Manage ClusterRoleBindings (create, update, patch, delete)
Elevation of Privilege
Critical
Overview
Field | Value |
---|---|
ID | 1028 |
Name | Manage ClusterRoleBindings (create, update, patch, delete) |
Risk Category | Elevation of Privilege |
Risk Level | Critical |
Role Type | ClusterRole |
API Groups | rbac.authorization.k8s.io |
Resources | clusterrolebindings |
Verbs | create, update, patch, delete |
Tags | BindingToPrivilegedRole ClusterAdminAccess PrivilegeEscalation RBACManipulation |
Description
Permits creating, modifying, or deleting ClusterRoleBindings. This allows an attacker to bind any user, group, or service account to any ClusterRole (including highly privileged ones like cluster-admin), effectively granting arbitrary cluster-wide permissions and leading to privilege escalation.
Abuse Scenarios
- Create a ClusterRoleBinding to grant cluster-admin to a service account.

```bash
kubectl create -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pwned-cluster-admin-binding
subjects:
- kind: ServiceAccount
  name: <serviceaccount-name>
  namespace: <namespace>
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
EOF
# Example: kubectl create -f - <<EOF ... EOF (bind 'default' SA in 'default' namespace to cluster-admin)
```

- Delete a ClusterRoleBinding, revoking cluster-wide permissions.

```bash
kubectl delete clusterrolebinding <clusterrolebinding-name>
# Example: kubectl delete clusterrolebinding system:kube-controller-manager
```
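Added example (not part of this catalogue entry) covering the detection side of the description and the scenarios above: one function audits `kubectl get clusterrolebindings -o json` output for subjects bound to cluster-admin outside an expected set, the other classifies an API-server audit event as a ClusterRoleBinding create/update/patch/delete worth alerting on. The sample binding list, the audit event and the `EXPECTED_ADMIN_SUBJECTS` allowlist are constructed assumptions to be tuned per cluster.

```python
import json
# Constructed sample shaped like `kubectl get clusterrolebindings -o json`:
# one stock binding, one like the abuse scenario above, one unrelated binding.
SAMPLE_CRBS = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "pwned-cluster-admin-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
    {"metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]})
# Constructed API-server audit event for the create in the abuse scenario.
SAMPLE_EVENT = json.dumps({
    "verb": "create", "stage": "ResponseComplete",
    "user": {"username": "system:serviceaccount:dev:ci-runner"},
    "objectRef": {"resource": "clusterrolebindings", "name": "pwned-cluster-admin-binding",
                  "apiGroup": "rbac.authorization.k8s.io"},
    "responseStatus": {"code": 201}})
# Subjects that legitimately hold cluster-admin; tune per cluster (assumption).
EXPECTED_ADMIN_SUBJECTS = {("Group", "system:masters")}
MUTATING_VERBS = {"create", "update", "patch", "delete"}

def find_unexpected_admin_bindings(crb_json, expected=EXPECTED_ADMIN_SUBJECTS):
    """(binding, kind, namespace, name) for each cluster-admin subject not in expected."""
    findings = []
    for crb in json.loads(crb_json).get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for s in crb.get("subjects") or []:  # subjects may be absent or null
            if (s["kind"], s["name"]) not in expected:
                findings.append((crb["metadata"]["name"], s["kind"],
                                 s.get("namespace", ""), s["name"]))
    return findings

def is_crb_mutation(event):
    """True for a completed, successful create/update/patch/delete of a ClusterRoleBinding."""
    if isinstance(event, str):
        event = json.loads(event)
    obj = event.get("objectRef", {})
    return (event.get("stage") == "ResponseComplete"
            and event.get("verb") in MUTATING_VERBS
            and obj.get("resource") == "clusterrolebindings"
            and obj.get("apiGroup") == "rbac.authorization.k8s.io"
            and event.get("responseStatus", {}).get("code", 0) < 300)

if __name__ == "__main__":
    print(find_unexpected_admin_bindings(SAMPLE_CRBS))  # flags the pwned binding
    print(is_crb_mutation(SAMPLE_EVENT))                # True
```

Feed the first function real `kubectl get clusterrolebindings -o json` output and the second each event from an audit log with `objectRef` populated (Request or RequestResponse level for the rbac.authorization.k8s.io group).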