Kubernetes RBAC Misconfiguration
Qu'est-ce que Kubernetes RBAC Misconfiguration ?
Kubernetes RBAC MisconfigurationOver-permissive Kubernetes Role/ClusterRole bindings that grant workloads, users, or service accounts cluster-wide powers — verbs on Secrets, pods/exec, impersonate — turning a single compromised container into cluster takeover.
Kubernetes RBAC misconfiguration is consistently in the top three findings of every cluster audit. The common patterns are: binding workloads to cluster-admin or to ClusterRoles with verbs `*` on resources `*`; granting `get`, `list`, or `watch` on `secrets` cluster-wide (which lets a pod read every secret in the cluster); allowing `pods/exec` (which lets the holder shell into any pod, including the API server's static pods on misconfigured clusters); allowing `impersonate` on users, groups, or serviceaccounts (which is full account takeover); and binding the default service account in `kube-system` to admin. The blast radius pattern is consistent: a compromised front-door container with one of these bindings allows an attacker to dump all Secrets (including service-account tokens), exec into other pods, modify webhooks, or impersonate the admin group. Mitigations include automated linting (kubescape, kube-bench, Polaris, Datree), admission policies (Kyverno, OPA Gatekeeper) that reject overpermissive bindings, periodic generation of a least-privilege Role from runtime audit logs (rakkess, audit2rbac), and rolling out Pod Identity / Workload Identity rather than cluster-wide tokens.
● Exemples
- 01
A monitoring sidecar is bound to a ClusterRole granting `get` on `secrets` cluster-wide; a compromise of the sidecar lets the attacker dump every Secret in every namespace.
- 02
An admission policy rejects any RoleBinding that references the `cluster-admin` ClusterRole outside of the `kube-system` namespace.
● Questions fréquentes
Qu'est-ce que Kubernetes RBAC Misconfiguration ?
Over-permissive Kubernetes Role/ClusterRole bindings that grant workloads, users, or service accounts cluster-wide powers — verbs on Secrets, pods/exec, impersonate — turning a single compromised container into cluster takeover. Cette notion relève de la catégorie Sécurité du cloud en cybersécurité.
Que signifie Kubernetes RBAC Misconfiguration ?
Over-permissive Kubernetes Role/ClusterRole bindings that grant workloads, users, or service accounts cluster-wide powers — verbs on Secrets, pods/exec, impersonate — turning a single compromised container into cluster takeover.
Comment fonctionne Kubernetes RBAC Misconfiguration ?
Kubernetes RBAC misconfiguration is consistently in the top three findings of every cluster audit. The common patterns are: binding workloads to cluster-admin or to ClusterRoles with verbs `*` on resources `*`; granting `get`, `list`, or `watch` on `secrets` cluster-wide (which lets a pod read every secret in the cluster); allowing `pods/exec` (which lets the holder shell into any pod, including the API server's static pods on misconfigured clusters); allowing `impersonate` on users, groups, or serviceaccounts (which is full account takeover); and binding the default service account in `kube-system` to admin. The blast radius pattern is consistent: a compromised front-door container with one of these bindings allows an attacker to dump all Secrets (including service-account tokens), exec into other pods, modify webhooks, or impersonate the admin group. Mitigations include automated linting (kubescape, kube-bench, Polaris, Datree), admission policies (Kyverno, OPA Gatekeeper) that reject overpermissive bindings, periodic generation of a least-privilege Role from runtime audit logs (rakkess, audit2rbac), and rolling out Pod Identity / Workload Identity rather than cluster-wide tokens.
Comment se défendre contre Kubernetes RBAC Misconfiguration ?
Les défenses contre Kubernetes RBAC Misconfiguration combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.
Quels sont les autres noms de Kubernetes RBAC Misconfiguration ?
Noms alternatifs courants : K8s RBAC misuse, Overprivileged ServiceAccount.
● Termes liés
- cloud-security№ 671
Sécurité de Kubernetes
Protection d'un cluster Kubernetes — son API server, son plan de contrôle, ses nœuds, ses workloads et son réseau — contre les mauvaises configurations, les compromissions et le mouvement latéral.
- cloud-security№ 668
Attaque de cluster Kubernetes
Intrusion sur un cluster Kubernetes (K8s) exploitant des APIs exposees, un RBAC faible ou des charges vulnerables pour prendre le controle du plan de controle ou des noeuds.
- identity-access№ 955
Principe du moindre privilège
Principe de sécurité accordant à chaque utilisateur, processus ou service uniquement les privilèges strictement nécessaires à sa fonction, et rien de plus.
- cloud-security№ 1124
Token de ServiceAccount (Kubernetes)
Credential JWT monte dans un pod Kubernetes qui authentifie le workload aupres de l'API server et de tout service faisant confiance au fournisseur d'identite du cluster.
- cloud-security№ 849
OPA Gatekeeper
OPA Gatekeeper est un controleur de politiques CNCF qui utilise Open Policy Agent et le langage Rego pour appliquer des politiques d'admission et d'audit dans Kubernetes.
- cloud-security№ 673
Kyverno
Kyverno est un moteur de politiques Kubernetes CNCF qui valide, mute et genere des ressources via des politiques ecrites en YAML natif plutot que dans un nouveau DSL.