8 patterns
of Kubernetes attack activity detectable from API server audit logs: secret enumeration, role binding privilege escalation, exec into containers, privileged pod creation, cluster admin modification, service account token creation, cross-namespace access, and anonymous API access
RequestResponse
audit level required to capture the full request and response body for sensitive operations like secret access and role binding creation -- lower levels (None, Metadata, Request) miss payload details
55%
of Kubernetes security incidents involve RBAC misconfiguration or privilege escalation through role bindings -- all of which are visible in API server audit logs
3 log fields
required in every Kubernetes audit log detection rule: user.username (the requesting principal), verb (the operation type), and objectRef.resource (the target resource type)

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The Kubernetes API server is the control plane for everything that happens in a cluster. Every kubectl command, every admission controller decision, every pod creation, every secret read, and every role binding change flows through the API server and can be captured in the audit log. For an attacker who has gained access to a cluster -- through a compromised service account token, a misconfigured RBAC binding, or container escape -- the API server is the tool they use to escalate privileges, move laterally, and persist.

Most Kubernetes clusters have audit logging enabled in some form. Very few have detection rules built on top of the audit log data. The data exists; the signal is not being extracted from it. This guide covers the audit policy configuration that captures the events you need without producing unmanageable volume, the log ingestion setup, and the eight detection rules that surface the most common Kubernetes attack patterns.

Audit Policy Configuration: Capturing Signal Without Log Flood

Kubernetes audit logging is configured via an audit policy file (a YAML specification) that maps resource types and verbs to audit levels. The four audit levels: None (do not log), Metadata (log only request metadata), Request (log metadata and request body), and RequestResponse (log metadata, request body, and response body).

A policy that logs everything at RequestResponse produces unmanageable volume for any non-trivial cluster. An effective policy logs sensitive resources at RequestResponse and high-volume, low-security-value resources at Metadata or None.

Resources to log at RequestResponse level (full request and response bodies):

  • secrets (all verbs) -- secret access is a primary attacker goal; you need the full response to detect mass enumeration
  • rolebindings and clusterrolebindings (create, update, patch, delete) -- privilege escalation via role binding
  • pods/exec and pods/attach (create) -- exec into running containers
  • pods with privileged security context (create) -- privileged container creation
  • serviceaccounts and serviceaccounts/token (create) -- service account token generation

Resources to log at Metadata level (high volume, lower security value):

  • All other pod operations (create, delete without exec)
  • ConfigMap operations
  • Service and ingress operations

Resources to log at None (exclude from audit):

  • events (watch) -- high volume, low security value
  • pods/log (get) -- high volume for operational logging
  • Readiness and liveness probe checks (health check endpoints)

The policy file is applied to the API server via the --audit-policy-file flag. In managed Kubernetes environments (EKS, GKE, AKS), audit logging is configured through the cluster management console or CLI rather than directly on the API server.

Ingesting Kubernetes Audit Logs Into Your SIEM

Kubernetes audit logs are written to a file path specified by the --audit-log-path API server flag or, for managed Kubernetes, exported to the cloud provider's logging service. The ingestion path depends on your environment:

Self-managed clusters: Audit logs are written to a local file (e.g., /var/log/kubernetes/audit.log). Use a log agent (Fluentd, Fluent Bit, or Filebeat) to tail the file and forward to your SIEM. Each log line is a JSON-formatted audit event. Parse the JSON and extract the key fields for SIEM ingestion: timestamp, user.username, user.groups, sourceIPs, verb, objectRef.namespace, objectRef.resource, objectRef.name, responseStatus.code, and requestURI.

AWS EKS: Enable control plane logging (API server, audit) in the EKS cluster configuration. Logs appear in CloudWatch Logs under the log group /aws/eks/cluster-name/cluster. Use CloudWatch Logs Insights or a CloudWatch Logs subscription to forward to your SIEM (or query directly in Athena if you export to S3).

GKE: Enable Cloud Audit Logs for the Kubernetes Engine API. Logs appear in Cloud Logging under cloudaudit.googleapis.com/activity. Forward to your SIEM via Pub/Sub export or query directly in BigQuery.

