Kubernetes RBAC Misconfiguration
What is Kubernetes RBAC Misconfiguration?
Kubernetes RBAC MisconfigurationOver-permissive Kubernetes Role/ClusterRole bindings that grant workloads, users, or service accounts cluster-wide powers — verbs on Secrets, pods/exec, impersonate — turning a single compromised container into cluster takeover.
Kubernetes RBAC misconfiguration is consistently in the top three findings of every cluster audit. The common patterns are: binding workloads to cluster-admin or to ClusterRoles with verbs `*` on resources `*`; granting `get`, `list`, or `watch` on `secrets` cluster-wide (which lets a pod read every secret in the cluster); allowing `pods/exec` (which lets the holder shell into any pod, including the API server's static pods on misconfigured clusters); allowing `impersonate` on users, groups, or serviceaccounts (which is full account takeover); and binding the default service account in `kube-system` to admin. The blast radius pattern is consistent: a compromised front-door container with one of these bindings allows an attacker to dump all Secrets (including service-account tokens), exec into other pods, modify webhooks, or impersonate the admin group. Mitigations include automated linting (kubescape, kube-bench, Polaris, Datree), admission policies (Kyverno, OPA Gatekeeper) that reject overpermissive bindings, periodic generation of a least-privilege Role from runtime audit logs (rakkess, audit2rbac), and rolling out Pod Identity / Workload Identity rather than cluster-wide tokens.
● Examples
- 01
A monitoring sidecar is bound to a ClusterRole granting `get` on `secrets` cluster-wide; a compromise of the sidecar lets the attacker dump every Secret in every namespace.
- 02
An admission policy rejects any RoleBinding that references the `cluster-admin` ClusterRole outside of the `kube-system` namespace.
● Frequently asked questions
What is Kubernetes RBAC Misconfiguration?
Over-permissive Kubernetes Role/ClusterRole bindings that grant workloads, users, or service accounts cluster-wide powers — verbs on Secrets, pods/exec, impersonate — turning a single compromised container into cluster takeover. It belongs to the Cloud Security category of cybersecurity.
What does Kubernetes RBAC Misconfiguration mean?
Over-permissive Kubernetes Role/ClusterRole bindings that grant workloads, users, or service accounts cluster-wide powers — verbs on Secrets, pods/exec, impersonate — turning a single compromised container into cluster takeover.
How does Kubernetes RBAC Misconfiguration work?
Kubernetes RBAC misconfiguration is consistently in the top three findings of every cluster audit. The common patterns are: binding workloads to cluster-admin or to ClusterRoles with verbs `*` on resources `*`; granting `get`, `list`, or `watch` on `secrets` cluster-wide (which lets a pod read every secret in the cluster); allowing `pods/exec` (which lets the holder shell into any pod, including the API server's static pods on misconfigured clusters); allowing `impersonate` on users, groups, or serviceaccounts (which is full account takeover); and binding the default service account in `kube-system` to admin. The blast radius pattern is consistent: a compromised front-door container with one of these bindings allows an attacker to dump all Secrets (including service-account tokens), exec into other pods, modify webhooks, or impersonate the admin group. Mitigations include automated linting (kubescape, kube-bench, Polaris, Datree), admission policies (Kyverno, OPA Gatekeeper) that reject overpermissive bindings, periodic generation of a least-privilege Role from runtime audit logs (rakkess, audit2rbac), and rolling out Pod Identity / Workload Identity rather than cluster-wide tokens.
How do you defend against Kubernetes RBAC Misconfiguration?
Defences for Kubernetes RBAC Misconfiguration typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Kubernetes RBAC Misconfiguration?
Common alternative names include: K8s RBAC misuse, Overprivileged ServiceAccount.
● Related terms
- cloud-security№ 671
Kubernetes Security
The protection of a Kubernetes cluster — its API server, control plane, nodes, workloads, and network — from misconfiguration, compromise, and lateral movement.
- cloud-security№ 668
Kubernetes Cluster Attack
An intrusion against a Kubernetes (K8s) cluster that abuses exposed APIs, weak RBAC, or vulnerable workloads to gain control of the control plane or worker nodes.
- identity-access№ 955
Principle of Least Privilege
A security principle that grants every user, process, or service only the minimum privileges strictly required to perform its function — no more.
- cloud-security№ 1124
Service Account Token
A JWT credential mounted into a Kubernetes pod that authenticates the workload to the API server and to other services trusting the cluster's identity provider.
- cloud-security№ 849
OPA Gatekeeper
OPA Gatekeeper is a CNCF policy controller that uses Open Policy Agent and the Rego language to enforce admission and audit policies on Kubernetes resources.
- cloud-security№ 673
Kyverno
Kyverno is a CNCF Kubernetes policy engine that validates, mutates, and generates resources using policies written as native Kubernetes YAML rather than a new DSL.