RBAC Roles with Impersonate Permission
- Query id: 9f85c3f6-26fd-4007-938a-2e0cb0100980
- Query name: RBAC Roles with Impersonate Permission
- Platform: Kubernetes
- Severity: Medium
- Category: Access Control
- CWE: 732
- URL: Github
Description
Roles or ClusterRoles with the verb 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. If such a subject is compromised, an attacker can abuse this sudo-like capability to escalate privileges.
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator-role
  namespace: default  # ignored by the API server: ClusterRole is cluster-scoped
rules:
  - apiGroups: [""]
    resources: ["users", "groups", "serviceaccounts"]
    verbs: ["impersonate"]  # flagged: lets the subject act as any user, group or SA
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rbac-impersonate-binding
subjects:
  - kind: ServiceAccount
    name: impersonator-sa
    namespace: default
    apiGroup: ""  # core group is correct for ServiceAccount subjects
roleRef:
  kind: ClusterRole
  name: impersonator-role
  apiGroup: rbac.authorization.k8s.io  # must be this value; "" fails validation
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator-role-neg
  namespace: default  # ignored by the API server: ClusterRole is cluster-scoped
rules:
  - apiGroups: [""]
    resources: ["users", "groups", "serviceaccounts"]
    verbs: ["get"]  # read-only; no impersonate verb, so the query does not fire
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rbac-impersonate-binding
subjects:
  - kind: ServiceAccount
    name: impersonator-sa-neg
    namespace: default
    apiGroup: ""  # core group is correct for ServiceAccount subjects
roleRef:
  kind: ClusterRole
  name: impersonator-role-neg
  apiGroup: rbac.authorization.k8s.io  # must be this value; "" fails validation
```
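As an added example (not part of this page or of the KICS query itself), the check below walks parsed Kubernetes objects, flags Role/ClusterRole rules that grant impersonation, and resolves which bound subjects hold them. It generalises the page's rule to wildcard verbs, apiGroups and resources, and to the `uids` and `userextras/<key>` resources that are also impersonable; the sample data is constructed to mirror the manifests above.

```python
# Added example (not KICS's own Rego query): flag Roles/ClusterRoles whose rules
# grant "impersonate" and list the subjects bound to them. Input is the parsed
# item list from e.g. `kubectl get clusterroles,clusterrolebindings -o json`.
IMPERSONATE_KINDS = {"users", "groups", "serviceaccounts", "uids", "userextras"}

def impersonate_rules(role):
    """Return the rules of a Role/ClusterRole that allow impersonation.
    Wildcard verbs ('*'), wildcard apiGroups and wildcard resources count too."""
    hits = []
    for rule in role.get("rules") or []:
        verbs = set(rule.get("verbs") or [])
        if not verbs & {"impersonate", "*"}:
            continue
        groups = set(rule.get("apiGroups") or [])
        # Impersonable resources live in the core ("") group; "userextras/<key>" matches on its first segment.
        resources = {r.split("/")[0] for r in rule.get("resources") or []}
        if groups & {"", "*"} and resources & (IMPERSONATE_KINDS | {"*"}):
            hits.append(rule)
    return hits

def find_impersonators(items):
    """Map impersonation-capable roles to the subjects that hold them."""
    risky = {(o["kind"], o["metadata"]["name"]) for o in items
             if o.get("kind") in ("Role", "ClusterRole") and impersonate_rules(o)}
    findings = []
    for o in items:
        if o.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = o["roleRef"]
        if (ref["kind"], ref["name"]) in risky:
            for s in o.get("subjects") or []:
                findings.append((o["metadata"]["name"], ref["name"],
                                 s["kind"], s.get("namespace", ""), s["name"]))
    return findings

# Constructed sample mirroring the page's positive and negative manifests.
SAMPLE = [
    {"kind": "ClusterRole", "metadata": {"name": "impersonator-role"},
     "rules": [{"apiGroups": [""], "resources": ["users", "groups", "serviceaccounts"],
                "verbs": ["impersonate"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "rbac-impersonate-binding"},
     "subjects": [{"kind": "ServiceAccount", "name": "impersonator-sa", "namespace": "default"}],
     "roleRef": {"kind": "ClusterRole", "name": "impersonator-role"}},
    {"kind": "ClusterRole", "metadata": {"name": "impersonator-role-neg"},
     "rules": [{"apiGroups": [""], "resources": ["users"], "verbs": ["get"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "rbac-impersonate-binding-neg"},
     "subjects": [{"kind": "ServiceAccount", "name": "impersonator-sa-neg", "namespace": "default"}],
     "roleRef": {"kind": "ClusterRole", "name": "impersonator-role-neg"}},
]
```

Running `find_impersonators(SAMPLE)` reports only the positive binding, attributing the impersonate right to `ServiceAccount default/impersonator-sa`; a cluster-admin style rule with `verbs: ["*"]` is reported as well, which a literal match on the string `impersonate` would miss.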