AKS: Enable diagnostic settings to export audit logs to a Log Analytics Workspace. Query with KQL in Microsoft Sentinel or forward to another SIEM via Azure Event Hub.

For all ingestion paths: confirm that the ingestion pipeline has a maximum acceptable latency (target: 5 minutes from event to searchable in SIEM). Detection rules that fire on real-time Kubernetes events need near-real-time log ingestion to be actionable.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The Eight Detection Rules for High-Value Kubernetes Attack Patterns

Rule 1: Secret enumeration. Alert when a principal reads 10 or more secrets within a 5-minute window in the same namespace or across namespaces. Query: verb = "get" AND objectRef.resource = "secrets" | group by user.username | count > 10 in 5 minutes. The threshold of 10 distinguishes automated secret enumeration from a developer who reads 2 or 3 secrets during normal operations.

Rule 2: ClusterRoleBinding creation granting cluster-admin. Alert when a ClusterRoleBinding is created that references the cluster-admin ClusterRole. This is one of the highest-impact privilege escalation actions in a Kubernetes cluster. Query: verb = "create" AND objectRef.resource = "clusterrolebindings" AND requestObject.roleRef.name = "cluster-admin". Any result is a true positive in most environments.

Rule 3: Exec into a running container. Alert when a pod exec or attach event is recorded for a production namespace, especially by service account principals (automated workloads) or from unexpected user principals. Query: verb = "create" AND objectRef.resource = "pods/exec" AND objectRef.namespace = "production". Exec from a service account principal (not a human user) is especially suspicious.

Rule 4: Privileged pod creation. Alert when a pod is created with securityContext.privileged = true or hostPID = true or hostNetwork = true. These are container escape prerequisites. In environments using PodSecurity Standards or OPA/Gatekeeper, these should be blocked -- an audit log showing they were allowed indicates a policy gap.

Rule 5: Service account token creation. Alert when a service account token is created via the TokenRequest API (verb = create, resource = serviceaccounts/token). Attackers who compromise a pod with limited permissions may attempt to generate a long-lived token for a more privileged service account. Any token creation in a production namespace by a non-CI/CD principal should be investigated.

Rule 6: Anonymous authentication to the API server. Alert when audit log events show user.username = "system:anonymous". Anonymous authentication should be disabled in production clusters. Any anonymous request that reaches the API server indicates that the --anonymous-auth=false flag is not set or was overridden.

Rule 7: Cross-namespace secret access. Alert when a principal in namespace A reads a secret in namespace B. Kubernetes RBAC can prevent this if properly configured -- but audit log detection catches cases where RBAC misconfiguration allows cross-namespace access. Filter: verb = "get" AND objectRef.resource = "secrets" AND user namespace != objectRef.namespace (where the user's service account namespace is derivable from the username pattern system:serviceaccount:namespace:name).

Rule 8: Workload identity modification of RBAC at cluster scope. Alert when a ClusterRole or ClusterRoleBinding is modified by a principal whose username starts with system:serviceaccount: (a service account rather than a human user or CI/CD system). Service accounts modifying cluster-level RBAC is almost always malicious -- it is the pattern of an attacker who has compromised a pod and is attempting to escalate privileges.

Tuning Out Noise: Common Sources of False Positives

Raw Kubernetes audit log detection rules fire on legitimate activity if not tuned. The most common false positive sources and how to address each:

CI/CD service accounts. Deployment pipelines run as service accounts with elevated permissions that perform create, update, and delete operations at high frequency. Exclude known CI/CD service account names (e.g., system:serviceaccount:ci:jenkins) from most detection rules, or create a separate detection profile for CI/CD activity with a higher threshold for alert triggering.

Cluster autoscalers and node management. The cluster autoscaler, node provisioners, and managed node group controllers create and delete pods and modify resource limits at scale. Their service account identities should be identified and excluded from pod creation and deletion rules.

Monitoring and observability agents. Prometheus, Datadog, and similar monitoring agents list pods and secrets at high frequency. The list verb on pods and configmaps at high frequency is legitimate monitoring traffic. Tune the secret enumeration rule to target get (reading specific secrets by name) rather than list (listing all secrets in a namespace) if monitoring agents are causing false positives.

