Wildcard permission on all resources in a namespace (Namespace Admin)
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1061 |
| Name | Wildcard permission on all resources in a namespace (Namespace Admin) |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | Role |
| API Groups | * |
| Resources | * |
| Verbs | * |
| Tags | DenialOfService InformationDisclosure NamespaceAdmin PotentialPrivilegeEscalation Spoofing (+2 more) |
Description
Grants unrestricted, wildcard ('*') access to all API groups, resources, and verbs within a specific namespace. This provides full administrative control over that namespace and can often be leveraged to escalate privileges to cluster-wide admin, depending on the cluster configuration and the operators installed in it.
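A defender's first step is finding Roles of this shape before they are bound to anyone. The following audit script is an added example and not part of this catalogue or its tooling; it assumes the JSON shape that `kubectl get roles -A -o json` prints (a `List` whose `items` are `Role` objects) and uses two constructed sample manifests, one matching this entry and one scoped to specific resources, so it runs offline.

```python
import json
import sys

# Constructed sample manifests (not taken from any real cluster).
WILDCARD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "namespace-admin", "namespace": "production"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

SCOPED_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "deployment-operator", "namespace": "production"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "patch"]},
    ],
}


def classify_rule(rule):
    """'full-wildcard' when apiGroups, resources and verbs are all '*' (this entry),
    'partial-wildcard' when at least one of them is, otherwise 'scoped'."""
    stars = [
        "*" in rule.get("apiGroups", []),
        "*" in rule.get("resources", []),
        "*" in rule.get("verbs", []),
    ]
    if all(stars):
        return "full-wildcard"
    if any(stars):
        return "partial-wildcard"
    return "scoped"


def find_wildcard_rules(role):
    """Indexes of the rules in a Role that grant '*' on all three fields."""
    return [i for i, rule in enumerate(role.get("rules") or [])
            if classify_rule(rule) == "full-wildcard"]


def audit(obj):
    """Accept a single Role or a List of Roles and return one
    (namespace, role name, rule index) tuple per namespace-admin wildcard rule."""
    items = obj.get("items", []) if obj.get("kind", "").endswith("List") else [obj]
    findings = []
    for role in items:
        # kubectl includes 'kind' on each list item; ClusterRoles are a separate, cluster-wide finding
        if role.get("kind", "Role") != "Role":
            continue
        meta = role.get("metadata", {})
        for idx in find_wildcard_rules(role):
            findings.append((meta.get("namespace", ""), meta.get("name", ""), idx))
    return findings


if __name__ == "__main__":
    # Live usage: kubectl get roles -A -o json | python3 audit_wildcard_roles.py
    # Without piped input the constructed samples are audited instead.
    if sys.stdin.isatty():
        source = {"kind": "List", "items": [WILDCARD_ROLE, SCOPED_ROLE]}
    else:
        source = json.load(sys.stdin)
    for ns, name, idx in audit(source):
        print(f"CRITICAL id=1061 namespace={ns} role={name} rule[{idx}] grants */*/*")
```

Only rules where all three fields are `*` are reported as this entry; a rule such as `verbs: ["*"]` on `secrets` is classified as `partial-wildcard` so it can be triaged under a narrower finding rather than lost. Bindings are out of scope here: a matching Role is a latent risk until a RoleBinding hands it to a subject, which is the next thing to check.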
Abuse Scenarios
- List all resources within the specific namespace.

  ```shell
  kubectl get all -n <namespace>
  # Example: kubectl get all -n production
  ```

- Create a privileged pod within the namespace (if not blocked by PSP/PSA).

  ```shell
  kubectl create -n <namespace> -f - <<EOF
  apiVersion: v1
  kind: Pod
  metadata:
    name: namespace-admin-pod
  spec:
    containers:
    - name: attacker
      image: busybox
      command: ["/bin/sh", "-c", "sleep infinity"]
      securityContext:
        privileged: true
  EOF
  # Example: kubectl create -n default -f - <<EOF ... EOF
  ```