catalog logoThe IAM Privilege Catalog

services / Google Cloud / Kubernetes Engine Namespaces

Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace.

container.​namespaces.​delete

Deleting a namespace also deletes all other Kubernetes resources inside it.

Risks

  1. Data destruction (CRITICAL)
  2. Policy destruction (CRITICAL)
  3. Infrastructure destruction (HIGH)
  4. Network destruction (HIGH)
  5. Logs destruction (EVASION)

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​kubernetes.​io/​docs/​concepts/​overview/​working-​with-​objects/​namespaces/​

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog