Kubernetes Client Certificate Signing Request Created or Approved

Last updated 10 days ago on 2026-05-05
Created 10 days ago on 2026-05-05

About

Detects creation or approval of a Kubernetes CertificateSigningRequest (CSR) by a non-system identity. Attackers who have gained cluster access can submit a CSR with a privileged Common Name such as system:kube-controller-manager or system:masters, then approve it themselves to obtain a long-lived client certificate. Unlike service account tokens, which expire in hours, client certificates persist until they expire or the cluster CA is rotated, providing durable access that survives pod termination, token revocation, and RBAC changes. On non-EKS clusters, the signed certificate allows the attacker to authenticate as the privileged identity from anywhere without needing cluster network access, making it one of the most persistent backdoor mechanisms available in Kubernetes.
Tags
Data Source: Kubernetes
Domain: Kubernetes
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)

Privilege Escalation (TA0004)

False Positive Examples
Approved certificate workflows (for example cert-manager, internal PKI rotation, or node bootstrap) may create or update CSRs from identities not in the exclusion list if they run under a custom service account. Baseline the automation that legitimately approves CSRs in your environment and add exclusions for those principals.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-kubernetes.audit_logs-*
Related Integrations

kubernetes

Query
data_stream.dataset:"kubernetes.audit_logs" and kubernetes.audit.objectRef.resource:"certificatesigningrequests" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and not user.name:( system\:kube-controller-manager or system\:kube-scheduler or system\:node\:* or system\:serviceaccount\:kube-system\:* or eks\:* or aksService )
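To make the query's clauses concrete, the following is an added example, not Elastic's code and not part of the rule page: it re-implements the KQL above as a Python predicate and runs it over constructed, flattened audit events. The event dictionaries, user names and the extra_excluded_users parameter are assumptions for illustration; the parameter shows how the tuning suggested under False Positive Examples looks as an additional exclusion pattern. Approval of a CSR is recorded by the API server as an update to the approval subresource, which is why the verbs update and patch are part of the rule and not only create.

```python
"""Re-implementation of the rule's KQL as a Python predicate, evaluated over
constructed Kubernetes audit events (added example; not Elastic's code)."""
from collections.abc import Iterable
from fnmatch import fnmatchcase

# Identities excluded by the query (the KQL escapes ':' as '\:'; unescaped here).
DEFAULT_EXCLUDED_USERS = (
    "system:kube-controller-manager",
    "system:kube-scheduler",
    "system:node:*",
    "system:serviceaccount:kube-system:*",
    "eks:*",
    "aksService",
)
CSR_VERBS = {"create", "update", "patch"}


def user_excluded(user: str, patterns: Iterable[str]) -> bool:
    """KQL-style wildcard match: '*' matches any run of characters, case-sensitive."""
    return any(fnmatchcase(user, pattern) for pattern in patterns)


def matches_rule(event: dict, extra_excluded_users: Iterable[str] = ()) -> bool:
    """True when a flattened audit event satisfies every clause of the query.

    extra_excluded_users is an assumed tuning hook for principals such as a
    cert-manager service account that legitimately create or approve CSRs."""
    if event.get("data_stream.dataset") != "kubernetes.audit_logs":
        return False
    if event.get("kubernetes.audit.objectRef.resource") != "certificatesigningrequests":
        return False
    if event.get("kubernetes.audit.verb") not in CSR_VERBS:
        return False
    if event.get("kubernetes.audit.annotations.authorization_k8s_io/decision") != "allow":
        return False
    user = event.get("user.name", "")
    return not user_excluded(user, (*DEFAULT_EXCLUDED_USERS, *extra_excluded_users))


def make_event(user, verb, resource="certificatesigningrequests", decision="allow",
               dataset="kubernetes.audit_logs", subresource=None) -> dict:
    """Build a constructed audit event using the field names the query references."""
    event = {
        "data_stream.dataset": dataset,
        "kubernetes.audit.objectRef.resource": resource,
        "kubernetes.audit.verb": verb,
        "kubernetes.audit.annotations.authorization_k8s_io/decision": decision,
        "user.name": user,
    }
    if subresource:  # approval/status are recorded as subresource updates
        event["kubernetes.audit.objectRef.subresource"] = subresource
    return event


# Constructed sample events (user names and IPs are made up for this example).
SAMPLE_EVENTS = [
    make_event("alice", "create"),                                   # human submits CSR
    make_event("alice", "update", subresource="approval"),           # human self-approves
    make_event("system:kube-controller-manager", "update", subresource="status"),  # signer
    make_event("system:node:ip-10-0-1-23", "create"),                # kubelet cert rotation
    make_event("system:serviceaccount:kube-system:csr-approver", "update"),
    make_event("bob", "get"),                                        # read-only, no verb match
    make_event("carol", "create", decision="forbid"),                # denied by RBAC
    make_event("system:serviceaccount:cert-manager:cert-manager", "create"),  # custom automation
    make_event("dave", "create", dataset="kubernetes.events"),       # wrong dataset
]


def alerting_users(events: Iterable[dict], extra_excluded_users: Iterable[str] = ()) -> list:
    """Return the user.name of every event the rule would alert on, in order."""
    return [e["user.name"] for e in events if matches_rule(e, extra_excluded_users)]


if __name__ == "__main__":
    print("default exclusions:", alerting_users(SAMPLE_EVENTS))
    print("with cert-manager excluded:",
          alerting_users(SAMPLE_EVENTS, ("system:serviceaccount:cert-manager:*",)))
```

With the default exclusion list the cert-manager service account alerts alongside the human user, which is the false positive the page describes; adding a pattern for that principal to the exclusion list silences it while both of alice's events still fire.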

Install detection rules in Elastic Security

Detect Kubernetes Client Certificate Signing Request Created or Approved in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.