
Exceptional Requests of K8s APIs
Last updated: 2024-08-13 17:10:53
This feature monitors exceptional request behaviors against cluster APIs in real time, using both system policies and user-defined rules.
System Policy: Based on Tencent Cloud's security technology and multi-dimensional detection methods, the system policy monitors exceptional cluster API requests through nine rule types: anonymous access, exceptional UA requests, anonymous permission change, credential acquisition, sensitive path mounts, command execution, exceptional scheduled task, static pod creation, and suspicious container creation.
User-defined Rules: You can define which K8s API request fields count as exceptional and which clusters a rule applies to, so detection can be tailored to actual business needs.

Event List

Log in to the TCSS console. In the left sidebar, click Advanced Prevention > Abnormal K8s API requests, and by default, you will enter the event list page.

Security Status and Events Trend

The security status panel shows the number of pending exceptional K8s API request events, broken down by threat level (high, medium, low, and note), based on the security events reported by the system.

The events trend panel shows the trend of security events over the past seven days, split by whether they hit system rules or custom rules, based on the security events reported by the system.


Event List

You can select a Last Occurred time range to view security events, or search for events by cluster name or cluster ID. The fields in the event list are:
Hit Rules: The rule the request matched, which is one of the nine system rules (anonymous access, exceptional UA requests, anonymous permission change, credential acquisition, sensitive path mounts, command execution, exceptional scheduled task, static pod creation, and suspicious container creation) or a user-defined rule.
Rule Type: System rule or user-defined rule.
Threat Level: High, medium, low, or note.
Cluster Name/ID/Running Status: The name, ID, and running status of the cluster affected by the security event.
First Occurred: The time when this security event first occurred.
Last Occurred: The time when this security event most recently occurred.
Alarms: The system aggregates pending security events by cluster name, cluster ID, hit rule, and request log, and displays them with a daily aggregation cycle.
Status: Pending, processed, ignored, or allowlisted.
Operation: Click Details to view the event details.

Viewing Details

In the event list, click details to view event details. Details include event details, cluster name/ID, cluster runtime components, risk description, recommended solution, exceptional request information, and JSON logs.


Processing the Event

1. In the event list, click Process. You can mark the event as processed, add it to the allowlist, ignore it, or delete the record. Click Confirm.
2. In the secondary confirmation window, perform one of the following actions:
Mark as processed: It is recommended to remediate the event risk by following the solution in the event details, then click OK. After remediation, you can mark the event as processed.
Add to the allowlist: Configure the relevant parameters and click OK.
Note:
If you have confirmed that the K8s API request is normal behavior, you can add it to the allowlist rules. Subsequent occurrences of this request will then be allowed through without triggering alarms. Proceed with caution.
When you add an event to the allowlist, the system automatically fills in the fields that triggered the alarm and the cluster based on the source event. If needed, you can manually adjust the effective fields and the effective cluster range of the allowlist entry.

Ignore: Click OK to ignore only the selected events. Alarms will still be triggered if the same events occur again.
Delete log: Click OK to delete the selected event record. It will no longer be displayed in the console and cannot be recovered. Proceed with caution.

Rule Configuration

Log in to the TCSS console. In the left sidebar, click Advanced Prevention > Abnormal K8s API Requests > Rule configuration to enter the rule configuration page.

System Rules

On the rule configuration page, enable or disable system rules and custom rules. Click Rule name to view all types of system rules, as shown in the figure below. Users can also disable certain types of system rules through this page.


Custom Rules

In addition to the system rules provided by TCSS, you can create custom rules. On the rule configuration page, click Create rule, configure the relevant parameters, and click Save.

Basic Configuration: The name of the custom rule and the switch for enabling or disabling it.
Rule Configuration: Configure the alarm fields and the allowlist fields in this section. When configuring alarm fields, you must also configure the threat level for the rule.
When you need more than one configuration item, click Add rule at the bottom.
To configure the specific content of a rule, click Edit in the matching range column. Rule configuration supports regular expressions.
Effective Range: Select the cluster range in which the custom rule takes effect.
Note: Only one custom rule can be bound to a given cluster. If multiple detection rules are needed for one cluster, it is recommended to edit them and add them within the same rule.
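As an added illustration of the detection model this page describes (custom rules as regular expressions over K8s API request fields with an effective cluster range, an allowlist entry that suppresses alarms for a request confirmed as normal, and the daily aggregation by cluster and hit rule shown in the event list), the following Python script runs a few system-style rules over sample Kubernetes audit events. This is example code, not TCSS's own implementation, whose rule logic is not published here. The audit lines, cluster IDs, the three system rule predicates (a subset of the nine rule types), the sensitive-path list, and the FieldRule, evaluate and aggregate names are all constructed assumptions.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample audit lines in the standard Kubernetes audit.k8s.io/v1 event
# shape, each tagged with a made-up cluster ID the way a log collector would tag it.
SAMPLE_LOG = [
    ("cls-example1", '{"verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},'
                     '"userAgent":"curl/8.4.0","objectRef":{"resource":"secrets","namespace":"kube-system"},'
                     '"responseStatus":{"code":403}}'),
    ("cls-example1", '{"verb":"create","user":{"username":"dev@example.com"},"userAgent":"kubectl/v1.29.0",'
                     '"objectRef":{"resource":"pods","namespace":"default","name":"web-0","subresource":"exec"},'
                     '"responseStatus":{"code":101}}'),
    ("cls-example2", '{"verb":"create","user":{"username":"ci-bot"},"userAgent":"python-requests/2.31",'
                     '"objectRef":{"resource":"pods","namespace":"default","name":"dbg"},'
                     '"requestObject":{"spec":{"volumes":[{"name":"root","hostPath":{"path":"/"}}]}},'
                     '"responseStatus":{"code":201}}'),
    ("cls-example1", '{"verb":"get","user":{"username":"dev@example.com"},"userAgent":"kubectl/v1.29.0",'
                     '"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200}}'),
    ("cls-example2", '{"verb":"create","user":{"username":"system:serviceaccount:monitoring:scanner"},'
                     '"userAgent":"python-requests/2.31","objectRef":{"resource":"pods","namespace":"monitoring",'
                     '"name":"scan-1"},"responseStatus":{"code":201}}'),
]

# Assumed host paths whose mounting counts as a "sensitive path mount".
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/root", "/var/run/docker.sock")


def get_field(event: dict, path: str):
    """Resolve a dotted path such as 'user.username' inside one audit event."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def is_sensitive_path(path: str) -> bool:
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def mounts_sensitive_host_path(event: dict) -> bool:
    """Pod creation whose spec mounts a hostPath under a sensitive prefix."""
    if event.get("verb") != "create" or get_field(event, "objectRef.resource") != "pods":
        return False
    volumes = get_field(event, "requestObject.spec.volumes") or []
    return any(is_sensitive_path((v.get("hostPath") or {}).get("path", "")) for v in volumes)


# Illustrative subset of the nine system rule types: (name, threat level, predicate).
SYSTEM_RULES: list[tuple[str, str, Callable[[dict], bool]]] = [
    ("anonymous access", "high",
     lambda e: get_field(e, "user.username") == "system:anonymous"
     or "system:unauthenticated" in (get_field(e, "user.groups") or [])),
    ("command execution", "high",
     lambda e: e.get("verb") == "create"
     and get_field(e, "objectRef.subresource") in ("exec", "attach")),
    ("sensitive path mounts", "high", mounts_sensitive_host_path),
]


@dataclass
class FieldRule:
    """A custom rule or an allowlist entry: every field regex must match, and the
    entry applies only to clusters in its effective range (empty = all clusters)."""
    name: str
    fields: dict
    level: str = "medium"
    clusters: frozenset = frozenset()
    enabled: bool = True

    def matches(self, cluster_id: str, event: dict) -> bool:
        if not self.enabled or (self.clusters and cluster_id not in self.clusters):
            return False
        return all(re.search(pattern, str(get_field(event, path) or ""))
                   for path, pattern in self.fields.items())


# Custom rule: alarm on scripted HTTP clients, effective only on cls-example2.
CUSTOM_RULES = [FieldRule("scripted client", {"userAgent": r"^python-requests/"},
                          level="medium", clusters=frozenset({"cls-example2"}))]

# Allowlist entry pre-filled from a reviewed event: the alarm fields plus its cluster.
ALLOWLIST = [FieldRule("monitoring scanner",
                       {"user.username": r"^system:serviceaccount:monitoring:scanner$",
                        "userAgent": r"^python-requests/"},
                       clusters=frozenset({"cls-example2"}))]


def evaluate(log, custom_rules, allowlist):
    """Return one alert per (event, matched rule); allowlisted events raise none."""
    alerts = []
    for cluster_id, line in log:
        event = json.loads(line)
        if any(entry.matches(cluster_id, event) for entry in allowlist):
            continue
        user = get_field(event, "user.username")
        for name, level, predicate in SYSTEM_RULES:
            if predicate(event):
                alerts.append({"cluster": cluster_id, "rule": name, "type": "system", "level": level, "user": user})
        for rule in custom_rules:
            if rule.matches(cluster_id, event):
                alerts.append({"cluster": cluster_id, "rule": rule.name, "type": "custom", "level": rule.level, "user": user})
    return alerts


def aggregate(alerts):
    """Aggregation key used by the event list: (cluster, hit rule) -> alarm count."""
    counts = {}
    for alert in alerts:
        key = (alert["cluster"], alert["rule"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = evaluate(SAMPLE_LOG, CUSTOM_RULES, ALLOWLIST)
    for alert in found:
        print(alert)
    print(aggregate(found))
```

Running the script yields four alerts: anonymous access and command execution on cls-example1, and sensitive path mounts plus the custom "scripted client" rule on cls-example2. The scanner service account's request on cls-example2 would also hit the custom rule, but the allowlist entry, scoped to the alarm fields and that cluster, suppresses it; the same request from any other cluster would still alarm, which is why the page advises adjusting the effective cluster range with care.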

TKE K8s Cluster Enabling the Audit Process

When the audit feature of the cluster is not enabled, the audit logs of the K8s APIs cannot be collected for risk detection.
Note:
After the cluster audit is enabled, CLS will bill according to your actual usage. For billing standards, see the CLS billing overview.
1. On the TKE console's Operation and Maintenance Feature Management Page, select the cluster for which you need to enable auditing, and click Set.

2. On the feature setting page, click Edit of the Cluster Auditing feature.

3. Check Enable Cluster Auditing, and click Confirm.