Verb get, list and watch disclose the contents of secrets
Be very careful when allowing access to secrets
New pods can use existing service accounts
Pods obtain the permissions of their service accounts, even without pods/exec
Verb patch on namespaces allows changing labels, and thereby disabling pod security admission as well as network policies
Verb escalate allows changing (Cluster)Roles
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: escalate
rules:
# rule body reconstructed from the slide text; only the header survived extraction
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "clusterroles"]
  # combined with update/patch on the same resources, escalate lifts the check
  # that stops a subject from writing permissions it does not hold itself
  verbs: ["escalate"]
```
Verb bind allows creating (Cluster)RoleBindings to (Cluster)Roles
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bind
rules:
# rule body reconstructed from the slide text; only the header survived extraction
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "clusterroles"]
  # combined with create on (cluster)rolebindings, bind lets the subject reference
  # roles whose permissions it does not hold itself
  verbs: ["bind"]
```
Verb impersonate on service accounts allows impersonating them
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonate
rules:
# rule body reconstructed from the slide text; only the header survived extraction
- apiGroups: [""]
  resources: ["serviceaccounts"]
  # the subject can act as any service account this rule matches
  verbs: ["impersonate"]
```
Wildcard * as verb allows escalate, bind and impersonate as well
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bind
rules:
# rule body reconstructed from the slide text; only the header survived extraction
- apiGroups: ["*"]
  resources: ["*"]
  # "*" silently includes escalate, bind and impersonate
  verbs: ["*"]
```
Do not use wildcards at all
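As an added example (not from these slides), a small audit script that flags the risky verbs discussed above in roles exported with `kubectl get clusterroles -o json`; the sample document is constructed, and the table of risky verbs is this example's own.

```python
import json

# (apiGroup, resource, verb) -> why it is risky; "" is the core API group.
RISKY_VERBS = {
    ("", "secrets", "get"): "discloses secret contents",
    ("", "secrets", "list"): "discloses secret contents",
    ("", "secrets", "watch"): "discloses secret contents",
    ("", "pods", "create"): "new pods inherit the permissions of existing service accounts",
    ("", "namespaces", "patch"): "relabelling can switch off pod security admission and network policies",
    ("", "serviceaccounts", "impersonate"): "allows acting as any matching service account",
    ("rbac.authorization.k8s.io", "roles", "escalate"): "allows granting permissions the subject does not hold",
    ("rbac.authorization.k8s.io", "clusterroles", "escalate"): "allows granting permissions the subject does not hold",
    ("rbac.authorization.k8s.io", "roles", "bind"): "allows binding roles the subject could not write itself",
    ("rbac.authorization.k8s.io", "clusterroles", "bind"): "allows binding roles the subject could not write itself",
}


def _covers(patterns, value):
    """RBAC semantics: a rule entry of "*" matches any group, resource or verb."""
    return any(p == "*" or p == value for p in patterns)


def risky_rules(role):
    """Return sorted (resource, verb, reason) triples for one Role/ClusterRole dict."""
    hits = set()
    for rule in role.get("rules") or []:
        # a wildcard verb is reported on its own: it silently includes escalate, bind and impersonate
        if "*" in rule.get("verbs", []):
            hits.add(("*", "*", "wildcard verb: includes escalate, bind and impersonate"))
        for (group, resource, verb), reason in RISKY_VERBS.items():
            if (_covers(rule.get("apiGroups", []), group)
                    and _covers(rule.get("resources", []), resource)
                    and _covers(rule.get("verbs", []), verb)):
                hits.add((resource, verb, reason))
    return sorted(hits)


def audit(roles_json):
    """Map role name -> findings for a `kubectl get clusterroles -o json` style document."""
    return {r["metadata"]["name"]: risky_rules(r) for r in json.loads(roles_json)["items"]}


# constructed sample document shaped like the kubectl output; not from a real cluster
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "role-admin"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"], "verbs": ["*"]}]},
    {"metadata": {"name": "configmap-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}]},
]})

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", findings or "clean")
```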