Create SubjectAccessReviews (check arbitrary permissions)
Information Disclosure
Medium
Overview
| Field | Value |
|---|---|
| ID | 1050 |
| Name | Create SubjectAccessReviews (check arbitrary permissions) |
| Risk Category | Information Disclosure |
| Risk Level | Medium |
| Role Type | ClusterRole |
| API Groups | authorization.k8s.io |
| Resources | subjectaccessreviews |
| Risky Verb Combinations | [create] |
| Tags | InformationDisclosure RBACQuery |
Description
Permits submitting SubjectAccessReview requests to check if an arbitrary user, group, or service account has specific permissions cluster-wide. This can be used for reconnaissance to understand the RBAC configuration and identify potential privilege escalation paths.
Abuse Scenarios
- Check if a specific service account can create pods in any namespace.

```bash
kubectl auth can-i create pods --as=system:serviceaccount:<namespace>:<serviceaccount-name> --all-namespaces
# Example: kubectl auth can-i create pods --as=system:serviceaccount:kube-system:default --all-namespaces
```

- Check if a specific user can delete nodes (`--as` takes the bare username; the `user:` prefix is not kubectl syntax).

```bash
kubectl auth can-i delete nodes --as=<username>
# Example: kubectl auth can-i delete nodes --as=admin
```