The module lifecycle stage: Experimental
The module has requirements for installation
Built-in security events
Auth
| Code | Resource name | Severity | Source | Description | Fields |
|---|---|---|---|---|---|
| D8_DECKHOUSE_GROUPS_ACCESSED | d8-deckhouse-groups-accessed |
Medium | kube-audit | Detected successful access (get/list/watch) to groups resource in the deckhouse.io API group. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| D8_DECKHOUSE_GROUPS_MODIFIED | d8-deckhouse-groups-modified |
High | kube-audit | Detected create, update, patch, or delete operations on groups resource in the deckhouse.io API group. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| D8_DECKHOUSE_USERS_ACCESSED | d8-deckhouse-users-accessed |
Medium | kube-audit | Detected successful access (get/list/watch) to users resource in the deckhouse.io API group. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| D8_DECKHOUSE_USERS_MODIFIED | d8-deckhouse-users-modified |
High | kube-audit | Detected create, update, patch, or delete operations on users resource in the deckhouse.io API group. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| D8_USER_LOCKED | d8-user-locked |
Medium | kube-audit | Detected successful user lock operation | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)metadata.extra.auditID (opt.)metadata.extra.initiatorType (opt.)metadata.extra.operationApiVersion (opt.)metadata.extra.operationGenerateName (opt.)metadata.extra.operationKind (opt.)metadata.extra.operationResourceVersion (opt.)metadata.extra.responseCode (opt.)metadata.extra.lockDuration (opt.) |
| D8_USER_LOGGED_OUT | d8-user-logged-out |
Low | dex-authenticator | Detected user logout. | event.code (req.)source.component (req.)actor.id (opt.)metadata.extra.auth.status (opt.)metadata.extra.auth.host (opt.)metadata.extra.auth.method (opt.)metadata.extra.auth.requestID (opt.)metadata.extra.auth.clientIP (opt.)metadata.extra.auth.userAgent (opt.) |
| D8_USER_PASSWORD_RESET | d8-user-password-reset |
High | kube-audit | Detected successful user password reset operation via UserOperation resource (type=ResetPassword). | event.code (req.)source.component (req.)actor.id (opt.)object.username (opt.)object.email (opt.)object.connectorID (opt.)metadata.extra.auditID (opt.)metadata.extra.initiatorType (opt.) |
| D8_USER_UNLOCKED | d8-user-unlocked |
Medium | kube-audit | Detected successful user unlock operation | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)metadata.extra.initiatorType (opt.)metadata.extra.responseCode (opt.) |
| DEX_OFFLINESESSIONS_ACCESSED | dex-offlinesessions-accessed |
High | kube-audit | Detected successful access (get/list/watch) to offlinesessionses resource in the dex.coreos.com API group. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| DEX_OFFLINESESSIONS_MODIFIED | dex-offlinesessions-modified |
High | kube-audit | Detected create, update, patch, or delete operations on offlinesessionses resource in the dex.coreos.com API group. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| DEX_PASSWORDS_ACCESSED | dex-passwords-accessed |
High | kube-audit | Detected successful access (get/list/watch) to passwords resource in the dex.coreos.com API group. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| DEX_PASSWORDS_MODIFIED | dex-passwords-modified |
High | kube-audit | Detected create, update, patch, or delete operations on passwords resource in the dex.coreos.com API group. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
Config
| Code | Resource name | Severity | Source | Description | Fields |
|---|---|---|---|---|---|
| K8S_AUDIT_POLICY_SECRET_MODIFIED | k8s-audit-policy-secret-modified |
High | kube-audit | Detected modifications of Secret kube-system/audit-policy (create, update, patch, delete). This event is critical because it may impact Kubernetes audit policy. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_CERTIFICATE_ACCESSED | k8s-certificate-accessed |
Medium | kube-audit | Detected successful access to certificates.cert-manager.io objects (get/list/watch). | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_CERTIFICATE_MODIFIED | k8s-certificate-modified |
Medium | kube-audit | Detected create, update, patch, or delete operations on certificates.cert-manager.io objects. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_CONFIGMAP_ACCESSED | k8s-configmap-accessed |
Medium | kube-audit | Detected successful access to ConfigMap objects (get/list/watch). | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_CONFIGMAP_MODIFIED | k8s-configmap-modified |
Medium | kube-audit | Detected create, update, patch, or delete operations on ConfigMap objects. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_MODULECONFIG_MODIFIED | k8s-moduleconfig-modified |
