Approve CertificateSigningRequests
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1052 |
| Name | Approve CertificateSigningRequests |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | certificates.k8s.io |
| Resources | certificatesigningrequests/approval |
| Risky Verb Combinations | [update] · [patch] |
| Tags | CSRApproval ClusterAdminAccess PrivilegeEscalation Spoofing |
Description
Grants the ability to approve CertificateSigningRequests (CSRs). This is extremely critical because approving a CSR whose subject names a highly privileged user or group (e.g., the system:masters group) lets an attacker mint a client certificate that carries those privileges, leading to full cluster compromise.
Abuse Scenarios
- Approve a pending CertificateSigningRequest.

  ```
  kubectl certificate approve <csr-name>
  # Example: kubectl certificate approve my-user-csr
  ```
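A pre-approval check of the kind a reviewer would run before issuing `kubectl certificate approve`, as an added example that is not part of the original page: it decodes a CSR's `spec.request` (the base64-wrapped PEM returned by `kubectl get csr -o json`), parses the X.509 request and flags a subject whose Organization (the Kubernetes group) is system:masters or whose CommonName (the username) uses the reserved `system:` prefix. The blocked-group list and the `MakeRequest` helper that builds constructed sample CSRs are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"strings"
)

// Groups that should never be granted through a casually approved client certificate (assumed list).
var blockedGroups = map[string]bool{"system:masters": true}

// ReviewCSR takes the value of spec.request as kubectl prints it (base64 of a PEM block),
// verifies the request parses and is self-signed correctly, and returns the reasons it
// should be refused. An empty result means no red flags were found in the subject.
func ReviewCSR(specRequestB64 string) ([]string, error) {
	raw, err := base64.StdEncoding.DecodeString(specRequestB64)
	if err != nil {
		return nil, fmt.Errorf("spec.request is not base64: %w", err)
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("spec.request does not contain a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, err
	}
	var reasons []string
	for _, org := range csr.Subject.Organization { // O= maps to the Kubernetes group
		if blockedGroups[org] {
			reasons = append(reasons, "requests membership in privileged group "+org)
		}
	}
	if strings.HasPrefix(csr.Subject.CommonName, "system:") { // CN= maps to the username
		reasons = append(reasons, "requests reserved identity "+csr.Subject.CommonName)
	}
	return reasons, nil
}

// MakeRequest builds a constructed sample CSR for the given identity in spec.request form.
func MakeRequest(cn string, orgs []string) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: orgs}}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	p := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return base64.StdEncoding.EncodeToString(p)
}

func main() {
	for _, c := range []struct {
		cn   string
		orgs []string
	}{{"dev-alice", []string{"developers"}}, {"eve", []string{"system:masters"}}} {
		reasons, err := ReviewCSR(MakeRequest(c.cn, c.orgs))
		fmt.Printf("%s: reasons=%v err=%v\n", c.cn, reasons, err)
	}
}
```

The same decode-and-inspect step can be applied to the `spec.request` field of every pending CSR before any approval is granted.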