Overview

| Field | Value |
|---|---|
| ID | 1029 |
| Name | Manage Roles in a namespace (create, update, patch, delete) |
| Risk Category | Elevation of Privilege |
| Risk Level | High |
| Role Type | Role |
| API Groups | rbac.authorization.k8s.io |
| Resources | roles |
| Risky Verb Combinations | [create] · [update] · [patch] · [delete] |
| Tags | PrivilegeEscalation, RBACManipulation |

Description

Grants permission to create, modify, or delete Roles within a specific namespace. This allows an attacker to define or alter namespaced permissions, potentially granting themselves elevated access to resources within that namespace.

Abuse Scenarios

1. Create a new Role with full permissions within the namespace.

```bash
kubectl create -n <namespace> -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pwned-namespace-admin
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
```

2. Delete an existing Role, potentially disrupting application permissions.

```bash
kubectl delete role <role-name> -n <namespace>
# Example: kubectl delete role pod-reader -n default
```
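As an added defender-side check (not part of this catalog entry), the following script takes Role objects in the shape returned by `kubectl get roles -A -o json` (the `.items` list) and reports which of them grant the verb combination this entry describes: create, update, patch or delete on `roles` in `rbac.authorization.k8s.io`, with `*` wildcards treated as matching everything. The sample Roles embedded in it are constructed for illustration, including the wildcard Role from abuse scenario 1.

```python
# Added example: audit Role objects for the permission catalogued in ID 1029
# (create/update/patch/delete on "roles" in rbac.authorization.k8s.io).
from typing import Dict, List, Tuple

RBAC_GROUP = "rbac.authorization.k8s.io"
RISKY_VERBS = {"create", "update", "patch", "delete"}


def _covers(values: List[str], wanted: str) -> bool:
    # Kubernetes treats "*" in apiGroups/resources/verbs as matching everything.
    return "*" in values or wanted in values


def risky_verbs_on_roles(role: Dict) -> List[str]:
    """Return the sorted subset of RISKY_VERBS this Role grants on 'roles'."""
    found = set()
    for rule in role.get("rules") or []:
        if not _covers(rule.get("apiGroups", []), RBAC_GROUP):
            continue
        if not _covers(rule.get("resources", []), "roles"):
            continue
        verbs = rule.get("verbs", [])
        found |= RISKY_VERBS if "*" in verbs else RISKY_VERBS & set(verbs)
    return sorted(found)


def audit(roles: List[Dict]) -> List[Tuple[str, str, List[str]]]:
    """(namespace, name, verbs) for every Role matching this catalog entry."""
    findings = []
    for role in roles:
        verbs = risky_verbs_on_roles(role)
        if verbs:
            meta = role.get("metadata", {})
            findings.append((meta.get("namespace", ""), meta.get("name", ""), verbs))
    return findings


# Constructed sample input: the wildcard Role from abuse scenario 1, a
# read-only Role that should not be flagged, and a Role limited to patching.
SAMPLE_ROLES = [
    {"metadata": {"namespace": "default", "name": "pwned-namespace-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"namespace": "default", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"namespace": "team-a", "name": "role-patcher"},
     "rules": [{"apiGroups": [RBAC_GROUP], "resources": ["roles"], "verbs": ["get", "patch"]}]},
]

if __name__ == "__main__":
    for ns, name, verbs in audit(SAMPLE_ROLES):
        print(f"{ns}/{name}: {','.join(verbs)} on roles")
```

To run it against a live cluster, replace `SAMPLE_ROLES` with `json.load(...)["items"]` from the `kubectl get roles -A -o json` output.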