Medium | kube-audit | Detected creation, update, or deletion of a ModuleConfig object. This event is important for monitoring platform configuration changes. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.) |
| K8S_PVC_CREATED | k8s-pvc-created |
Medium | kube-audit | Detected creation of a PersistentVolumeClaim object. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_PVC_DELETED | k8s-pvc-deleted |
Medium | kube-audit | Detected deletion of a PersistentVolumeClaim object. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_PVC_MODIFIED | k8s-pvc-modified |
Medium | kube-audit | Detected modification of a PersistentVolumeClaim object (update/patch). | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_PV_MODIFIED | k8s-pv-modified |
Medium | kube-audit | Detected create, update, patch, or delete operations on PersistentVolume objects. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.) |
| K8S_SECRET_ACCESSED | k8s-secret-accessed |
High | kube-audit | Detected successful access to Secret objects (get/list/watch). This event is important for monitoring reads of sensitive data. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_SECRET_MODIFIED | k8s-secret-modified |
High | kube-audit | Detected create, update, patch, or delete operations on Secret objects. This event helps track changes to sensitive data. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_SECURITY_LOG_PVC_CHANGED | k8s-security-log-cleanup |
High | kube-audit | Detected modification or deletion of PVC d8-monitoring/storage-loki-0, which may indicate security log cleanup. |
event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
Rbac
| Code | Resource name | Severity | Source | Description | Fields |
|---|---|---|---|---|---|
| D8_AUTHORIZATIONRULES_ACCESSED | d8-authorizationrules-accessed |
Medium | kube-audit | Detected successful access (get/list/watch) to authorizationrules and clusterauthorizationrules resources in the deckhouse.io API group. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| D8_AUTHORIZATIONRULES_MODIFIED | d8-authorizationrules-modified |
High | kube-audit | Detected create, update, patch, or delete operations on authorizationrules and clusterauthorizationrules resources in the deckhouse.io API group. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_CLUSTERROLEBINDING_CREATED | k8s-clusterrolebinding-created |
Low | kube-audit | Detected creation or update of a Kubernetes ClusterRoleBinding. This event reflects changes in cluster-level RBAC role assignments. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.) |
| K8S_CLUSTERROLEBINDING_DELETED | k8s-clusterrolebinding-deleted |
Low | kube-audit | Detected deletion of a Kubernetes ClusterRoleBinding. This event helps track revocation of previously granted cluster-level permissions. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.) |
| K8S_CLUSTER_ADMIN_BOUND | k8s-cluster-admin-bound |
High | kube-audit | Detected creation or update of a ClusterRoleBinding that binds a subject to the cluster-admin role. This is a critical action that grants full administrative access to the cluster. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.) |
| K8S_RBAC_RESOURCES_ACCESSED | k8s-rbac-resources-accessed |
Medium | kube-audit | Detected successful access (get/list/watch) to RBAC resources: roles, clusterroles, rolebindings, clusterrolebindings. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_RBAC_RESOURCES_MODIFIED | k8s-rbac-resources-modified |
High | kube-audit | Detected create, update, patch, or delete operations on RBAC resources: roles, clusterroles, rolebindings, clusterrolebindings. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_ROLE_CREATED | k8s-role-created |
Low | kube-audit | Detected creation or update of a Kubernetes Role or ClusterRole. This helps track changes in the RBAC access model. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.) |
| K8S_ROLE_DELETED | k8s-role-deleted |
Low | kube-audit | Detected deletion of a Kubernetes Role or ClusterRole. This is important for controlling RBAC policy changes and identifying potential access disruptions. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.) |
| K8S_ROLE_POD_EXEC_CREATED | k8s-role-pod-exec-created |
High | kube-audit | Detected creation of a Role or ClusterRole with pods/exec privileges. This enables command execution inside containers. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.) |
| K8S_ROLE_WILDCARD_CREATED | k8s-role-wildcard-created |
High | kube-audit | Detected creation of a Role or ClusterRole with wildcard permissions. Such permissions usually grant excessively broad access to Kubernetes resources. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.) |
| K8S_ROLE_WRITE_CREATED | k8s-role-write-created |
Medium | kube-audit | Detected creation of a Role or ClusterRole with write privileges. This may expand the ability to modify resources in the cluster. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.) |