Namespace-scoped Helm releases. Helm stores release state in secrets (in newer Helm versions) or configmaps. A Helm upgrade operation reads and writes multiple secrets in rapid succession. If Helm is used extensively, tune the secret enumeration rule to exclude the Helm service account principal and secrets with names matching the sh.helm.release.v1.* pattern.

Threat Hunting With Kubernetes Audit Logs

Beyond alerting on known-bad patterns, Kubernetes audit logs support proactive threat hunting -- querying historical data to find patterns of activity that a detection rule may not have been in place to catch.

Hunt 1: Historical anonymous access. Query the last 30 days of audit logs for user.username = "system:anonymous". Even if anonymous auth is now disabled, historical anonymous access may indicate a period when the cluster was reachable without authentication.

Hunt 2: Unusual user agents. The userAgent field in audit logs records the tool that made the API request (kubectl/1.28, kube-controller-manager, helm/3.12). Automated attacker tools have recognizable user agents. Query for user agents that do not match your known set: userAgent NOT IN ["kubectl/1.28*", "helm/3.12*", "kubelet*", "kube-controller-manager*"]. Unusual user agents warrant investigation regardless of what resource they accessed.

Hunt 3: Source IP anomalies. Query for API server requests from sourceIPs outside your known cluster IP ranges (pod CIDR, service CIDR, known jump host IPs, CI/CD runner IPs). An API server request from an IP outside these ranges may indicate direct API server access from outside the cluster -- a sign that either the API server is exposed to the internet or a pod has unusual external connectivity.

Hunt 4: High-privilege operations in unusual hours. Query for ClusterRoleBinding creation, secret writes, and pod exec events that occurred outside business hours. While legitimate operations can occur at any time, attackers who have persistent access tend to operate during off-hours when SOC coverage may be lower. Compare high-privilege operations in the last 30 days against the typical distribution by hour of day.

Maintaining Detection Coverage as the Cluster Evolves

Kubernetes audit log detection coverage degrades over time if not actively maintained: new namespaces are added that detection rules need to cover, new service accounts are created that should be excluded from CI/CD filters, and cluster upgrades can change how certain operations appear in the audit log.

Three maintenance practices keep detection effective:

Namespace-aware rule updates. When a new production namespace is created, update namespace-scoped detection rules to include it. Keep a registry of namespaces that should be covered by each detection rule and review it quarterly against the current cluster namespace list.

Service account allowlist management. Maintain an explicit allowlist of service account identities that are excluded from detection rules (CI/CD, autoscalers, monitoring agents). Review the allowlist quarterly to remove service accounts that have been decommissioned and add new infrastructure service accounts that have been provisioned.

Audit policy coverage review. When a new resource type or API version is introduced in a cluster upgrade, review whether the audit policy covers it at the appropriate level. Kubernetes GA resources that should be audited at RequestResponse but are not in the audit policy represent detection gaps. Review the audit policy against the cluster's supported API resources (kubectl api-resources) annually.

The bottom line

Kubernetes API server audit logs are the most comprehensive source of control plane activity in a cluster, recording every principal, every resource access, and every configuration change. Most clusters enable audit logging but do not build detection logic on top of it -- leaving the data as a forensic resource rather than an active detection layer. The eight detection rules for secret enumeration, privilege escalation via role binding, exec into containers, privileged pod creation, cluster admin modification, service account token creation, cross-namespace access, and anonymous API access cover the majority of Kubernetes attack patterns visible from the audit log. Tune out known CI/CD and monitoring service accounts as false positive sources. Supplement real-time detection with quarterly threat hunts on historical data for anonymous access, unusual user agents, external source IPs, and off-hours privilege escalation.

Frequently asked questions

What are Kubernetes API server audit logs?

Kubernetes API server audit logs record every request to the Kubernetes API server -- the control plane for all cluster operations. Each log entry includes the requesting principal (user.username), the operation verb (get, list, create, patch, delete), the resource type (pods, secrets, rolebindings), the namespace, the response status code, and source IPs. They are configured via an audit policy file that maps resource types and verbs to audit levels (None, Metadata, Request, or RequestResponse). In managed Kubernetes environments (EKS, GKE, AKS), audit logging is enabled through the cloud provider's cluster configuration.

