Manage ClusterRoles (create, update, patch, delete)
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1027 |
| Name | Manage ClusterRoles (create, update, patch, delete) |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | rbac.authorization.k8s.io |
| Resources | clusterroles |
| Risky Verb Combinations | [create] · [update] · [patch] · [delete] |
| Tags | ClusterAdminAccess PrivilegeEscalation RBACManipulation |
Description
Allows creating, modifying, or deleting ClusterRoles, the objects that define cluster-wide permissions. A holder can author a new ClusterRole with arbitrary rules, or use update/patch to widen a ClusterRole that is already bound to them, without touching any ClusterRoleBinding. The end state is self-granted cluster-admin-equivalent access and complete cluster compromise. One caveat matters when assessing real impact: the API server's RBAC escalation prevention rejects a create/update/patch of a ClusterRole unless the caller already holds every permission the resulting role contains, or holds the escalate verb on clusterroles (a wildcard verb of * includes escalate). Delete needs no such check, so it is always available to the holder.
Abuse Scenarios
- Create a new ClusterRole with cluster-admin privileges (accepted only if the caller already holds these permissions or has the escalate verb on clusterroles).
kubectl create -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pwned-cluster-admin
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
EOF
- Delete a critical ClusterRole, breaking the control-plane components or workloads that depend on it. Default system: ClusterRoles carrying the rbac.authorization.kubernetes.io/autoupdate: "true" annotation are recreated by the API server on its next start, so the outage lasts until then; custom ClusterRoles are not restored.
kubectl delete clusterrole <clusterrole-name>
# Example: kubectl delete clusterrole system:kube-controller-manager
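The check a reviewer wants after reading the scenarios above is an inventory of which ClusterRoles in a cluster actually grant these verbs on clusterroles, including via the * wildcard, and whether they also carry escalate. The script below is an added example, not code from the original page or from any Kubernetes project; the function names, the audit_clusterroles output shape and the SAMPLE document are assumptions made here. It consumes the JSON that `kubectl get clusterroles -o json` prints and, with no argument, runs on a constructed sample so it works offline.

```python
"""Audit ClusterRoles for permission to manage ClusterRoles (risk 1027).

Added example, not part of the original page or any project's own code.
Input is the JSON that `kubectl get clusterroles -o json` prints; a small
constructed sample is embedded so the script runs offline.
"""
import json
import sys

RBAC_GROUP = "rbac.authorization.k8s.io"
RISKY_VERBS = {"create", "update", "patch", "delete"}


def _grants(values, wanted):
    """True when a PolicyRule field names `wanted` or uses the "*" wildcard."""
    return "*" in values or wanted in values


def audit_clusterroles(doc):
    """Map each ClusterRole that can manage clusterroles to its risky verbs.

    Returns {name: {"verbs": [...], "escalate": bool}}. `escalate` records
    whether the same role also holds the escalate verb on clusterroles;
    without it the API server's escalation-prevention check only lets the
    holder write roles whose permissions it already has.
    """
    findings = {}
    for item in doc.get("items", []):
        name = item["metadata"]["name"]
        verbs, escalate = set(), False
        # Aggregated ClusterRoles that have matched nothing yet carry rules: null.
        for rule in item.get("rules") or []:
            if not (_grants(rule.get("apiGroups", []), RBAC_GROUP)
                    and _grants(rule.get("resources", []), "clusterroles")):
                continue
            rule_verbs = set(rule.get("verbs", []))
            if "*" in rule_verbs:  # wildcard covers every verb, escalate included
                rule_verbs = RISKY_VERBS | {"escalate"}
            verbs |= rule_verbs & RISKY_VERBS
            escalate = escalate or "escalate" in rule_verbs
        if verbs:
            findings[name] = {"verbs": sorted(verbs), "escalate": escalate}
    return findings


# Constructed sample shaped like `kubectl get clusterroles -o json` output (assumption).
SAMPLE = {
    "kind": "ClusterRoleList",
    "items": [
        {"metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                   {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
        {"metadata": {"name": "rbac-editor"},
         "rules": [{"apiGroups": [RBAC_GROUP],
                    "resources": ["roles", "clusterroles"],
                    "verbs": ["create", "patch"]}]},
        {"metadata": {"name": "clusterrole-viewer"},
         "rules": [{"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"],
                    "verbs": ["get", "list", "watch"]}]},
        {"metadata": {"name": "pod-reader"},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["get", "list"]}]},
        {"metadata": {"name": "aggregate-empty"}, "rules": None},
    ],
}


def main():
    # Usage: kubectl get clusterroles -o json > roles.json; python3 audit.py roles.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE
    for name, info in sorted(audit_clusterroles(doc).items()):
        flag = " (+escalate)" if info["escalate"] else ""
        print(f"{name}: {','.join(info['verbs'])}{flag}")


if __name__ == "__main__":
    main()
```

On the sample this reports cluster-admin with all four verbs plus escalate, and rbac-editor with create and patch but no escalate, meaning rbac-editor can only write ClusterRoles whose permissions it already holds. To confirm what a specific principal can do at the API, the same questions can be asked directly: `kubectl auth can-i create clusterroles --as=system:serviceaccount:<ns>:<sa>` and `kubectl auth can-i escalate clusterroles --as=...`.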