GKE Suspicious Assignment of Controller Service Account

Last updated 9 days ago on 2026-07-10
Created 9 days ago on 2026-07-10

About

Detects a request to attach a built-in kube-controller-manager service account to a pod running in the kube-system namespace on GKE. These service accounts are admin-equivalent and are not normally assigned to arbitrary pods. An attacker who can create pods in kube-system can abuse these tokens for cluster-wide privilege escalation.
Tags
Domain: CloudDomain: KubernetesData Source: GCPData Source: Google Cloud PlatformUse Case: Threat DetectionTactic: ExecutionTactic: Privilege EscalationLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Privilege Escalation (TA0004)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

False Positive Examples
Built-in controller service accounts are rarely assigned to running pods. False positives should be rare; allowlist documented platform automation by actor when baselined.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-gcp.audit-*
Related Integrations

gcp(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset:gcp.audit and service.name:"k8s.io" and event.outcome:success and event.action:"io.k8s.core.v1.pods.create" and gcp.audit.request.metadata.namespace:"kube-system" and gcp.audit.request.spec.serviceAccountName:( attachdetach-controller or certificate-controller or cloud-provider or clusterrole-aggregation-controller or cronjob-controller or daemon-set-controller or deployment-controller or disruption-controller or endpoint-controller or expand-controller or generic-garbage-collector or horizontal-pod-autoscaler or job-controller or namespace-controller or node-controller or persistent-volume-binder or pod-garbage-collector or pv-protection-controller or pvc-protection-controller or replicaset-controller or replication-controller or resourcequota-controller or root-ca-cert-publisher or route-controller or service-account-controller or service-controller or statefulset-controller or ttl-controller )

Install detection rules in Elastic Security

Detect GKE Suspicious Assignment of Controller Service Account in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).