RBAC Risks

Secrets

The verbs get, list and watch each disclose the contents of a Secret (list and watch return the full objects, not just names)

Be very careful when allowing access to secrets

Workload creation

New pods can run under any existing service account in the namespace

A pod obtains the permissions of its service account through the mounted token, so the right to create workloads grants those permissions even without pods/exec

Namespace modification

The patch verb on namespaces allows changing namespace labels

…which also allows disabling Pod Security Admission (its modes are configured via namespace labels) and any network policies that select namespaces by label


RBAC Risks

Escalate verb

Allows changing (Cluster)Roles to grant permissions the caller does not hold itself

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: escalate
rules:
  # rule completed from the slide text; the extracted snippet ended at "rules:"
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "clusterroles"]
    verbs: ["escalate"]
```

Full example


RBAC Risks

Bind verb

Allows creating (Cluster)RoleBindings that reference (Cluster)Roles whose permissions the caller does not hold itself

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bind
rules:
  # rules completed from the slide text; the extracted snippet ended at "rules:"
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings", "clusterrolebindings"]
    verbs: ["create"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "clusterroles"]
    verbs: ["bind"]
```

Full example


RBAC Risks

Impersonate verb

The impersonate verb on serviceaccounts allows acting as that service account, so the caller effectively gains its permissions

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonate
rules:
  # rule completed from the slide text; the extracted snippet ended at "rules:"
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["impersonate"]
```

Full example


RBAC Risks

Verbs

A wildcard * verb grants escalate, bind and impersonate as well, even if none of them is spelled out

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bind
rules:
  # rule completed from the slide text; the extracted snippet ended at "rules:"
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "clusterroles"]
    verbs: ["*"]   # includes escalate and bind on these resources
```

Avoid wildcards whenever possible
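To find the risks listed in these slides in an existing cluster, an audit of (Cluster)Role rules is a quick first check. The script below is an added example, not part of the slides: it flags the verb/resource combinations discussed above and runs offline over a constructed sample shaped like `kubectl get clusterroles -o json` output.

```python
import json

# Resource-specific verbs the slides call out as risky.
RISKY_BY_RESOURCE = {
    "secrets": {"get", "list", "watch"},   # each of these discloses secret contents
    "pods": {"create"},                     # a new pod inherits its service account's rights
    "namespaces": {"patch", "update"},      # label changes can switch off PSA and network policies
}
# Verbs that are dangerous on whatever resource they are granted for.
RISKY_VERBS = {"escalate", "bind", "impersonate"}


def audit_rule(rule):
    """Return the reasons one RBAC rule is risky; an empty list means no finding."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    reasons = []
    if "*" in verbs:
        reasons.append("wildcard verb implies escalate, bind and impersonate")
    for verb in sorted(verbs & RISKY_VERBS):
        reasons.append(f"verb {verb} on {', '.join(sorted(resources)) or '*'}")
    for res, bad in RISKY_BY_RESOURCE.items():
        if res in resources or "*" in resources:
            hit = verbs & (bad | {"*"})      # a wildcard verb also counts as a hit
            if hit:
                reasons.append(f"verb(s) {', '.join(sorted(hit))} on {res}")
    return reasons


def audit_roles(items):
    """items: Role/ClusterRole objects as returned by `kubectl get clusterroles -o json`."""
    findings = []
    for role in items:
        for rule in role.get("rules", []):
            for reason in audit_rule(rule):
                findings.append((role["metadata"]["name"], reason))
    return findings


# Constructed sample: four ClusterRoles, three of them risky.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "secret-reader"},
  "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
 {"metadata": {"name": "ns-editor"},
  "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["patch"]}]},
 {"metadata": {"name": "all-verbs"},
  "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles"], "verbs": ["*"]}]},
 {"metadata": {"name": "pod-viewer"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}]}""")

if __name__ == "__main__":
    for name, reason in audit_roles(SAMPLE["items"]):
        print(f"{name}: {reason}")
```

Feed it real data with `kubectl get clusterroles,roles -A -o json` and pass the `items` list; aggregated ClusterRoles and bindings to built-in roles still need a separate look.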