Escalate privileges via ClusterRoles (escalate verb)
Overview
| Field | Value |
|---|---|
| ID | 1031 |
| Name | Escalate privileges via ClusterRoles (escalate verb) |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | rbac.authorization.k8s.io |
| Resources | clusterroles |
| Risky Verb Combinations | [escalate] |
| Tags | ClusterAdminAccess PrivilegeEscalation RBACManipulation |
Description
Permits using the 'escalate' verb on ClusterRoles (or Roles). With it, a user who can create or update a role can give that role permissions they do not hold themselves (any permission defined in the role), which is direct privilege escalation.
Abuse Scenarios
- Create a new ClusterRole with elevated permissions (e.g., 'create pods') that the current user doesn't directly have, leveraging the 'escalate' permission.
```shell
# This command will succeed if the user has 'escalate' on 'clusterroles'
# (alongside 'create' on 'clusterroles', which the API also requires),
# even if they don't have 'create pods' directly.
kubectl create -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elevated-pod-creator
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create"]
EOF
```
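As an added defender-side example (not part of this entry or of any catalogue tooling), the following Python audits ClusterRoles for this permission and maps the hits to their bound subjects. The JSON inputs are constructed here in the shape that `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` produce, and wildcard rules (such as the built-in cluster-admin) are deliberately reported as well.

```python
import json

RBAC_GROUP = "rbac.authorization.k8s.io"
ROLE_KINDS = ("clusterroles", "roles")

def _matches(values, wanted):
    # A "*" entry in any rule dimension matches everything, so wildcard rules are caught too
    return "*" in values or wanted in values

def rule_grants_escalate(rule):
    """True if one RBAC rule grants 'escalate' on roles or clusterroles."""
    if not (_matches(rule.get("apiGroups", []), RBAC_GROUP)
            and _matches(rule.get("verbs", []), "escalate")):
        return False
    return any(_matches(rule.get("resources", []), kind) for kind in ROLE_KINDS)

def find_escalate_roles(cluster_roles_json):
    """Names of ClusterRoles holding an escalate rule (input: `kubectl get clusterroles -o json`)."""
    doc = json.loads(cluster_roles_json)
    return sorted(cr["metadata"]["name"] for cr in doc.get("items", [])
                  if any(rule_grants_escalate(r) for r in cr.get("rules") or []))

def subjects_of(role_names, bindings_json):
    """Map each flagged ClusterRole to subjects bound to it (input: `kubectl get clusterrolebindings -o json`)."""
    out = {name: [] for name in role_names}
    for binding in json.loads(bindings_json).get("items", []):
        ref = binding.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") in out:
            out[ref["name"]] += [f'{s["kind"]}/{s["name"]}' for s in binding.get("subjects") or []]
    return out

# Constructed sample objects shaped like kubectl -o json output (not from a real cluster)
SAMPLE_CLUSTERROLES = json.dumps({"items": [
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "rbac-escalator"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
                "verbs": ["create", "escalate"]}]},
    {"metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]})
SAMPLE_BINDINGS = json.dumps({"items": [
    {"roleRef": {"kind": "ClusterRole", "name": "rbac-escalator"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "ci"}]},
]})

if __name__ == "__main__":
    for role, subs in subjects_of(find_escalate_roles(SAMPLE_CLUSTERROLES), SAMPLE_BINDINGS).items():
        print(f"{role}: grants escalate on roles/clusterroles; bound subjects: {subs or 'none'}")
```

Roles that are flagged but have no bound subjects are still worth reviewing, since a later binding is all it takes to make them exploitable.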