Security Research, 2021
Leveraging Kubernetes RBAC to Backdoor Clusters
By Assaf Morag
This research shows how attackers abuse Kubernetes RBAC (Role-Based Access Control) misconfigurations to establish persistent backdoors and keep unauthorized access to clusters. RBAC misconfigurations are among the most common security weaknesses in Kubernetes deployments.
By abusing overly permissive roles, or by creating new service accounts and binding them to elevated privileges, attackers retain access to a cluster even after the initial compromise vector is closed: a ServiceAccount plus a ClusterRoleBinding is a cluster-level object that survives pod restarts and image fixes, and the account's token remains valid until someone deletes the binding or the account itself.
Common RBAC Misconfigurations
- Overly permissive ClusterRoles and Roles (wildcard verbs or resources, or write access to RBAC objects, which is itself a privilege-escalation path)
- Service accounts with more privileges than their workload needs, including bindings to cluster-admin
- Missing namespace restrictions: cluster-scoped ClusterRoleBindings used where a namespace-scoped RoleBinding would suffice
- Weak authentication and authorization controls, such as anonymous access or service-account tokens that are never rotated
Attack Techniques
Attackers who gain enough RBAC permission (for example, create on clusterrolebindings or update on an existing role) use it to create a new service account and bind it to cluster-admin, to add rules to an existing Role or ClusterRole so that a subject they control gains extra permissions, or to reuse the token of a legitimate, already over-privileged service account so that their activity blends in with normal workload traffic. Because each of these is a standard RBAC object rather than a running process, the persistence is easy to miss unless ClusterRoleBindings and ClusterRoles are audited regularly.
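The following is an added example, not code from the original research or from any Kubernetes tooling: an offline audit over a constructed RBAC snapshot shaped like `kubectl get ... -o json` output. It covers both the misconfigurations listed above (wildcard rules, write access to RBAC objects, service accounts bound cluster-wide to cluster-admin) and the backdoor technique just described. The object names (`sync-agent`, `helper-role`, `rbac-editor`, `metrics-reader`) are invented for illustration; the only real names are the built-in `cluster-admin` ClusterRole and the `system:masters` group.

```python
"""Audit a Kubernetes RBAC snapshot for overly permissive roles and for
service accounts bound cluster-wide to such roles (the backdoor pattern).

Added example, not part of the original research. The SNAPSHOT below is a
constructed, in-memory stand-in for `kubectl get clusterroles,
clusterrolebindings -o json`; no cluster is contacted.
"""
from typing import Dict, FrozenSet, List

WILDCARD = "*"
# Resources whose modification lets a subject grant itself more RBAC.
ESCALATION_RESOURCES = {"clusterroles", "clusterrolebindings", "roles", "rolebindings"}
RBAC_WRITE_VERBS = {"create", "update", "patch", "bind", "escalate"}

# Constructed snapshot. "sync-agent" plays the role of a service account an
# attacker created in kube-system and bound to cluster-admin as a backdoor.
SNAPSHOT: Dict[str, List[dict]] = {
    "clusterroles": [
        {"metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                   {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
        {"metadata": {"name": "metrics-reader"},
         "rules": [{"apiGroups": [""], "resources": ["pods", "nodes"],
                    "verbs": ["get", "list"]}]},
        {"metadata": {"name": "helper-role"},  # wildcard verbs on secrets
         "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
        {"metadata": {"name": "rbac-editor"},  # can mint new ClusterRoleBindings
         "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
                    "resources": ["clusterrolebindings"], "verbs": ["create"]}]},
    ],
    "clusterrolebindings": [
        {"metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"metadata": {"name": "sync-agent-admin"},  # the backdoor binding
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "sync-agent",
                       "namespace": "kube-system"}]},
        {"metadata": {"name": "metrics"},
         "roleRef": {"kind": "ClusterRole", "name": "metrics-reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "metrics",
                       "namespace": "monitoring"}]},
    ],
}


def _covers(granted: set, wanted: set) -> bool:
    """True if a rule's verb/resource set covers any of `wanted` (wildcard counts)."""
    return WILDCARD in granted or bool(granted & wanted)


def overly_permissive_rules(role: dict) -> List[str]:
    """Return the reasons a Role/ClusterRole is overly permissive; [] if it is fine."""
    reasons: List[str] = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        if "resources" not in rule:  # nonResourceURLs rule (e.g. /healthz, /metrics)
            if WILDCARD in verbs:
                reasons.append("wildcard verbs on non-resource URLs")
            continue
        resources = set(rule["resources"])
        if WILDCARD in verbs and WILDCARD in resources:
            reasons.append("wildcard verbs on wildcard resources")
        elif WILDCARD in verbs:
            reasons.append(f"wildcard verbs on {sorted(resources)}")
        elif WILDCARD in resources:
            reasons.append(f"wildcard resources for verbs {sorted(verbs)}")
        if _covers(resources, ESCALATION_RESOURCES) and _covers(verbs, RBAC_WRITE_VERBS):
            reasons.append("can create or modify RBAC objects (privilege-escalation path)")
    return reasons


def admin_bound_service_accounts(snapshot: Dict[str, List[dict]],
                                 allowlist: FrozenSet[str] = frozenset()) -> List[str]:
    """List ServiceAccounts bound cluster-wide to an overly permissive ClusterRole.

    `allowlist` holds "namespace/name" entries that are known and accepted, so
    the remaining findings are the ones worth treating as potential backdoors.
    """
    risky_roles = {r["metadata"]["name"]
                   for r in snapshot["clusterroles"] if overly_permissive_rules(r)}
    findings: List[str] = []
    for crb in snapshot["clusterrolebindings"]:
        ref = crb["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in risky_roles:
            continue
        for subject in crb.get("subjects", []):
            if subject.get("kind") != "ServiceAccount":
                continue
            sa = f"{subject.get('namespace')}/{subject['name']}"
            if sa not in allowlist:
                findings.append(
                    f"{sa} via ClusterRoleBinding {crb['metadata']['name']} -> {ref['name']}")
    return findings


if __name__ == "__main__":
    for role in SNAPSHOT["clusterroles"]:
        for reason in overly_permissive_rules(role):
            print(f"[role] {role['metadata']['name']}: {reason}")
    for finding in admin_bound_service_accounts(SNAPSHOT):
        print(f"[binding] {finding}")
```

Running it flags `helper-role` and `rbac-editor` as well as the built-in `cluster-admin`, and reports the `kube-system/sync-agent` binding as the one service account holding cluster-admin. Against a real cluster the same functions work on the parsed output of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`; populating `allowlist` with the bindings you expect to see (your CI deployer, your operator) is what turns a noisy list into a usable detection, and an unexpected entry is exactly the artifact the backdoor technique leaves behind.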