Security Rules

A comprehensive list of security rules for Kubernetes RBAC configurations. Each rule identifies potential security risks.

| Rule ID | Category | Name | Risk Level |
|---|---|---|---|
| 1000 | Elevation of Privilege | Cluster-wide pod exec | Critical |
| 1001 | Elevation of Privilege | Namespaced pod exec | High |
| 1002 | Elevation of Privilege | Cluster-wide pod attach | Critical |
| 1003 | Elevation of Privilege | Namespaced pod attach | High |
| 1004 | Information Disclosure | Cluster-wide pod port-forward | High |
| 1005 | Information Disclosure | Namespaced pod port-forward | Medium |
| 1006 | Elevation of Privilege | Create pods cluster-wide | Critical |
| 1007 | Elevation of Privilege | Create pods in a namespace | High |
| 1008 | Elevation of Privilege | Update/Patch pods cluster-wide | Critical |
| 1009 | Elevation of Privilege | Update/Patch pods in a namespace | High |
| 1010 | Information Disclosure | Read secrets cluster-wide | Critical |
| 1011 | Information Disclosure | Read secrets in a namespace | Critical |
| 1012 | Tampering | Modify secrets cluster-wide | Critical |
| 1013 | Tampering | Modify secrets in a namespace | Critical |
| 1014 | Elevation of Privilege | Node proxy access (Kubelet API) | Critical |
| 1015 | Elevation of Privilege | Modify node configuration (labels, taints) | Critical |
| 1016 | Denial of Service | Delete nodes | Critical |
| 1017 | Tampering | Manage PersistentVolumes (cluster-wide storage manipulation) | Critical |
| 1018 | Information Disclosure | Read pod logs cluster-wide | High |
| 1019 | Information Disclosure | Read pod logs in a namespace | Medium |
| 1020 | Elevation of Privilege | Manage ephemeral containers cluster-wide | Critical |
| 1021 | Elevation of Privilege | Manage ephemeral containers in a namespace | High |
| 1022 | Information Disclosure | Read ConfigMaps cluster-wide | High |
| 1023 | Information Disclosure | Read ConfigMaps in a namespace | Medium |
| 1024 | Tampering | Modify ConfigMaps cluster-wide | Critical |
| 1025 | Tampering | Modify ConfigMaps in a namespace | High |
| 1026 | Denial of Service | Delete namespaces | High |
| 1027 | Elevation of Privilege | Manage ClusterRoles (create, update, patch, delete) | Critical |
| 1028 | Elevation of Privilege | Manage ClusterRoleBindings (create, update, patch, delete) | Critical |
| 1029 | Elevation of Privilege | Manage Roles in a namespace (create, update, patch, delete) | High |
| 1030 | Elevation of Privilege | Manage RoleBindings in a namespace (create, update, patch, delete) | High |
| 1031 | Elevation of Privilege | Escalate privileges via ClusterRoles (escalate verb) | Critical |
| 1032 | Elevation of Privilege | Bind ClusterRoles to identities (bind verb) | Critical |
| 1033 | Elevation of Privilege | Manage Deployments cluster-wide (potential for privileged pod execution) | Critical |
| 1034 | Elevation of Privilege | Manage Deployments in a namespace (potential for privileged pod execution) | High |
| 1035 | Elevation of Privilege | Manage DaemonSets cluster-wide (runs on all nodes, high impact) | Critical |
| 1036 | Elevation of Privilege | Manage DaemonSets in a namespace (runs on nodes, high impact) | Critical |
| 1037 | Elevation of Privilege | Manage StatefulSets cluster-wide | Critical |
| 1038 | Elevation of Privilege | Manage StatefulSets in a namespace | High |
| 1039 | Elevation of Privilege | Manage CronJobs cluster-wide (scheduled privileged execution, persistence) | Critical |
| 1040 | Elevation of Privilege | Manage CronJobs in a namespace (scheduled privileged execution, persistence) | High |
| 1041 | Elevation of Privilege | Manage Jobs cluster-wide (one-off privileged execution) | Critical |
| 1042 | Elevation of Privilege | Manage Jobs in a namespace (one-off privileged execution) | High |
| 1043 | Tampering | Manage MutatingWebhookConfigurations | Critical |
| 1044 | Tampering | Manage ValidatingWebhookConfigurations | Critical |
| 1045 | Tampering | Manage CustomResourceDefinitions | Critical |
| 1046 | Tampering | Manage APIServices | Critical |
| 1047 | Spoofing | Create ServiceAccount Tokens | Critical |
| 1048 | Spoofing | Create ServiceAccount Tokens (ClusterRole for any SA in any namespace) | Critical |
| 1049 | Information Disclosure | Create TokenReviews (validate arbitrary tokens) | Medium |
| 1050 | Information Disclosure | Create SubjectAccessReviews (check arbitrary permissions) | Medium |
| 1051 | Information Disclosure | Create LocalSubjectAccessReviews (check permissions in a namespace) | Low |
