Understanding High‑Risk Kubernetes RBAC Permissions and a Graph‑Based Risk Identification System
This article examines how misconfigured Kubernetes RBAC permissions can lead to privilege escalation across clusters, presents a graph‑based model to represent users, roles, and authorities, and provides code examples and Cypher queries for detecting and visualizing high‑risk permission paths.
Kubernetes has become essential in production, bringing security concerns especially around RBAC permission configurations that can lead to privilege escalation.
Risk analysis shows that unlike isolated virtual machines, a compromised node can affect multiple services due to shared resources and misconfigured roles created via direct API calls, dashboards, or other components.
The article enumerates common high‑risk RBAC patterns such as overly permissive role creation, temporary high‑privilege troubleshooting, and missing revocation, and demonstrates how existing container security tools often only list API data without visualizing risks.
To visualize risks, a graph‑based model is proposed where vertices represent Users, Groups, Roles, Authorities, Nodes, Namespaces, etc., and edges describe relationships like ActTo, MemberOf, HoldAuthority, BindTo, and others that capture permission flows.
Examples of high‑risk permissions are shown with corresponding YAML snippets:
apiVersion: v1
kind: ServiceAccount
metadata:
name: create-pod-account
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: create-pod-clusterrole
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: create-pod-rolebinding
namespace: default
subjects:
- kind: ServiceAccount
name: create-pod-account
namespace: default
roleRef:
kind: ClusterRole
name: create-pod-clusterrole
apiGroup: rbac.authorization.k8s.iokind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: impersonator
rules:
- apiGroups: [""]
resources: ["users"]
verbs: ["impersonate"]
resourceNames: ["app-fe-user"]kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: role-escalate
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles"]
verbs: ["create", "escalate"]kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csr-approver
rules:
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests"]
verbs: ["create", "get"]
- apiGroups: ["certificates.k8s.io"]
resources: ["signers"]
verbs: ["approve"]apiVersion: v1
kind: Pod
metadata:
name: mount-etc
namespace: default
spec:
containers:
- name: nginx
imagePullPolicy: Always
image: nginx
volumeMounts:
- mountPath: /data
name: etc-mount
volumes:
- name: etc-mount
hostPath:
path: /etcSample Cypher queries illustrate how to find the shortest privilege‑escalation path, role‑to‑user mappings, and roles containing escalation‑capable permissions.
The system can feed identified risky permissions into SOAR platforms for alerting and help security operations monitor high‑privilege account activity and improve container cluster governance.
Beike Product & Technology
As Beike's official product and technology account, we are committed to building a platform for sharing Beike's product and technology insights, targeting internet/O2O developers and product professionals. We share high-quality original articles, tech salon events, and recruitment information weekly. Welcome to follow us.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.