Kubernetes RBAC Misconfiguration
Cloud Security
Definition
Overly permissive or incorrectly configured Role-Based Access Control (RBAC) policies in Kubernetes that grant unauthorized access to cluster resources, secrets, or the API server, or that enable privilege escalation to cluster-admin.
Technical Details
Common Kubernetes RBAC misconfigurations include: overly broad wildcard (`*`) verbs or resources in Role and ClusterRole rules, cluster-admin bindings for service accounts, automatic mounting of the default service account token into pods, permissive pod security contexts that allow privilege escalation, and reliance on the system:masters group (which is bound to cluster-admin by default). An attacker who obtains a pod's service account token with excessive permissions can enumerate, modify, or exfiltrate cluster resources.
Practical Usage
Security teams should regularly audit RBAC policies using tools like kube-bench, Polaris, or rbac-police. Service accounts should follow the least-privilege principle, with `automountServiceAccountToken: false` set for pods that don't require API access. Cluster-admin role bindings should require explicit justification and regular review.
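As an added example (not code from the original page or from any of the tools named above), a small Python audit that walks an RBAC dump and flags the binding-level problems described here: wildcard roles, cluster-admin bound to a service account, and reliance on system:masters. It expects the `items` array that `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json` returns; the sample objects below are constructed.

```python
# Constructed sample dump (not from a real cluster), in the shape `kubectl get ... -o json` returns.
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-wildcard"},
     "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "readers", "namespace": "app"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "app"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "legacy-ops"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]

def wildcard_roles(items):
    """Roles/ClusterRoles using '*' verbs or resources (built-in system:* roles skipped)."""
    wild = {"cluster-admin"}  # cluster-admin is a wildcard role by definition
    for it in items:
        name = it["metadata"]["name"]
        if it["kind"] in ("Role", "ClusterRole") and not name.startswith("system:"):
            for rule in it.get("rules", []):
                if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                    wild.add(name)
    return wild

def audit_rbac(items):
    """Return (binding, finding, subject) triples for risky bindings, in dump order."""
    wild, findings = wildcard_roles(items), []
    for it in items:
        if it["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        binding, role = it["metadata"]["name"], it["roleRef"]["name"]
        for s in it.get("subjects", []):
            subject = f'{s["kind"]}:{s.get("namespace", "-")}/{s["name"]}'
            if s["kind"] == "ServiceAccount" and role == "cluster-admin":
                findings.append((binding, "service account bound to cluster-admin", subject))
            elif role in wild:  # any subject holding a wildcard role
                findings.append((binding, f"wildcard role {role!r} bound", subject))
            if s["kind"] == "Group" and s["name"] == "system:masters":
                findings.append((binding, "system:masters group used as a subject", subject))
    return findings

for binding, finding, subject in audit_rbac(SAMPLE_ITEMS):
    print(f"{binding}: {finding} ({subject})")
```

On a real dump the default `cluster-admin` ClusterRoleBinding for Group system:masters is reported too and should be allow-listed; the `readers` binding above is a negative case and produces no finding.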
Examples
- A compromised pod with a service account bound to cluster-admin reads all secrets and pivots to exfiltrate database credentials.
- Default service account tokens in a pod allow an attacker to enumerate all deployments in the cluster after container escape.
- An RBAC audit reveals a CI/CD service account with wildcard permissions on all resources in all namespaces.