex.coreos.com API group. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
DEX_PASSWORDS_ACCESSED dex-passwords-accessed High kube-audit Detected successful access (get/list/watch) to passwords resource in the dex.coreos.com API group. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
DEX_PASSWORDS_MODIFIED dex-passwords-modified High kube-audit Detected create, update, patch, or delete operations on passwords resource in the dex.coreos.com API group. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)

Config

Code Resource name Severity Source Description Fields
K8S_AUDIT_POLICY_SECRET_MODIFIED k8s-audit-policy-secret-modified High kube-audit Detected modifications of Secret kube-system/audit-policy (create, update, patch, delete). This event is critical because it may impact Kubernetes audit policy. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_CERTIFICATE_ACCESSED k8s-certificate-accessed Medium kube-audit Detected successful access to certificates.cert-manager.io objects (get/list/watch). event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_CERTIFICATE_MODIFIED k8s-certificate-modified Medium kube-audit Detected create, update, patch, or delete operations on certificates.cert-manager.io objects. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_CONFIGMAP_ACCESSED k8s-configmap-accessed Medium kube-audit Detected successful access to ConfigMap objects (get/list/watch). event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_CONFIGMAP_MODIFIED k8s-configmap-modified Medium kube-audit Detected create, update, patch, or delete operations on ConfigMap objects. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_MODULECONFIG_MODIFIED k8s-moduleconfig-modified Medium kube-audit Detected creation, update, or deletion of a ModuleConfig object. This event is important for monitoring platform configuration changes. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
K8S_PVC_CREATED k8s-pvc-created Medium kube-audit Detected creation of a PersistentVolumeClaim object. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_PVC_DELETED k8s-pvc-deleted Medium kube-audit Detected deletion of a PersistentVolumeClaim object. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_PVC_MODIFIED k8s-pvc-modified Medium kube-audit Detected modification of a PersistentVolumeClaim object (update/patch). event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_PV_MODIFIED k8s-pv-modified Medium kube-audit Detected create, update, patch, or delete operations on PersistentVolume objects. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
K8S_SECRET_ACCESSED k8s-secret-accessed High kube-audit Detected successful access to Secret objects (get/list/watch). This event is important for monitoring reads of sensitive data. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_SECRET_MODIFIED k8s-secret-modified High kube-audit Detected create, update, patch, or delete operations on Secret objects. This event helps track changes to sensitive data. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_SECURITY_LOG_PVC_CHANGED k8s-security-log-cleanup High kube-audit Detected modification or deletion of PVC d8-monitoring/storage-loki-0, which may indicate security log cleanup. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)

