Manage Roles in a namespace (create, update, patch, delete)
Elevation of Privilege
High
Overview
| Field | Value |
|---|---|
| ID | 1029 |
| Name | Manage Roles in a namespace (create, update, patch, delete) |
| Risk Category | Elevation of Privilege |
| Risk Level | High |
| Role Type | Role |
| API Groups | rbac.authorization.k8s.io |
| Resources | roles |
| Verbs | create, update, patch, delete |
| Tags | PrivilegeEscalation, RBACManipulation |
Description
Grants permission to create, modify, or delete Roles within a specific namespace. This allows an attacker to define or alter namespaced permissions, potentially granting themselves elevated access to resources within that namespace.
Abuse Scenarios
- Create a new Role with full permissions within the namespace.

```shell
# The Role manifest is fed to kubectl via a heredoc; the YAML must be
# indented correctly or the API server rejects it.
kubectl create -n <namespace> -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pwned-namespace-admin
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
```

- Delete an existing Role, potentially disrupting application permissions.

```shell
kubectl delete role <role-name> -n <namespace>
# Example: kubectl delete role pod-reader -n default
```
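To find which Roles in a cluster already carry this permission, the audit below (an added example, not part of the catalogue entry or any project code) walks a RoleList in the shape `kubectl get roles -A -o json` returns and reports every Role whose rules grant create/update/patch/delete on `roles` in `rbac.authorization.k8s.io`. It applies RBAC wildcard semantics, so a rule like the `["*"]` one in the abuse scenario above is caught as well as an explicit grant; the sample RoleList is constructed for the demonstration.

```python
"""Audit Roles for the ability to manage Roles (catalogue entry 1029).
Input is a RoleList as returned by `kubectl get roles -A -o json`; a Role is
flagged when any rule grants create/update/patch/delete on `roles` in
rbac.authorization.k8s.io, with "*" treated as the RBAC wildcard."""

RISKY_VERBS = {"create", "update", "patch", "delete"}
RBAC_GROUP = "rbac.authorization.k8s.io"


def _matches(values, wanted):
    """RBAC list semantics: "*" matches everything, otherwise exact match."""
    return "*" in values or wanted in values


def role_manage_verbs(role):
    """Return the set of risky verbs this Role grants on the `roles` resource."""
    granted = set()
    for rule in role.get("rules") or []:  # "rules" may be null in API output
        if not _matches(rule.get("apiGroups", []), RBAC_GROUP):
            continue
        if not _matches(rule.get("resources", []), "roles"):
            continue
        verbs = set(rule.get("verbs", []))
        granted |= RISKY_VERBS if "*" in verbs else verbs & RISKY_VERBS
    return granted


def find_role_managers(role_list):
    """Map "namespace/name" -> sorted risky verbs, for Roles that grant any."""
    findings = {}
    for role in role_list.get("items", []):
        verbs = role_manage_verbs(role)
        if verbs:
            meta = role["metadata"]
            findings[f"{meta['namespace']}/{meta['name']}"] = sorted(verbs)
    return findings


# Constructed sample with the shape of `kubectl get roles -A -o json` output.
SAMPLE_ROLELIST = {"kind": "List", "items": [
    {"metadata": {"namespace": "default", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"namespace": "default", "name": "pwned-namespace-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"namespace": "ci", "name": "role-editor"},
     "rules": [{"apiGroups": [RBAC_GROUP], "resources": ["roles"],
                "verbs": ["get", "patch"]}]},
]}

if __name__ == "__main__":
    for key, verbs in find_role_managers(SAMPLE_ROLELIST).items():
        print(f"{key}: can {', '.join(verbs)} Roles")
```

Feed it real data with `kubectl get roles -A -o json | python3 -c 'import json,sys; ...'` or by loading the JSON into `find_role_managers`; RoleBindings still need to be checked separately to see which subjects actually hold each flagged Role.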