Excessive permissions to escalate roles

ID

rbac_escalate_role

Severity

low

Vendor

Kubernetes

Resource

RBAC

Tags

reachable

Description

Kubernetes RBAC is a key security control to ensure that cluster users and workloads have only the access to resources required to execute their roles.

Generally, the RBAC system prevents users from creating ClusterRoles that grant more rights than the user themselves holds. The exception to this is the escalate verb: users who hold this verb on roles or clusterroles can effectively escalate their own privileges.

Such Roles and ClusterRoles can add arbitrary permissions to arbitrary identities. Escalating Roles can add permissions over a namespace, while escalating ClusterRoles can add permissions over the entire cluster.

Learn more about this topic at Kubernetes RBAC - privilege escalation risks.

Examples

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    verbs: ["get"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    verbs: ["escalate"] # (1)
1 Use of the escalate verb over ClusterRoles.

Mitigation / Fix

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good # (1)
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    verbs: ["get"]
1 Excessive permission removed.
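As an added example (not part of this rule page or of Kubernetes), a small Python check that applies the Description to the two manifests above: it flags any rule granting the escalate verb on roles or clusterroles in the rbac.authorization.k8s.io API group, treats wildcard apiGroups, resources or verbs as matches, and reports whether the reach is one namespace (Role) or the whole cluster (ClusterRole). Manifests are represented as Python dicts, the shape a YAML loader produces, so no third-party library is needed; the names bad, good and wild are constructed.

```python
# Added example, not the rule page's own code. Manifests are plain dicts (the
# shape a YAML loader yields) so this runs without PyYAML; names are constructed.
RBAC_GROUP = "rbac.authorization.k8s.io"
ROLE_RESOURCES = ("roles", "clusterroles")

def _allows(values, wanted):
    # A rule field matches if it names the value or uses the "*" wildcard.
    return "*" in values or wanted in values

def escalating_rules(manifest):
    # Return (rule index, resource) for every rule that permits `escalate` on
    # roles or clusterroles, including rules that reach it through wildcards.
    hits = []
    for i, rule in enumerate(manifest.get("rules", [])):
        if not _allows(rule.get("apiGroups", []), RBAC_GROUP):
            continue  # "" or an empty list is the core API group, not RBAC
        if not _allows(rule.get("verbs", []), "escalate"):
            continue
        for res in ROLE_RESOURCES:
            if _allows(rule.get("resources", []), res):
                hits.append((i, res))
    return hits

def assess(manifest):
    # None when clean; otherwise the offending rules and how far the escalation
    # reaches (a Role is namespaced, a ClusterRole applies cluster-wide).
    hits = escalating_rules(manifest)
    if not hits:
        return None
    scope = "cluster" if manifest.get("kind") == "ClusterRole" else "namespace"
    return {"name": manifest["metadata"]["name"], "scope": scope, "rules": hits}

# Constructed inputs: the page's "bad" and "good" ClusterRoles, plus a namespaced
# Role that reaches `escalate` only through wildcards.
BAD = {"kind": "ClusterRole", "metadata": {"name": "bad"}, "rules": [
    {"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"], "verbs": ["get"]},
    {"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"], "verbs": ["escalate"]},
]}
GOOD = {"kind": "ClusterRole", "metadata": {"name": "good"}, "rules": [
    {"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"], "verbs": ["get"]},
]}
WILD = {"kind": "Role", "metadata": {"name": "wild", "namespace": "dev"},
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}

if __name__ == "__main__":
    for m in (BAD, GOOD, WILD):
        print(m["metadata"]["name"], "->", assess(m))
```

The wildcard case matters in practice: a Role with `verbs: ["*"]` on `resources: ["*"]` in the RBAC group carries escalate just as surely as the explicit verb, so a check that only string-matches "escalate" will miss it.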