LoFP LoFP / gitops and platform controllers (cert-manager, gatekeeper, kyverno, service mesh) legitimately manage webhooks. validate change tickets and controller identities before tuning.

Techniques

Sample rules

GKE Admission Webhook Created or Modified

Description

Detects creation or modification of GKE mutating or validating admission webhook configurations by non-system identities. Malicious webhooks can inject workloads, block security tooling, or intercept API traffic for persistence and defense evasion.

Detection logic

data_stream.dataset:gcp.audit and event.outcome:success and event.action:(
  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.create" or
  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.update" or
  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.patch" or
  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.create" or
  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.update" or
  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.patch"
) and not user.email:(
  "system:kube-controller-manager" or "system:kube-scheduler" or system\:serviceaccount\:kube-system\:* or
  system\:serviceaccount\:gke-managed-system\:* or system\:serviceaccount\:cert-manager\:* or
  system\:serviceaccount\:gatekeeper-system\:* or system\:serviceaccount\:kyverno\:* or "system:addon-manager" or
  *-operator or *-cainjector or *-webhook or *argocd* or "system:gke-common-webhooks"
)