Wildcard permission on all resources cluster-wide (Cluster Admin)
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1060 |
| Name | Wildcard permission on all resources cluster-wide (Cluster Admin) |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | * |
| Resources | * |
| Verbs | * |
| Tags | ClusterAdminAccess DenialOfService InformationDisclosure PrivilegeEscalation Spoofing (+2 more) |
Description
Grants unrestricted wildcard ('*') access to every API group, resource, and verb across the entire cluster. This is equivalent to full cluster-administrator privileges: a subject bound to such a role has complete control of the Kubernetes cluster and can compromise it outright.
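As an added defender-side example (not part of this catalogue entry), the following Python check applies the criteria above to `kubectl get clusterroles -o json` output and reports ClusterRoles in which a single rule carries `*` in apiGroups, resources, and verbs. The sample ClusterRoles are constructed, and the requirement that all three wildcards sit in the same rule is my reading of the entry's criteria.

```python
import json
WILDCARD = "*"

def is_cluster_admin_rule(rule):
    """True when one PolicyRule covers every API group, resource and verb.

    All three wildcards must sit in the *same* rule: a role whose '*' verbs
    and '*' resources live in different rules is still broad, but it is not
    this finding and should be reported under a narrower rule.
    """
    # apiGroups/resources are absent on nonResourceURLs rules, so default to [].
    return (WILDCARD in rule.get("apiGroups", [])
            and WILDCARD in rule.get("resources", [])
            and WILDCARD in rule.get("verbs", []))

def find_wildcard_cluster_roles(role_list):
    """Names of ClusterRoles in a `kubectl get clusterroles -o json` List
    that match finding 1060. The built-in cluster-admin role matches too;
    allow-list it explicitly rather than loosening the check."""
    flagged = []
    for item in role_list.get("items", []):
        if item.get("kind") != "ClusterRole":
            continue
        rules = item.get("rules") or []  # aggregated roles may carry rules: null
        if any(is_cluster_admin_rule(r) for r in rules):
            flagged.append(item["metadata"]["name"])
    return flagged

def scan_json(text):
    """Convenience wrapper: parse kubectl JSON output and return flagged names."""
    return find_wildcard_cluster_roles(json.loads(text))

# Constructed sample (not from a real cluster): one hit, one split across
# rules, one narrow viewer, one aggregated role with no inline rules.
SAMPLE_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "example-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "example-split"},
     "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get"]},
               {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "example-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "example-aggregated"},
     "aggregationRule": {"clusterRoleSelectors": []}, "rules": None},
]})

if __name__ == "__main__":
    for name in scan_json(SAMPLE_JSON):
        print(f"1060 Critical: ClusterRole/{name} grants * verbs on * resources in * API groups")
```

Pipe real output in with `kubectl get clusterroles -o json` and review every hit against the RoleBindings and ClusterRoleBindings that reference it.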
Abuse Scenarios
- List all resources across all namespaces (demonstrates broad read access).

```shell
kubectl get all --all-namespaces
```

- Create a privileged pod with full host access (demonstrates full control).

```shell
kubectl create -n <namespace> -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: cluster-admin-pod
spec:
  hostNetwork: true
  hostPID: true
  hostIPC: true
  containers:
  - name: attacker
    image: busybox
    command: ["/bin/sh", "-c", "sleep infinity"]
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: host-root
  volumes:
  - name: host-root
    hostPath:
      path: /
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
```