Rbac

Code Resource name Severity Source Description Fields
D8_AUTHORIZATIONRULES_ACCESSED d8-authorizationrules-accessed Medium kube-audit Detected successful access (get/list/watch) to authorizationrules and clusterauthorizationrules resources in the deckhouse.io API group. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
D8_AUTHORIZATIONRULES_MODIFIED d8-authorizationrules-modified High kube-audit Detected create, update, patch, or delete operations on authorizationrules and clusterauthorizationrules resources in the deckhouse.io API group. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_CLUSTERROLEBINDING_CREATED k8s-clusterrolebinding-created Low kube-audit Detected creation or update of a Kubernetes ClusterRoleBinding. This event reflects changes in cluster-level RBAC role assignments. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
K8S_CLUSTERROLEBINDING_DELETED k8s-clusterrolebinding-deleted Low kube-audit Detected deletion of a Kubernetes ClusterRoleBinding. This event helps track revocation of previously granted cluster-level permissions. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
K8S_CLUSTER_ADMIN_BOUND k8s-cluster-admin-bound High kube-audit Detected creation or update of a ClusterRoleBinding that binds a subject to the cluster-admin role. This is a critical action that grants full administrative access to the cluster. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
K8S_RBAC_RESOURCES_ACCESSED k8s-rbac-resources-accessed Medium kube-audit Detected successful access (get/list/watch) to RBAC resources: roles, clusterroles, rolebindings, clusterrolebindings. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_RBAC_RESOURCES_MODIFIED k8s-rbac-resources-modified High kube-audit Detected create, update, patch, or delete operations on RBAC resources: roles, clusterroles, rolebindings, clusterrolebindings. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_ROLE_CREATED k8s-role-created Low kube-audit Detected creation or update of a Kubernetes Role or ClusterRole. This helps track changes in the RBAC access model. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
K8S_ROLE_DELETED k8s-role-deleted Low kube-audit Detected deletion of a Kubernetes Role or ClusterRole. This is important for controlling RBAC policy changes and identifying potential access disruptions. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
K8S_ROLE_POD_EXEC_CREATED k8s-role-pod-exec-created High kube-audit Detected creation of a Role or ClusterRole with pods/exec privileges. This enables command execution inside containers. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
K8S_ROLE_WILDCARD_CREATED k8s-role-wildcard-created High kube-audit Detected creation of a Role or ClusterRole with wildcard permissions. Such permissions usually grant excessively broad access to Kubernetes resources. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
K8S_ROLE_WRITE_CREATED k8s-role-write-created Medium kube-audit Detected creation of a Role or ClusterRole with write privileges. This may expand the ability to modify resources in the cluster. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
K8S_SA_CREATED_SYSTEM_NAMESPACE k8s-sa-created-system-namespace Medium kube-audit Detected creation of a ServiceAccount in a system namespace. This may indicate changes in the cluster’s trusted infrastructure zone. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_SA_TOKEN_CREATED k8s-sa-token-created Low kube-audit Detected creation of a token for a Kubernetes ServiceAccount. This event tracks issuance of temporary credentials for an identity. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_SA_TOKEN_CREATED_SYSTEM_NAMESPACE k8s-sa-token-created-system-namespace Medium kube-audit Detected creation of a token for a ServiceAccount in a system namespace. This may indicate obtaining access to the cluster’s trusted infrastructure zone. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_SERVICEACCOUNT_CREATED k8s-serviceaccount-created Low kube-audit Detected creation of a Kubernetes ServiceAccount. This is used to track the appearance of new application identities. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_SERVICEACCOUNT_DELETED k8s-serviceaccount-deleted Low kube-audit Detected deletion of a Kubernetes ServiceAccount. This may affect access permissions and the availability of applications or platform components. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_SYSTEM_ROLE_MODIFIED_DELETED k8s-system-role-modified-deleted High kube-audit Detected modification or deletion of system Role or ClusterRole objects (system:*). Such actions can affect core cluster security and behavior. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
K8S_UNAUTHORIZED_REQUEST k8s-unauthorized-request High kube-audit Detected unauthorized requests to the Kubernetes API (401/403). This may indicate access probing attempts or client misconfiguration. event.code (req.)
source.component (req.)
metadata.extra.sourceIPs (opt.)
metadata.extra.userAgent (opt.)
metadata.extra.verb (opt.)
metadata.extra.auditID (opt.)

Runtime

Code Resource name Severity Source Description Fields
K8S_EPHEMERAL_CONTAINER_CREATED k8s-ephemeral-container-created Medium kube-audit Detected creation of an ephemeral container in a Pod. This is often used for debugging and may require additional security review. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_NODE_CREATED k8s-node-created Medium kube-audit Detected creation of a Kubernetes Node resource. This event may indicate a new node joining the cluster and should be verified as expected. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
K8S_NODE_DELETED k8s-node-deleted High kube-audit Detected deletion of a Kubernetes Node resource. This event is important for monitoring potential node decommissioning and possible availability impact. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
K8S_POD_CREATED k8s-pod-created Low kube-audit Detected creation of a Kubernetes Pod. This event helps track the launch of new workloads in the cluster. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_POD_DELETED k8s-pod-deleted Low kube-audit Detected deletion of a Kubernetes Pod. This event helps monitor workload termination or removal. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_POD_EXEC_ATTACH k8s-pod-exec-attach Medium kube-audit Detected an exec or attach attempt against a Pod. This event is important for monitoring interactive runtime access to containers. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
metadata.extra.subresource (opt.)
K8S_POD_LOGS_ACCESSED k8s-pod-logs-accessed Medium kube-audit Detected successful access to Pod logs via the pods/log subresource. This event is useful for auditing reads of potentially sensitive data exposed in application logs. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_SECURITY_REPORT_CREATED k8s-security-report-created Low kube-audit Detected creation of Kubernetes security report resources (for example, ConfigAuditReport or VulnerabilityReport). This helps track the appearance of security scanning results. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_SYSTEM_NAMESPACE_POD_NO_DIGEST k8s-system-namespace-pod-no-digest Medium kube-audit Detected creation of a Pod in a system namespace without an image pinned by digest. This increases the risk of running an unpredictable image version. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)
K8S_VIRTUAL_MACHINE_OPERATION_CREATED k8s-virtual-machine-operation-created Medium kube-audit Detected creation of a VirtualMachineOperation resource in the virtualization.deckhouse.io API. This event reflects initiation of virtual machine management operations. event.code (req.)
source.component (req.)
actor.id (opt.)
object.name (opt.)
object.namespace (opt.)