Verbs get, list and watch disclose the contents of secrets
Be very careful when allowing access to secrets
New pods can use existing service accounts
Pods obtain the permissions of their service account… even without pods/exec
Verb patch on namespaces allows changing labels… and thereby disabling pod security admission as well as network policies
Verb escalate allows changing (Cluster)Roles
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: escalate
rules:
```
Verb bind allows creating (Cluster)RoleBindings to (Cluster)Roles
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bind
rules:
```
Verb impersonate on ServiceAccount allows impersonating
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonate
rules:
```
Wildcard * for verb allows escalate, bind and impersonate as well
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bind
rules:
```
Avoid wildcards whenever possible
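An added audit script, not from the slides, that flags the escalation paths listed above in Role/ClusterRole manifests; the manifests are constructed in the shape `kubectl get clusterroles -o json` returns, and the check table, messages and function names are this example's own (apiGroups are deliberately not checked).

```python
# Added example (not from the slides); the manifests below are constructed.
# (resources, verbs, why): a rule granting any listed verb on any listed resource
# ("*" counts for either) is reported. apiGroups are not checked, a simplification:
# these resource names are unambiguous in practice.
CHECKS = [
    ({"secrets"}, {"get", "list", "watch"}, "discloses secret contents"),
    ({"pods", "pods/exec"}, {"create"}, "new pods inherit existing ServiceAccount permissions"),
    ({"namespaces"}, {"patch", "update"}, "namespace labels: can disable pod security admission / NetworkPolicy"),
    ({"roles", "clusterroles"}, {"escalate"}, "can change (Cluster)Roles"),
    ({"roles", "clusterroles"}, {"bind"}, "can create (Cluster)RoleBindings to (Cluster)Roles"),
    ({"serviceaccounts", "users", "groups"}, {"impersonate"}, "can impersonate identities"),
]

def _matches(granted, wanted):
    # "*" grants everything, so it satisfies every check.
    return "*" in granted or bool(granted & wanted)

def audit_rule(rule):
    """Return one message per escalation path a single RBAC rule opens."""
    resources, verbs = set(rule.get("resources", [])), set(rule.get("verbs", []))
    findings = []
    if "*" in verbs:
        findings.append("wildcard verb: implies escalate, bind and impersonate")
    for res, risky, why in CHECKS:
        if _matches(resources, res) and _matches(verbs, risky):
            findings.append(f"{sorted(res & resources) or ['*']} {sorted(verbs & risky) or ['*']}: {why}")
    return findings

def audit_role(role):
    """Audit every rule of a Role/ClusterRole manifest; [] means nothing was flagged."""
    tag = f"{role['kind']}/{role['metadata']['name']}"
    return [f"{tag}: {f}" for rule in role.get("rules", []) for f in audit_rule(rule)]

SAMPLE_ROLES = [  # constructed manifests
    {"kind": "ClusterRole", "metadata": {"name": "escalate"}, "rules": [
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"], "verbs": ["escalate"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "reader"}, "rules": [
        {"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "configmap-reader"}, "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}]},
]

if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        for line in audit_role(role) or [f"{role['kind']}/{role['metadata']['name']}: ok"]:
            print(line)
```

Run it against `kubectl get roles,clusterroles -A -o json` items to review every rule in a cluster; only the wildcard role should produce a finding for each check.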