
Kubernetes RBAC

Status: Final

Kubernetes Role-Based Access Control (RBAC) controls what API operations a subject (user, service account, or group) can perform on what resources. Misconfigured RBAC is the primary privilege escalation surface in Kubernetes clusters.


Core Objects

| Object | Scope | Purpose |
| --- | --- | --- |
| Role | Namespace | Permissions on namespaced resources |
| ClusterRole | Cluster-wide | Permissions on cluster-scoped or all-namespace resources |
| RoleBinding | Namespace | Binds a Role or ClusterRole to subjects in a namespace |
| ClusterRoleBinding | Cluster-wide | Binds a ClusterRole to subjects cluster-wide |

Dangerous Permissions

| Permission | Why Dangerous |
| --- | --- |
| cluster-admin ClusterRoleBinding | Full cluster control — equivalent to root |
| get secrets in kube-system | Read service account tokens and credentials |
| create pods | Run privileged pod → host escape |
| create/patch rolebindings | Grant yourself any permission |
| impersonate | Act as any user, service account, or group |
| exec into pods | Arbitrary command execution in running containers |
| * (wildcard verb on any resource) | Catch-all escalation |
| escalate verb on roles | Create bindings with permissions exceeding your own |

Common Privilege Escalation Paths

1. Has "create pods" → create privileged pod with hostPID/hostNetwork → access node → steal node credentials
2. Has "get secrets" in kube-system → steal service account tokens → escalate via higher-privileged SAs
3. Has "patch rolebindings" → add yourself to cluster-admin binding
4. Has "impersonate" → impersonate cluster-admin directly

Audit Logging

The Kubernetes API server audit log records every API request selected by the configured audit policy. The fields most useful for detection are:

  • verb: get, list, create, patch, delete
  • user.username: who made the request
  • objectRef: what resource
  • responseStatus.code: HTTP response

Key events to monitor:

  • create/patch on rolebindings, clusterrolebindings
  • exec into pods (especially in kube-system)
  • Service account token creation
  • Access to secrets in sensitive namespaces
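The monitoring list above turned into detection logic, as an added example (not code from the original page): it reads audit events in the JSON-lines format the API server writes and tags those matching the four categories. The sample events and the SENSITIVE_NAMESPACES set are constructed assumptions, not a real cluster capture.

```python
"""Added example (not from the original page): flag high-risk events in a
Kubernetes API server audit log (JSON lines of audit.k8s.io/v1 Events),
following the "key events to monitor" list above. SAMPLE_LOG is constructed."""
import json

SENSITIVE_NAMESPACES = {"kube-system"}  # assumption: extend per cluster
BINDING_RESOURCES = {"rolebindings", "clusterrolebindings"}


def classify(event: dict) -> list:
    """Return the alert tags that apply to one audit event ([] if benign)."""
    verb = event.get("verb", "")
    ref = event.get("objectRef") or {}
    resource, sub, ns = (ref.get(k, "") for k in ("resource", "subresource", "namespace"))
    code = (event.get("responseStatus") or {}).get("code", 0)
    tags = []
    if verb in {"create", "patch", "update"} and resource in BINDING_RESOURCES:
        tags.append("rbac-binding-change")
    if resource == "pods" and sub == "exec":  # kubectl exec is a create on pods/exec
        tags.append("pod-exec" + ("-sensitive-ns" if ns in SENSITIVE_NAMESPACES else ""))
    if resource == "serviceaccounts" and sub == "token" and verb == "create":
        tags.append("sa-token-request")  # TokenRequest API call
    if resource == "secrets" and verb in {"get", "list", "watch"} and ns in SENSITIVE_NAMESPACES:
        tags.append("sensitive-secret-read")
    if tags and code == 403:  # RBAC blocked it, but the attempt itself is a signal
        tags = [t + "(denied)" for t in tags]
    return tags


def scan(lines) -> list:
    """Return [(username, tags), ...] for every event that triggers at least one tag."""
    hits = []
    for line in filter(str.strip, lines):
        event = json.loads(line)
        if tags := classify(event):
            hits.append(((event.get("user") or {}).get("username", "<unknown>"), tags))
    return hits


def _ev(verb, user, resource, namespace, sub="", code=200):  # constructed minimal event
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
                       "user": {"username": user}, "responseStatus": {"code": code},
                       "objectRef": {"resource": resource, "namespace": namespace, "subresource": sub}})


SAMPLE_LOG = [  # constructed sample lines, not a real cluster capture
    _ev("patch", "dev-ci", "clusterrolebindings", ""),
    _ev("create", "alice", "pods", "kube-system", "exec"),
    _ev("create", "system:serviceaccount:default:app", "serviceaccounts", "default", "token"),
    _ev("get", "bob", "secrets", "kube-system", code=403),
    _ev("get", "bob", "pods", "default"),
]
```

Running `scan(SAMPLE_LOG)` flags the first four events and ignores the benign `get pods`; the 403 on the secrets read is reported with a `(denied)` suffix so blocked attempts are not lost.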

| Topic | Link |
| --- | --- |
| Kubernetes Service Accounts | k8s-service-accounts |
| SPIFFE / SPIRE | spiffe-spire |