Create LocalSubjectAccessReviews (check permissions in a namespace)
Information Disclosure
Low
Overview
| Field | Value |
|---|---|
| ID | 1051 |
| Name | Create LocalSubjectAccessReviews (check permissions in a namespace) |
| Risk Category | Information Disclosure |
| Risk Level | Low |
| Role Type | Role |
| API Groups | authorization.k8s.io |
| Resources | localsubjectaccessreviews |
| Risky Verb Combinations | [create] |
| Tags | InformationDisclosure RBACQuery |
Description
Allows creating LocalSubjectAccessReview objects, which ask the API server's authorizers whether the subject named in the request (an arbitrary user, group, or service account, not the caller) may perform a given verb on a given resource in one namespace. The API server answers in status.allowed without the caller needing any right to act as that subject. This aids reconnaissance of RBAC permissions within a limited scope: mapping which identities in a namespace can read secrets, exec into pods, or modify workloads before picking a target for token theft or impersonation. The kind is namespaced and cannot express cluster-scoped resources or non-resource URLs, so the caller can only ask about the namespaces where the Role is bound.
Abuse Scenarios
- Check whether a specific service account can get secrets in a given namespace. The check has to be submitted as a LocalSubjectAccessReview object: kubectl auth can-i --as sends impersonation headers plus a SelfSubjectAccessReview instead, which needs the impersonate verb on users or serviceaccounts, a permission this entry does not grant. List the groups a service account token implicitly carries, because the authorizer evaluates only the subject written in the spec and would otherwise miss bindings to those groups.
kubectl create -f - -o yaml <<EOF
apiVersion: authorization.k8s.io/v1
kind: LocalSubjectAccessReview
metadata:
  namespace: <namespace>
spec:
  user: system:serviceaccount:<namespace>:<serviceaccount-name>
  groups: ["system:serviceaccounts", "system:serviceaccounts:<namespace>", "system:authenticated"]
  resourceAttributes:
    namespace: <namespace>
    verb: get
    resource: secrets
EOF
# Example: <namespace>=production, <serviceaccount-name>=my-app-sa. The returned object's status.allowed is true if the service account may get secrets; status.reason names the granting binding when the RBAC authorizer allowed it.
- Check whether a specific user can update deployments in a given namespace. Deployments live in the apps API group, so resourceAttributes.group must be set. spec.resourceAttributes.namespace must equal metadata.namespace, or the API server rejects the review; checking other namespaces, cluster-scoped resources, or non-resource URLs needs create on subjectaccessreviews instead.
kubectl create -f - -o yaml <<EOF
apiVersion: authorization.k8s.io/v1
kind: LocalSubjectAccessReview
metadata:
  namespace: <namespace>
spec:
  user: <username>
  groups: ["system:authenticated"]
  resourceAttributes:
    namespace: <namespace>
    group: apps
    verb: update
    resource: deployments
EOF
# Example: <namespace>=default, <username>=dev-user
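The scenarios above ask one question at a time. A reconnaissance pass usually wants a matrix: one subject, one namespace, a list of verb/resource pairs. The script below is an added example for this entry, not code from the catalog or from Kubernetes. It builds the LocalSubjectAccessReview body (expanding the implicit service-account groups and splitting subresources such as pods/exec), posts it with kubectl create -f - -o json under the current kubeconfig, and reduces each status to a verdict. The CHECKS list, the offline_client policy and its sample subjects (production, my-app-sa, dev-user) are constructed for illustration; only create on localsubjectaccessreviews in the target namespace is needed to run it against a real cluster.

```python
"""Enumerate what one subject may do in one namespace with LocalSubjectAccessReview.

Added example for this catalog entry (not code from the catalog or from
Kubernetes). The caller needs only `create` on localsubjectaccessreviews in
the target namespace. Transport is `kubectl create -f - -o json` using the
current kubeconfig; `client` is injectable so the logic also runs offline.
"""
import json
import subprocess
import sys


def subject_groups(user):
    """Groups every service account token carries. The authorizer evaluates only
    the subject written in the spec, so these must be listed explicitly or
    RoleBindings granted to these groups come back as forbidden."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return ["system:serviceaccounts",
                f"system:serviceaccounts:{parts[2]}",
                "system:authenticated"]
    return ["system:authenticated"]


def lsar_body(namespace, user, verb, resource, group="", groups=None):
    """Build the review object. `resource` may carry a subresource ("pods/exec")."""
    res, _, sub = resource.partition("/")
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "LocalSubjectAccessReview",
        "metadata": {"namespace": namespace},
        "spec": {
            "user": user,
            "groups": subject_groups(user) if groups is None else groups,
            "resourceAttributes": {
                "namespace": namespace,  # server rejects a mismatch with metadata.namespace
                "verb": verb,
                "group": group,          # "" is the core API group
                "resource": res,
                "subresource": sub,
            },
        },
    }


def interpret(review):
    """Reduce status to allowed/forbidden/error. Both `allowed: false` (no
    authorizer permitted it) and `denied: true` (one vetoed it) mean the real
    request would be rejected."""
    status = review.get("status", {})
    if status.get("evaluationError"):
        return "error"
    return "allowed" if status.get("allowed") else "forbidden"


def kubectl_client(body):
    """POST the review via kubectl; the server returns it with status filled in."""
    proc = subprocess.run(["kubectl", "create", "-f", "-", "-o", "json"],
                          input=json.dumps(body), capture_output=True,
                          text=True, check=True)
    return json.loads(proc.stdout)


def offline_client(body):
    """Constructed stand-in for the API server with a made-up policy, for
    offline runs: my-app-sa may `get secrets`, and any member of the group
    system:serviceaccounts:production may `create pods`."""
    attrs = body["spec"]["resourceAttributes"]
    if attrs["namespace"] != body["metadata"]["namespace"]:
        raise ValueError("spec.resourceAttributes.namespace must match metadata.namespace")
    what = (attrs["verb"], attrs["resource"], attrs["subresource"])
    allowed = (
        body["spec"]["user"] == "system:serviceaccount:production:my-app-sa"
        and what == ("get", "secrets", "")
    ) or (
        "system:serviceaccounts:production" in body["spec"]["groups"]
        and what == ("create", "pods", "")
    )
    return {**body, "status": {"allowed": allowed}}


# Constructed (verb, resource[/subresource], apiGroup) triples worth asking about.
CHECKS = [
    ("get", "secrets", ""),
    ("list", "secrets", ""),
    ("create", "pods", ""),
    ("create", "pods/exec", ""),
    ("update", "deployments", "apps"),
    ("create", "rolebindings", "rbac.authorization.k8s.io"),
]


def enumerate_subject(namespace, user, client=kubectl_client, checks=CHECKS):
    """Return {"verb resource[.group]": verdict} for each check."""
    results = {}
    for verb, resource, group in checks:
        label = f"{verb} {resource}" + (f".{group}" if group else "")
        results[label] = interpret(client(lsar_body(namespace, user, verb, resource, group)))
    return results


if __name__ == "__main__":
    # usage: python lsar_enum.py production system:serviceaccount:production:my-app-sa
    ns, subj = sys.argv[1], sys.argv[2]
    for label, verdict in enumerate_subject(ns, subj).items():
        print(f"{verdict:9} {label}")
```

Run it once per interesting subject per namespace; the kubectl transport makes one create call per check, and each call is logged in the audit log as a create on localsubjectaccessreviews by the caller, so the reconnaissance is visible to a defender who alerts on that verb/resource pair from unexpected principals.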