| 1052 | Elevation of Privilege | Approve CertificateSigningRequests | Critical |
| 1053 | Spoofing | Create CertificateSigningRequests | Medium |
| 1054 | Information Disclosure | Manage (get, list, watch, delete) CertificateSigningRequests | Medium |
| 1055 | Elevation of Privilege | Manage CSIDrivers (potential node compromise) | Critical |
| 1056 | Tampering | Manage StorageClasses | High |
| 1057 | Denial of Service | Evict Pods cluster-wide | Medium |
| 1058 | Denial of Service | Evict Pods in a namespace | Medium |
| 1059 | Elevation of Privilege | Manage RuntimeClasses | Critical |
| 1060 | Elevation of Privilege | Wildcard permission on all resources cluster-wide (Cluster Admin) | Critical |
| 1061 | Elevation of Privilege | Wildcard permission on all resources in a namespace (Namespace Admin) | Critical |
| 1062 | Spoofing | Manage ClusterIssuers (cert-manager.io) | Critical |
| 1063 | Tampering | Manage ArgoCD Applications (argoproj.io) | Critical |
| 1064 | NetworkManipulation | Manage Cilium ClusterwideNetworkPolicies (cilium.io) | Critical |
| 1065 | Information Disclosure | Manage ETCDSnapshotFiles (k3s.cattle.io) | Critical |
| 1066 | Elevation of Privilege | Impersonate users, groups, or service accounts (cluster-wide) | Critical |
| 1067 | Elevation of Privilege | Manage ServiceAccounts cluster-wide | High |
| 1068 | Elevation of Privilege | Manage ServiceAccounts in a namespace | Medium |
| 1069 | Tampering | Patch node status cluster-wide | High |
| 1070 | Information Disclosure | Read events cluster-wide | Medium |
| 1071 | NetworkManipulation | Manage NetworkPolicies cluster-wide | Critical |
| 1072 | NetworkManipulation | Manage NetworkPolicies in a namespace | High |
| 1073 | NetworkManipulation | Manage Endpoints or EndpointSlices cluster-wide | Critical |
| 1074 | NetworkManipulation | Manage Endpoints or EndpointSlices in a namespace | High |
| 1075 | NetworkManipulation | Manage Services cluster-wide | Critical |
| 1076 | NetworkManipulation | Manage Services in a namespace | High |
| 1077 | Information Disclosure | Read RBAC configuration cluster-wide | Medium |
| 1078 | Elevation of Privilege | Use privileged PodSecurityPolicy (deprecated) | Critical |
| 1079 | Denial of Service | Manage PodDisruptionBudgets cluster-wide | Medium |
| 1080 | Tampering | Manage Leases cluster-wide | Critical |
| 1081 | Tampering | Manage Leases in kube-system or kube-node-lease namespace | Critical |
| 1082 | Information Disclosure | List Namespaces (Cluster Reconnaissance) | Low |
| 1083 | Information Disclosure | List ValidatingWebhookConfigurations (Reconnaissance) | Medium |
| 1084 | Information Disclosure | List MutatingWebhookConfigurations (Reconnaissance) | Medium |
| 1085 | Tampering | Create/Update ControllerRevisions (Potential Tampering) | Medium |
| 1086 | Information Disclosure | Create SelfSubjectRulesReviews (Discover Own Permissions) | Low |
| 1087 | Information Disclosure | Read LimitRanges (Namespace Information Disclosure) | Low |
| 1088 | Information Disclosure | Read ResourceQuotas (Namespace Information Disclosure) | Low |
| 1089 | Information Disclosure | Read All ResourceQuotas (Cluster-wide Information Disclosure) | Medium |
| 1090 | Tampering | Update CertificateSigningRequest Status (Tampering/DoS) | Medium |
| 1091 | NetworkManipulation | Manage Ingresses (Namespace Service Exposure/Traffic Redirection) | High |
| 1092 | NetworkManipulation | Manage IngressClasses (Cluster-wide Traffic Control Tampering) | Critical |
| 1093 | Tampering | Update NetworkPolicy Status (Cluster-wide Tampering) | Medium |
| 1094 | Tampering | Update PodDisruptionBudget Status (Namespace Tampering/DoS) | Medium |
| 1095 | Information Disclosure | Read ComponentStatuses (Control Plane Reconnaissance) | Medium |
| 1096 | Denial of Service | Update Deployment Scale (Resource Abuse/DoS) | High |
| 1097 | Denial of Service | Update StatefulSet Scale (Resource Abuse/DoS) | High |
| 1098 | Denial of Service | Manage FlowSchemas (API Server DoS/Manipulation) | Critical |
| 1099 | Denial of Service | Manage PriorityLevelConfigurations (API Server DoS/Manipulation) | Critical |
| 1100 | Information Disclosure | Read CSINode Objects (Node & Storage Reconnaissance) | Medium |
| 1101 | Information Disclosure | Read CSIStorageCapacities (Namespace Storage Reconnaissance) | Low |
| 1102 | Tampering | Manage VolumeAttachments (Cluster-wide Storage/Node Manipulation) | Critical |
| 1103 | Information Disclosure | Watch All Resources in a Namespace (Broad Information Disclosure) | High |