Kubernetes: Configure privilege escalation using the escalate and bind verbs

kubernetes escalate bind Role ClusterRole

2 min read | by Jordi Prats

The RBAC API prevents privilege escalation at the API level when creating or updating ClusterRole, ClusterRoleBinding, Role and RoleBinding objects: a caller cannot hand out permissions it does not hold itself. However, we can explicitly allow a given user to do so by granting the escalate and bind verbs.

There are two different paths to privilege escalation through RBAC objects, and each one is gated by its own verb:

  • Patch an existing Role that we already have to add additional privileges.
  • Bind an additional Role to our user or ServiceAccount to gain privileges.

Role or ClusterRole

The RBAC API will only allow a user to create or update a Role (or ClusterRole) if that user already holds every permission the role's rules would grant, or if the user has been explicitly granted the escalate verb on the roles (or clusterroles) resource:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: privilege-escalation
rules:
- apiGroups:
  - "rbac.authorization.k8s.io"
  resources:
  - clusterroles
  - roles
  verbs:
  - escalate

RoleBinding or ClusterRoleBinding

RoleBinding and ClusterRoleBinding work in a similar way: the RBAC API will only allow a user to create or update a RoleBinding (or ClusterRoleBinding) if that user already holds every permission contained in the referenced role, or if the user has been explicitly granted the bind verb on the referenced Role or ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: privilege-escalation
rules:
- apiGroups:
  - "rbac.authorization.k8s.io"
  resources:
  - clusterroles
  - roles
  verbs:
  - bind

Allow privilege escalation for Role and ClusterRole

To sum it up, to let an RBAC user create Roles and RoleBindings for other users that carry permissions we do not want (or need) to grant to the calling user itself, we grant that user the escalate and bind verbs, using a ClusterRole or a Role depending on the scope we want to allow. Both verbs should be treated as highly privileged: a user with escalate who can also update a Role already bound to them can give themselves any permission in that role's scope, so in practice the grant should be restricted with resourceNames to the specific roles the user is meant to manage:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: privilege-escalation
rules:
- apiGroups:
  - "rbac.authorization.k8s.io"
  resources:
  - clusterroles
  - roles
  verbs:
  - escalate
  - bind
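The following manifests are an added example and are not part of the original post. They put the escalate and bind sections above together into one scoped grant: a ServiceAccount that may bind one named Role to others, and add rules to that same Role, without holding those permissions itself. The namespace and object names (team-a, deployer, app-reader, rbac-delegator) are assumed for illustration.

```yaml
# Added example (not from the original post). Names are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deployer
  namespace: team-a
---
# The Role the deployer is allowed to hand out and extend. Its rules may
# exceed what the deployer itself is allowed to do.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-reader
  namespace: team-a
rules:
- apiGroups: [""]
  resources: ["pods", "configmaps", "secrets"]
  verbs: ["get", "list", "watch"]
---
# What the deployer may do with RBAC objects in team-a:
#  - ordinary verbs on roles/rolebindings, needed to write the objects at all;
#  - escalate on roles/app-reader: write rules into app-reader that the
#    deployer does not hold itself (applies to update/patch of that Role;
#    resourceNames cannot match a create request, since the name is not in
#    the request URL);
#  - bind on roles/app-reader: reference app-reader from a RoleBinding even
#    though the deployer does not hold app-reader's permissions.
# Dropping resourceNames would let the deployer grant or extend any Role in
# the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rbac-delegator
  namespace: team-a
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
  verbs: ["get", "list", "create", "update", "patch"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles"]
  resourceNames: ["app-reader"]
  verbs: ["escalate", "bind"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer-rbac-delegator
  namespace: team-a
subjects:
- kind: ServiceAccount
  name: deployer
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rbac-delegator
```

After applying the manifests, the grant can be checked without creating anything by impersonating the ServiceAccount: kubectl auth can-i bind roles/app-reader --namespace team-a --as system:serviceaccount:team-a:deployer should answer yes, while the same query against another Role name (or against clusterroles) should answer no. The bind check is evaluated against the roleRef of the binding being written and in the namespace of that binding, so a namespaced grant of bind on clusterroles with resourceNames would allow referencing that ClusterRole from RoleBindings in the namespace only, not from ClusterRoleBindings.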

Posted on 15/11/2022