Impersonate users, groups, or service accounts (cluster-wide)
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1066 |
| Name | Impersonate users, groups, or service accounts (cluster-wide) |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | core |
| Resources | users, groups, serviceaccounts, userextras, uids |
| Verbs | impersonate |
| Tags | ClusterAdminAccess, Impersonation, PrivilegeEscalation, Spoofing |
Description
Allows impersonating any user, group, or service account across the entire cluster via impersonation headers. This can be used to escalate privileges to the level of the impersonated identity, potentially gaining cluster-admin access.
Abuse Scenarios
- Impersonate a service account to list secrets in kube-system.

  ```bash
  kubectl get secrets -n kube-system --as=system:serviceaccount:kube-system:default
  # Example: kubectl get secrets -n kube-system --as=system:serviceaccount:kube-system:kube-controller-manager
  ```

- Impersonate a user in the `system:masters` group to gain cluster-admin.

  ```bash
  kubectl get nodes --as=admin --as-group=system:masters
  # Example: kubectl get nodes --as=pwned-admin --as-group=system:masters
  ```
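
To find which ClusterRoles carry this permission, the rule definition in the Overview can be evaluated against the cluster's RBAC objects. The following is an added example, not code from this catalogue: it takes data in the shape of `kubectl get clusterroles -o json`, honours `*` wildcards, and separates grants limited by `resourceNames` from unrestricted ones. The role names, the `mk_rule` helper and the sample data are constructed for illustration.

```python
# Resources named in the rule above. "" is the core API group; Kubernetes serves
# userextras and uids under authentication.k8s.io, so that group is checked too.
IMPERSONATION_RESOURCES = {"users", "groups", "serviceaccounts", "userextras", "uids"}
API_GROUPS = {"", "authentication.k8s.io"}

def granted(values, wanted):
    """Subset of `wanted` that an RBAC list grants, honouring the '*' wildcard."""
    values = set(values or [])
    return set(wanted) if "*" in values else values & set(wanted)

def find_impersonation_grants(cluster_roles):
    """Return one finding per ClusterRole rule that allows 'impersonate'."""
    findings = []
    for role in cluster_roles.get("items", []):
        for rule in role.get("rules") or []:
            if not granted(rule.get("verbs"), {"impersonate"}):
                continue
            if not granted(rule.get("apiGroups"), API_GROUPS):
                continue
            # Subresources such as "userextras/scopes" count as their parent.
            base = [r.split("/")[0] for r in rule.get("resources") or []]
            hit = granted(base, IMPERSONATION_RESOURCES)
            if hit:
                findings.append({
                    "role": role["metadata"]["name"],
                    "resources": sorted(hit),
                    # No resourceNames: any identity can be impersonated.
                    "unrestricted": not rule.get("resourceNames"),
                })
    return findings

def mk_rule(groups, resources, verbs, names=None):
    """Hypothetical helper that builds one PolicyRule dict for the sample."""
    rule = {"apiGroups": groups, "resources": resources, "verbs": verbs}
    if names:
        rule["resourceNames"] = names
    return rule

# Constructed sample in the shape of `kubectl get clusterroles -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "pod-reader"}, "rules": [mk_rule([""], ["pods"], ["get", "list"])]},
    {"metadata": {"name": "ci-deployer"},
     "rules": [mk_rule([""], ["users", "groups"], ["impersonate"])]},
    {"metadata": {"name": "support-view-as"},
     "rules": [mk_rule([""], ["users"], ["impersonate"], ["readonly-viewer"])]},
    {"metadata": {"name": "wildcard-ops"}, "rules": [mk_rule(["*"], ["*"], ["*"])]},
]}

if __name__ == "__main__":
    for finding in find_impersonation_grants(SAMPLE):
        print(finding)
```

Findings marked `unrestricted` match this rule as described; a grant with `resourceNames` limits impersonation to the listed identities and should be reviewed against what those identities can do.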