Manage ServiceAccounts cluster-wide
Elevation of Privilege
High
Overview
| Field | Value |
|---|---|
| ID | 1067 |
| Name | Manage ServiceAccounts cluster-wide |
| Risk Category | Elevation of Privilege |
| Risk Level | High |
| Role Type | ClusterRole |
| API Groups | core |
| Resources | serviceaccounts |
| Verbs | create, update, patch, delete |
| Tags | IdentityManagement, PotentialPrivilegeEscalation, Tampering |
Description
Allows creating, updating, patching, or deleting ServiceAccounts in any namespace. A holder of this permission can create new SAs and, if other RBAC permissions allow, bind them to privileged roles, or modify existing SAs and thereby interfere with the identities that workloads run under.
Abuse Scenarios
- Create a new ServiceAccount in any namespace.

```bash
kubectl create serviceaccount <new-sa-name> -n <namespace>
# Example: kubectl create serviceaccount backdoor-sa -n kube-system
```

- Delete an existing ServiceAccount, potentially disrupting workloads.

```bash
kubectl delete serviceaccount <serviceaccount-name> -n <namespace>
# Example: kubectl delete serviceaccount default -n default
```
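To find which ClusterRoles in a cluster actually carry this permission, here is an added Python check (not part of the catalog entry) that scans a `kubectl get clusterroles -o json` dump for rules granting create/update/patch/delete on core `serviceaccounts`, treating `*` wildcards the way the API server does. The sample dump and the function names `risky_verbs` and `find_sa_managers` are constructed for this example.

```python
import json

# Constructed sample in the shape of `kubectl get clusterroles -o json`; two of the four roles should be flagged.
CLUSTERROLES_JSON = """
{"items": [
  {"metadata": {"name": "sa-admin"},
   "rules": [{"apiGroups": [""], "resources": ["serviceaccounts"],
              "verbs": ["create", "update", "patch", "delete"]}]},
  {"metadata": {"name": "sa-reader"},
   "rules": [{"apiGroups": [""], "resources": ["serviceaccounts"],
              "verbs": ["get", "list", "watch"]}]},
  {"metadata": {"name": "wildcard-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"metadata": {"name": "token-requester"},
   "rules": [{"apiGroups": [""], "resources": ["serviceaccounts/token"],
              "verbs": ["create"]}]}
]}
"""

# Verbs that make up risk 1067 (ServiceAccount management in the core API group).
RISKY_VERBS = {"create", "update", "patch", "delete"}


def risky_verbs(rule):
    """Return the subset of RISKY_VERBS one RBAC rule grants on core `serviceaccounts`.
    A `*` in apiGroups, resources or verbs covers everything, as the API server evaluates it.
    Subresources such as `serviceaccounts/token` are a different permission and are not matched."""
    groups = rule.get("apiGroups") or []
    resources = rule.get("resources") or []
    verbs = set(rule.get("verbs") or [])
    if not ("" in groups or "*" in groups):
        return set()
    if not ("serviceaccounts" in resources or "*" in resources):
        return set()
    return set(RISKY_VERBS) if "*" in verbs else verbs & RISKY_VERBS


def find_sa_managers(clusterroles_json):
    """Map each ClusterRole name to the sorted risky verbs it grants on
    ServiceAccounts; roles with no such grant are omitted."""
    findings = {}
    for item in json.loads(clusterroles_json)["items"]:
        granted = set()
        for rule in item.get("rules") or []:  # `rules` can be null in the JSON
            granted |= risky_verbs(rule)
        if granted:
            findings[item["metadata"]["name"]] = sorted(granted)
    return findings
```

Each flagged ClusterRole should then be traced through its ClusterRoleBindings to see which subjects actually hold it.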