Which Kubernetes resources should be logged at the RequestResponse audit level?

Log at RequestResponse (full request and response body) for: secrets (all verbs -- you need the response body to detect mass enumeration), rolebindings and clusterrolebindings (create, update, patch, delete -- privilege escalation via role binding), pods/exec and pods/attach (create -- exec into running containers), pods with privileged security context (create), and serviceaccounts/token (create -- service account token generation). Log other pod operations and configmap operations at Metadata level. Exclude events (watch), pods/log (get), and health check endpoints from audit logging entirely to manage log volume.

What are the most important Kubernetes attack patterns to detect with audit logs?

Eight patterns cover the majority of Kubernetes attack activity: secret enumeration (10+ get requests on secrets in 5 minutes), ClusterRoleBinding creation granting cluster-admin (always a true positive in most environments), exec into a production container (especially by service account principals), privileged pod creation (securityContext.privileged=true or hostPID/hostNetwork=true), service account token creation by non-CI/CD principals, anonymous API server authentication (user.username=system:anonymous), cross-namespace secret access, and service account modification of cluster-level RBAC.

How do I reduce false positives in Kubernetes audit log detection rules?

Four common false positive sources and mitigations: CI/CD service accounts (exclude known CI/CD service account identities from most rules, or use higher thresholds for CI/CD activity), cluster autoscalers and node management controllers (identify and exclude their service account identities from pod creation rules), monitoring agents like Prometheus or Datadog (tune secret enumeration rules to target `get` specific secrets rather than `list`, or exclude monitoring agent service accounts), and Helm releases (exclude the Helm service account principal from secret enumeration rules and filter secrets matching the sh.helm.release.v1.* name pattern).

How do I enable Kubernetes audit logging in EKS, GKE, and AKS?

In AWS EKS: enable control plane logging (API, audit, authenticator, controllerManager, scheduler) in the EKS cluster configuration via the AWS console or CLI. Logs appear in CloudWatch Logs under /aws/eks/cluster-name/cluster. In Google GKE: enable Cloud Audit Logs for the Kubernetes Engine API in the project's IAM and Admin > Audit Logs settings. Logs appear in Cloud Logging under cloudaudit.googleapis.com/activity. In Azure AKS: enable diagnostic settings on the AKS cluster resource to export kube-audit and kube-audit-admin log categories to a Log Analytics Workspace.

What Kubernetes audit log events should I threat hunt on proactively?

Four high-value hunts on historical audit log data: anonymous API access (user.username=system:anonymous -- query 30 days of historical data even if anonymous auth is now disabled), unusual user agents (API requests with userAgent values not matching your known tool set of kubectl, helm, kubelet, kube-controller-manager), source IP anomalies (API server requests from IPs outside your pod CIDR, service CIDR, and known jump host IPs), and off-hours high-privilege operations (ClusterRoleBinding creation, secret writes, pod exec events outside business hours correlated against the typical hour-of-day distribution).

What detection gap does Kubernetes audit log monitoring fill that runtime security tools like Falco don't?

Runtime security tools (Falco, Tetragon, Aqua) detect events at the kernel system call and container layer: file access patterns, network connections from containers, process execution inside pods. Kubernetes audit logs detect control plane events: who changed what RBAC binding, which service account was granted which permission, which user listed all secrets in the cluster. These are different layers with complementary visibility. An attacker who modifies a ClusterRoleBinding to escalate privileges leaves no runtime security signal (the operation is a legitimate Kubernetes API call), but leaves a clear audit log event. Together, the two layers provide comprehensive detection coverage.

Sources & references

  1. Kubernetes: Auditing Documentation
  2. CISA: Kubernetes Hardening Guidance NSA/CISA
  3. MITRE ATT&CK for Containers
  4. Falco: Kubernetes Runtime Security
  5. Sysdig: Kubernetes Security Best Practices

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.