Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation that allows you to group and segregate resources such as Pods, Services and Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespace, meaning a Role only grants permissions within that one namespace.


container.namespaces.finalize

Allows updating the list of finalizers on a namespace. Finalizers check that a certain condition is met before a namespace is deleted. They may implement garbage collection, in which case they are responsible for cleaning up all resources inside a namespace when that namespace is deleted, or they may implement a protective measure and prevent deletion of the namespace; for instance, the `kubernetes.io/pvc-protection` finalizer prevents accidental deletion of data. As such, editing or removing finalizers may remove protection measures.
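As a detection aid, here is an added example (not part of the catalog entry or P0 Security's tooling): a Python script that scans Kubernetes API-server audit events for writes to the namespaces/finalize subresource and flags any request whose finalizer list no longer contains a finalizer from a protected set. The event shape follows audit.k8s.io/v1 at the RequestResponse level; the protected set, the usernames and the sample events are constructed assumptions.

```python
import json

# Finalizers that must never be dropped from a namespace. Assumed policy,
# constructed for this example; tune it to the finalizers your cluster relies on.
PROTECTED_FINALIZERS = {"kubernetes", "example.com/backup-protection"}

def finalizers_of(obj):
    """Union of spec.finalizers (what the finalize subresource updates) and
    metadata.finalizers of a Namespace object; empty set if no object was logged."""
    if not obj:
        return set()
    spec = obj.get("spec", {}).get("finalizers") or []
    meta = obj.get("metadata", {}).get("finalizers") or []
    return set(spec) | set(meta)

def dropped_protected_finalizers(event):
    """Protected finalizers missing from a namespaces/finalize write request.
    Events for other resources, subresources or read verbs yield an empty set."""
    ref = event.get("objectRef", {})
    if ref.get("resource") != "namespaces" or ref.get("subresource") != "finalize":
        return set()
    if event.get("verb") not in ("update", "patch"):
        return set()
    return PROTECTED_FINALIZERS - finalizers_of(event.get("requestObject"))

def scan_audit_log(lines):
    """Return (namespace, username, sorted dropped finalizers) per suspicious event."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        dropped = dropped_protected_finalizers(ev)
        if dropped:
            user = ev.get("user", {}).get("username", "<unknown>")
            findings.append((ev["objectRef"]["name"], user, sorted(dropped)))
    return findings

# Constructed sample audit events: a benign finalize write, one that strips every
# protected finalizer, and an unrelated read.
SAMPLE_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"update","user":{"username":"alice@example.com"},"objectRef":{"resource":"namespaces","name":"prod","subresource":"finalize","apiVersion":"v1"},"requestObject":{"kind":"Namespace","metadata":{"name":"prod","finalizers":["example.com/backup-protection"]},"spec":{"finalizers":["kubernetes"]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"update","user":{"username":"ci-bot"},"objectRef":{"resource":"namespaces","name":"prod","subresource":"finalize","apiVersion":"v1"},"requestObject":{"kind":"Namespace","metadata":{"name":"prod"},"spec":{"finalizers":[]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"bob"},"objectRef":{"resource":"namespaces","name":"prod","apiVersion":"v1"}}
"""

if __name__ == "__main__":
    for ns, user, dropped in scan_audit_log(SAMPLE_LOG.splitlines()):
        print(f"namespace={ns} user={user} dropped_protected_finalizers={dropped}")
```

Pair this with an alert on the GKE-side permission itself: any principal exercising container.namespaces.finalize outside a known controller or break-glass account is worth a look.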

Risks

Scope: LOW

This privilege allows access to data that are not meant to be public, but are otherwise not sensitive.

Links

  • https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
  • https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog