CoursesKubernetes attack & defenseRBAC & privilege escalation

RBAC & the powerful grants

secrets, pods create, exec — escalation in disguise.

Advanced35 min · lesson 4 of 15

RBAC is the cluster’s authorization core, and most Kubernetes privilege escalation is really an RBAC misconfiguration. Understanding exactly what verbs and resources grant — and which ones grant far more than they appear to — is the foundation of both attack and defense.

The model and the deceptively-powerful grants

An RBAC rule grants verbs (get, list, watch, create, update, patch, delete) on resources, bound to a subject by a RoleBinding (namespaced) or ClusterRoleBinding (cluster-wide). The trap is that some grants are far more powerful than they look. get/list on Secrets returns every credential in plaintext. create on pods lets a subject mount any service-account token, add a hostPath, or run privileged — a direct path toward the node. The pods/exec subresource runs arbitrary commands in a running pod and reaches its secrets. Reviewing RBAC means recognizing these high-impact grants, not just counting bindings.

audit what a subject can really do
# Enumerate a subject's effective permissions (as an attacker or a reviewer):
kubectl auth can-i --list --as=system:serviceaccount:prod:frontend
# Hunt cluster-wide for the dangerous grants:
kubectl get clusterrolebindings -o json | jq '.items[] |
select(.roleRef.name=="cluster-admin") | .subjects' # who is cluster-admin?
# Also review any Role/ClusterRole granting: secrets get/list, pods create,
# pods/exec, and the escalation verbs (next lesson).

Least privilege in practice

Least-privilege RBAC means scoped roles, a dedicated service account per workload, and no wildcards (resources: "*" or verbs: "*"). Prefer namespaced Roles over ClusterRoles, grant only the specific verbs and resources a workload actually uses, and never reuse the default service account for pods that talk to the API. The payoff is containment: when a pod is compromised, its token opens only the few doors you deliberately granted, not the whole cluster. RBAC hygiene is the single highest-leverage cluster-security control.

RBAC: the grants that matter
deceptively powerful
secrets get/list
every credential, in plaintext
pods create
mount tokens/hostPath, run privileged
pods/exec
run commands in running pods
least privilege
per-workload SA
no shared default SA
scoped Roles, no wildcards
only needed verbs/resources
Some grants are escalation in disguise. Review for those, and default to tightly-scoped, per-workload service accounts.
Wildcards in RBAC are a blank check
A Role granting verbs: ["*"] on resources: ["*"] — or a stray cluster-admin ClusterRoleBinding — hands a subject the entire cluster. Never use wildcards in workload RBAC, audit who holds cluster-admin, and replace broad grants with roles scoped to the exact resources and verbs needed.