| K8S_SA_CREATED_SYSTEM_NAMESPACE | k8s-sa-created-system-namespace |
Medium | kube-audit | Detected creation of a ServiceAccount in a system namespace. This may indicate changes in the cluster’s trusted infrastructure zone. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_SA_TOKEN_CREATED | k8s-sa-token-created |
Low | kube-audit | Detected creation of a token for a Kubernetes ServiceAccount. This event tracks issuance of temporary credentials for an identity. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_SA_TOKEN_CREATED_SYSTEM_NAMESPACE | k8s-sa-token-created-system-namespace |
Medium | kube-audit | Detected creation of a token for a ServiceAccount in a system namespace. This may indicate obtaining access to the cluster’s trusted infrastructure zone. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_SERVICEACCOUNT_CREATED | k8s-serviceaccount-created |
Low | kube-audit | Detected creation of a Kubernetes ServiceAccount. This is used to track the appearance of new application identities. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_SERVICEACCOUNT_DELETED | k8s-serviceaccount-deleted |
Low | kube-audit | Detected deletion of a Kubernetes ServiceAccount. This may affect access permissions and the availability of applications or platform components. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_SYSTEM_ROLE_MODIFIED_DELETED | k8s-system-role-modified-deleted |
High | kube-audit | Detected modification or deletion of system Role or ClusterRole objects (system:*). Such actions can affect core cluster security and behavior. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.) |
| K8S_UNAUTHORIZED_REQUEST | k8s-unauthorized-request |
High | kube-audit | Detected unauthorized requests to the Kubernetes API (401/403). This may indicate access probing attempts or client misconfiguration. | event.code (req.)source.component (req.)metadata.extra.sourceIPs (opt.)metadata.extra.userAgent (opt.)metadata.extra.verb (opt.)metadata.extra.auditID (opt.) |
Runtime
| Code | Resource name | Severity | Source | Description | Fields |
|---|---|---|---|---|---|
| K8S_EPHEMERAL_CONTAINER_CREATED | k8s-ephemeral-container-created |
Medium | kube-audit | Detected creation of an ephemeral container in a Pod. This is often used for debugging and may require additional security review. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_NODE_CREATED | k8s-node-created |
Medium | kube-audit | Detected creation of a Kubernetes Node resource. This event may indicate a new node joining the cluster and should be verified as expected. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.) |
| K8S_NODE_DELETED | k8s-node-deleted |
High | kube-audit | Detected deletion of a Kubernetes Node resource. This event is important for monitoring potential node decommissioning and possible availability impact. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.) |
| K8S_POD_CREATED | k8s-pod-created |
Low | kube-audit | Detected creation of a Kubernetes Pod. This event helps track the launch of new workloads in the cluster. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_POD_DELETED | k8s-pod-deleted |
Low | kube-audit | Detected deletion of a Kubernetes Pod. This event helps monitor workload termination or removal. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_POD_EXEC_ATTACH | k8s-pod-exec-attach |
Medium | kube-audit | Detected an exec or attach attempt against a Pod. This event is important for monitoring interactive runtime access to containers. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.)metadata.extra.subresource (opt.) |
| K8S_POD_LOGS_ACCESSED | k8s-pod-logs-accessed |
Medium | kube-audit | Detected successful access to Pod logs via the pods/log subresource. This event is useful for auditing reads of potentially sensitive data exposed in application logs. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_SECURITY_REPORT_CREATED | k8s-security-report-created |
Low | kube-audit | Detected creation of Kubernetes security report resources (for example, ConfigAuditReport or VulnerabilityReport). This helps track the appearance of security scanning results. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_SYSTEM_NAMESPACE_POD_NO_DIGEST | k8s-system-namespace-pod-no-digest |
Medium | kube-audit | Detected creation of a Pod in a system namespace without an image pinned by digest. This increases the risk of running an unpredictable image version. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |
| K8S_VIRTUAL_MACHINE_OPERATION_CREATED | k8s-virtual-machine-operation-created |
Medium | kube-audit | Detected creation of a VirtualMachineOperation resource in the virtualization.deckhouse.io API. This event reflects initiation of virtual machine management operations. | event.code (req.)source.component (req.)actor.id (opt.)object.name (opt.)object.namespace (opt.) |