catalog logoThe IAM Privilege Catalog

services / Google Cloud / Kubernetes Engine Roles

A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace.

Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.

container.​roles.​bind

Allows escalating the current or other users' permissions by binding a Role to them. Also requires the `container.roleBindings.create` or `container.roleBindings.update` permission.

Risks

  1. Privilege escalation (CRITICAL)
  2. Lateral movement (BOOST)

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​kubernetes.​io/​docs/​reference/​access-​authn-​authz/​rbac/​#​restrictions-​on-​role-​binding-​creation-​or-​update

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog