Create SelfSubjectRulesReviews (Discover Own Permissions)
Information Disclosure
Low
Overview
| Field | Value |
|---|---|
| ID | 1086 |
| Name | Create SelfSubjectRulesReviews (Discover Own Permissions) |
| Risk Category | Information Disclosure |
| Risk Level | Low |
| Role Type | Role |
| API Groups | authorization.k8s.io |
| Resources | selfsubjectrulesreviews |
| Risky Verb Combinations | [create] |
| Tags | InformationDisclosure RBACQuery Reconnaissance |
Description
Allows creating SelfSubjectRulesReview resources. This lets a user or service account ask the API server which actions it is permitted to perform within a given namespace, which can be used to confirm successful exploitation or to discover its own capabilities for further actions.
Abuse Scenarios
- List all permissions the current user/service account has in a specific namespace.
```bash
kubectl auth can-i --list -n <namespace>
# Example: kubectl auth can-i --list -n default
```
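Two points a practitioner wants alongside this entry: what the request and response behind `kubectl auth can-i --list` actually contain, and how a create of this resource shows up in the kube-apiserver audit log so it can be watched. The Python below is an added example, not part of the original entry or of any tool it describes. The request manifest and status fields follow the v1 SelfSubjectRulesReview API; the response object and the audit events are constructed for illustration, and `build_review`, `summarize_rules` and `flag_rules_reviews` are names chosen here. Keep in mind that the default `system:basic-user` ClusterRole, bound to `system:authenticated`, already grants create on selfsubjectaccessreviews and selfsubjectrulesreviews, so removing the verb from a custom role does not stop the query; the realistic control is audit visibility, and the `queried_namespace` field is only populated when the audit policy logs this resource at `RequestResponse` level (it is `None` at `Metadata` level).

```python
"""Added example (not from the original entry): the SelfSubjectRulesReview
request/response shape and a detector over Kubernetes audit log lines.
All manifests, responses and audit events below are constructed."""
import json

API_GROUP = "authorization.k8s.io"
RESOURCE = "selfsubjectrulesreviews"


def build_review(namespace: str) -> dict:
    """Body that `kubectl auth can-i --list -n <namespace>` POSTs.
    The object is cluster-scoped; the namespace being asked about lives in spec."""
    return {
        "apiVersion": f"{API_GROUP}/v1",
        "kind": "SelfSubjectRulesReview",
        "spec": {"namespace": namespace},
    }


def summarize_rules(review: dict) -> list[str]:
    """Flatten status.resourceRules / nonResourceRules into 'verbs target' lines,
    the same information kubectl prints as a table."""
    status = review.get("status", {})
    lines = []
    for rule in status.get("resourceRules", []):
        for group in rule.get("apiGroups", [""]):
            for res in rule.get("resources", []):
                target = f"{group}/{res}" if group else res
                lines.append(f"{','.join(rule['verbs'])} {target}")
    for rule in status.get("nonResourceRules", []):
        for url in rule.get("nonResourceURLs", []):
            lines.append(f"{','.join(rule['verbs'])} {url}")
    if status.get("incomplete"):
        # The server could not evaluate every authorizer; treat the list as partial.
        lines.append("(incomplete: " + status.get("evaluationError", "") + ")")
    return lines


# Constructed response for a low-privilege service account (v1 status fields).
SAMPLE_RESPONSE = {
    "apiVersion": "authorization.k8s.io/v1",
    "kind": "SelfSubjectRulesReview",
    "status": {
        "resourceRules": [
            {"verbs": ["get", "list"], "apiGroups": [""], "resources": ["pods"]},
            {"verbs": ["create"], "apiGroups": ["authorization.k8s.io"],
             "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"]},
        ],
        "nonResourceRules": [
            {"verbs": ["get"], "nonResourceURLs": ["/healthz", "/version"]},
        ],
        "incomplete": False,
    },
}

# Constructed kube-apiserver audit events (JSON format, one event per line).
SAMPLE_AUDIT = [
    json.dumps({"kind": "Event", "verb": "create",
                "user": {"username": "system:serviceaccount:default:app-sa",
                         "groups": ["system:serviceaccounts"]},
                "sourceIPs": ["10.0.1.23"],
                "objectRef": {"resource": RESOURCE, "apiGroup": API_GROUP,
                              "apiVersion": "v1"},
                "requestObject": build_review("kube-system")}),
    json.dumps({"kind": "Event", "verb": "get",
                "user": {"username": "alice", "groups": ["system:authenticated"]},
                "sourceIPs": ["10.0.1.5"],
                "objectRef": {"resource": "pods", "namespace": "default",
                              "name": "web-1"}}),
]


def flag_rules_reviews(audit_lines: list[str]) -> list[dict]:
    """Detection: pick out events where a principal creates a SelfSubjectRulesReview
    and record who asked, from where, and about which namespace. A workload service
    account enumerating its own permissions is a reconnaissance signal worth review."""
    hits = []
    for raw in audit_lines:
        ev = json.loads(raw)
        ref = ev.get("objectRef", {})
        if ev.get("verb") != "create" or ref.get("resource") != RESOURCE:
            continue
        if ref.get("apiGroup", "") != API_GROUP:
            continue
        user = ev.get("user", {}).get("username", "")
        body = ev.get("requestObject", {})  # only present at RequestResponse level
        hits.append({
            "user": user,
            "is_service_account": user.startswith("system:serviceaccount:"),
            "queried_namespace": body.get("spec", {}).get("namespace"),
            "source": (ev.get("sourceIPs") or [None])[0],
        })
    return hits


if __name__ == "__main__":
    print("\n".join(summarize_rules(SAMPLE_RESPONSE)))
    for hit in flag_rules_reviews(SAMPLE_AUDIT):
        print("rules review:", hit)
```

Running the block prints the flattened permission list for the constructed response and one flagged audit event for the service account that asked about `kube-system`; the `get pods` event is ignored.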