Manage RoleBindings in a namespace (create, update, patch, delete)
Overview
| Field | Value |
|---|---|
| ID | 1030 |
| Name | Manage RoleBindings in a namespace (create, update, patch, delete) |
| Risk Category | Elevation of Privilege |
| Risk Level | High |
| Role Type | Role |
| API Groups | rbac.authorization.k8s.io |
| Resources | rolebindings |
| Risky Verb Combinations | [create] · [update] · [patch] · [delete] |
| Tags | BindingToPrivilegedRole PrivilegeEscalation RBACManipulation |
Description
Allows creating, modifying, or deleting RoleBindings within a specific namespace. This enables an attacker to bind users, groups, or service accounts to Roles within that namespace. If a powerful ClusterRole is bound to a service account in the namespace, this can lead to privilege escalation.
Abuse Scenarios
- Create a RoleBinding to grant a service account full namespace admin.

```shell
kubectl create -n <namespace> -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pwned-namespace-admin-binding
subjects:
- kind: ServiceAccount
  name: <serviceaccount-name>
  namespace: <namespace>
roleRef:
  kind: Role
  name: pwned-namespace-admin # Assuming 'pwned-namespace-admin' role exists
  apiGroup: rbac.authorization.k8s.io
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF (bind 'default' SA to 'pwned-namespace-admin' role)
```

- Delete an existing RoleBinding, revoking namespaced permissions.

```shell
kubectl delete rolebinding <rolebinding-name> -n <namespace>
# Example: kubectl delete rolebinding my-app-reader-binding -n production
```
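A defender-side check for this permission, added here as an example and not part of the original catalogue entry. It reads the JSON that `kubectl get rolebindings -n <namespace> -o json` and `kubectl get roles -n <namespace> -o json` return and flags every binding that hands a subject either a privileged ClusterRole (the `PRIVILEGED_CLUSTER_ROLES` set is an assumption to tune per cluster) or a namespaced Role whose rules allow the risky verbs from this entry on `rolebindings`, since such a subject can re-grant itself further access. Dangling bindings to a Role that no longer exists are reported too, because whoever can create that Role name later inherits the binding. The two sample objects embedded below are constructed. Worth keeping in mind when triaging findings: the API server only lets a principal create or update a binding to a role whose permissions it already holds, unless it also has the `bind` verb on that role, so the escalation this entry describes normally needs an over-privileged Role or ClusterRole that already exists and can be referenced from the namespace.

```python
"""Audit the RoleBindings of one namespace for privilege-escalation risk.

Input is plain kubectl JSON (RoleBindingList and RoleList); no cluster access
is needed to run it against saved output. The samples below are constructed.
"""
import json

# ClusterRoles that, even when scoped to a single namespace by a RoleBinding,
# give broad control over everything in that namespace. Assumption: extend
# with any cluster-specific roles that are equally powerful.
PRIVILEGED_CLUSTER_ROLES = {"cluster-admin", "admin", "edit"}

# The verbs this catalogue entry is about (plus the wildcard that implies them).
RISKY_VERBS = {"create", "update", "patch", "delete", "*"}

# Constructed sample: shape of `kubectl get rolebindings -n default -o json`.
SAMPLE_ROLEBINDINGS = json.loads("""
{"kind": "RoleBindingList", "items": [
  {"metadata": {"name": "default-sa-admin", "namespace": "default"},
   "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
   "roleRef": {"kind": "ClusterRole", "name": "admin", "apiGroup": "rbac.authorization.k8s.io"}},
  {"metadata": {"name": "alice-reads-pods", "namespace": "default"},
   "subjects": [{"kind": "User", "name": "alice", "apiGroup": "rbac.authorization.k8s.io"}],
   "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"}},
  {"metadata": {"name": "ci-manages-bindings", "namespace": "default"},
   "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "default"}],
   "roleRef": {"kind": "Role", "name": "rb-manager", "apiGroup": "rbac.authorization.k8s.io"}}
]}
""")

# Constructed sample: shape of `kubectl get roles -n default -o json`.
SAMPLE_ROLES = json.loads("""
{"kind": "RoleList", "items": [
  {"metadata": {"name": "pod-reader", "namespace": "default"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
  {"metadata": {"name": "rb-manager", "namespace": "default"},
   "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"],
              "verbs": ["create", "patch"]}]}
]}
""")


def role_allows_rolebinding_writes(role: dict) -> bool:
    """True if any rule of a Role grants a risky verb on rolebindings."""
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if not ({"rbac.authorization.k8s.io", "*"} & groups):
            continue
        if not ({"rolebindings", "*"} & resources):
            continue
        if verbs & RISKY_VERBS:
            return True
    return False


def audit_rolebindings(rolebinding_list: dict, role_list: dict) -> list:
    """Return one finding per (risky binding, subject) pair, in input order."""
    roles = {r["metadata"]["name"]: r for r in role_list.get("items", [])}
    findings = []
    for rb in rolebinding_list.get("items", []):
        name = rb["metadata"]["name"]
        namespace = rb["metadata"].get("namespace", "")
        ref = rb["roleRef"]
        reasons = []
        if ref["kind"] == "ClusterRole" and ref["name"] in PRIVILEGED_CLUSTER_ROLES:
            reasons.append(f"binds privileged ClusterRole '{ref['name']}'")
        elif ref["kind"] == "Role":
            role = roles.get(ref["name"])
            if role is None:
                reasons.append(f"references missing Role '{ref['name']}' (dangling binding)")
            elif role_allows_rolebinding_writes(role):
                reasons.append(f"Role '{ref['name']}' can manage rolebindings (self-escalation)")
        if not reasons:
            continue
        for subject in rb.get("subjects", []):
            findings.append({
                "binding": name,
                "namespace": namespace,
                "subject": f"{subject['kind']}/{subject['name']}",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # paths to saved `kubectl ... -o json` output
        with open(sys.argv[1]) as rb_file, open(sys.argv[2]) as role_file:
            bindings, roles_doc = json.load(rb_file), json.load(role_file)
    else:
        bindings, roles_doc = SAMPLE_ROLEBINDINGS, SAMPLE_ROLES
    for finding in audit_rolebindings(bindings, roles_doc):
        print(finding)
```

Run it with no arguments to see the two findings from the constructed samples (the `default` service account bound to `admin`, and the `ci` service account bound to a Role that can create and patch rolebindings), or pass the paths of two saved `kubectl get ... -o json` files to audit a real namespace. Pairing it with audit-log alerting on `create`/`update`/`patch`/`delete` of `rolebindings` by non-admin principals covers the change itself, while this script covers the resulting state.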