RBAC Risks

RBAC Risks

Secrets

Verb get, list and watch disclose the contents

Be very careful when allowing access to secrets

Workload creation

New pods can use existing service accounts

Pods obtain permissions of service accounts …even without pods/exec

Namespace modification

Verb patch on namespace allows changing labels …

…and disabling of pod security admission as well as network policies

RBAC Risks

Escalate verb

Allows changing (Cluster)Roles

```yaml [8-12] apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: escalate rules:

• apiGroups:
  • “rbac.authorization.k8s.io” resources:
  • clusterroles
  • roles verbs:
  • escalate ```

Full example

RBAC Risks

Bind verb

Allows creating (Cluster)RoleBindings (Cluster)Roles

```yaml [8-12] apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: bind rules:

• apiGroups:
  • “rbac.authorization.k8s.io” resources:
  • clusterroles
  • roles verbs:
  • bind ```

Full example

RBAC Risks

Impersonate verb

Verb impersonate on service accounts allows impersonating

```yaml [8-11] apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: impersonate rules:

• apiGroups:
  • ”” resources:
  • serviceaccounts verbs:
  • impersonate ```

Full example

RBAC Risks

Verbs

Wildcard * for verb allows escalate, bind and impersonate as well

```yaml [10-11] apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: bind rules:

• apiGroups:
  • “*” resources:
  • “*” verbs:
  • “*” ```

Do not use wildcards at all