Kubernetes Config Credential
Detects embedded credentials inside a Kubernetes kubeconfig file - base64 client certificate / key data blocks and inline bearer tokens. A leaked kubeconfig grants cluster access at the scope of the embedded identity.
- Type: regex
- Engine: universal
- Confidence: medium
- Confidence justification: Medium confidence: the kubeconfig credential keys are distinctive, but base64 blocks and token fields appear in other contexts, so corroborative kubeconfig/kubernetes evidence is recommended.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth), Computer Fraud and Abuse Act, Computer Misuse Act 1990
- Frameworks: CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories: credentials, security
- Scope: narrow
- Risk rating: 9
- Platform compatibility: Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?i)(?<![A-Za-z0-9-])(?:client-certificate-data|client-key-data)\s*:\s*[A-Za-z0-9+/]{40,}={0,2}
Corroborative evidence keywords
kubeconfig, kubernetes, apiVersion, clusters, current-context, kubectl, certificate-authority-data
Proximity: 300 characters
Should match
- client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ2ekNDQVdXZ0F3SUJBZ0lVCg== — kubeconfig client certificate data (base64 PEM block)
- client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVB — kubeconfig client key data (base64 private key block)
- users: - name: admin user: client-certificate-data: QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVm — client-certificate-data inside a users block
Should not match
- certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t — CA data field is not a private credential (public cert)
- client-certificate-data: short — value too short to be a base64 credential block
- configure client-certificate-data in your kubeconfig before connecting — prose mention without an embedded value
Known false positives
- Public certificate-authority-data or other long base64 blobs near the trigger keys. Mitigation: Require corroborative kubeconfig/kubernetes keywords and exclude the public certificate-authority-data field.
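The rule above applied in code, as an added example that is not part of the original detector library: it runs the page's pattern, flags whether a corroborative keyword appears within the 300-character proximity window, and is exercised against constructed samples built from the page's should-match and should-not-match values (the function name and sample texts are assumptions).

```python
import re

# Detector pattern copied from the rule on this page.
PATTERN = re.compile(
    r"(?i)(?<![A-Za-z0-9-])(?:client-certificate-data|client-key-data)"
    r"\s*:\s*[A-Za-z0-9+/]{40,}={0,2}"
)
# Corroborative keywords and proximity window, as listed in the rule.
KEYWORDS = ("kubeconfig", "kubernetes", "apiVersion", "clusters",
            "current-context", "kubectl", "certificate-authority-data")
PROXIMITY = 300


def find_kubeconfig_credentials(text):
    """Return a list of (matched_text, corroborated) tuples.

    corroborated is True when any keyword lies within PROXIMITY characters
    of the hit; an uncorroborated hit should stay at medium confidence.
    Hits on certificate-authority-data never occur: the pattern only
    accepts the two client-* keys, so the public CA field is excluded.
    """
    hits = []
    for m in PATTERN.finditer(text):
        window = text[max(0, m.start() - PROXIMITY):m.end() + PROXIMITY]
        corroborated = any(k.lower() in window.lower() for k in KEYWORDS)
        hits.append((m.group(0), corroborated))
    return hits


# Constructed kubeconfig (hypothetical cluster; values from the page's examples).
SAMPLE_KUBECONFIG = """\
apiVersion: v1
kind: Config
clusters:
- name: dev
  cluster:
    server: https://127.0.0.1:6443
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t
users:
- name: admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ2ekNDQVdXZ0F3SUJBZ0lVCg==
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVB
current-context: dev
"""

# Constructed negatives mirroring the page's should-not-match cases.
SAMPLE_NEGATIVE = """\
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t
client-certificate-data: short
configure client-certificate-data in your kubeconfig before connecting
"""

# Constructed lone key with no kubeconfig context: matches, but uncorroborated.
SAMPLE_ORPHAN = "client-key-data: " + "A" * 44
```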