Manage ServiceAccounts in a namespace
Overview
| Field | Value |
|---|---|
| ID | 1068 |
| Name | Manage ServiceAccounts in a namespace |
| Risk Category | Elevation of Privilege |
| Risk Level | Medium |
| Role Type | Role |
| API Groups | core |
| Resources | serviceaccounts |
| Verbs | create, update, patch, delete |
| Tags | IdentityManagement, PotentialPrivilegeEscalation, Tampering |
Description
Allows creating, updating, patching, or deleting ServiceAccounts within a specific namespace. This can be used to create new ServiceAccounts in the namespace, which could then be bound to roles for privilege escalation within or from that namespace.
Abuse Scenarios
- Create a new ServiceAccount within the namespace.

  ```shell
  kubectl create serviceaccount <new-sa-name> -n <namespace>
  # Example: kubectl create serviceaccount dev-backdoor-sa -n development
  ```

- Delete an existing ServiceAccount within the namespace.

  ```shell
  kubectl delete serviceaccount <serviceaccount-name> -n <namespace>
  # Example: kubectl delete serviceaccount my-app-sa -n production
  ```
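As an added audit check (not part of this catalog entry or its tooling), the script below applies the entry's matching criteria (core API group, `serviceaccounts`, any of create/update/patch/delete, with `*` treated as a wildcard) to Role manifests and reports which Roles grant them. The `RoleList` sample is constructed to look like `kubectl get roles -A -o json` output.

```python
import json

# Matching criteria for risk 1068, taken from the Overview table above.
# The "core" API group is written as the empty string in a manifest.
RISK_API_GROUPS = {""}
RISK_RESOURCES = {"serviceaccounts"}
RISK_VERBS = {"create", "update", "patch", "delete"}

# Constructed sample shaped like `kubectl get roles -A -o json` output:
# a read-only Role, a Role that matches the risk, and a wildcard Role.
SAMPLE_ROLES = json.loads("""
{"kind": "RoleList", "items": [
 {"kind": "Role", "metadata": {"namespace": "development", "name": "sa-reader"},
  "rules": [{"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["get", "list"]}]},
 {"kind": "Role", "metadata": {"namespace": "development", "name": "sa-manager"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]},
            {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["create", "delete"]}]},
 {"kind": "Role", "metadata": {"namespace": "production", "name": "admin-like"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
]}
""")

def grants(granted, wanted):
    """True if a rule's list covers any wanted value; '*' is a wildcard in RBAC rules."""
    granted = set(granted or [])
    return "*" in granted or bool(granted & wanted)

def risky_verbs(role):
    """Sorted list of risk-1068 verbs a Role grants on serviceaccounts (empty if none)."""
    verbs = set()
    for rule in role.get("rules", []):
        if grants(rule.get("apiGroups"), RISK_API_GROUPS) and grants(rule.get("resources"), RISK_RESOURCES):
            rule_verbs = set(rule.get("verbs", []))
            verbs |= RISK_VERBS if "*" in rule_verbs else rule_verbs & RISK_VERBS
    return sorted(verbs)

def audit(role_list):
    """Map 'namespace/name' -> risky verbs for every Role in a RoleList that matches."""
    findings = {}
    for role in role_list["items"]:
        verbs = risky_verbs(role)
        if verbs:
            meta = role["metadata"]
            findings[f"{meta['namespace']}/{meta['name']}"] = verbs
    return findings

if __name__ == "__main__":
    for key, verbs in audit(SAMPLE_ROLES).items():
        print(f"{key}: manages serviceaccounts with {', '.join(verbs)}")
```

Replacing `SAMPLE_ROLES` with real `kubectl get roles -A -o json` output gives a per-namespace list of Roles to review; ClusterRoles use the same rule schema and can be fed through `risky_verbs` as well.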