catalog logoThe IAM Privilege Catalog

services / Google Cloud / ClusterRoles

A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster.

ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.

container.​clusterRoles.​escalate

Allows escalating the current or other users' permissions by creating a new ClusterRole or updating an existing ClusterRole. Also requires the `clusterRoles.create` or `clusterRoles.update` permission.

Risks

  1. Privilege escalation (CRITICAL)
  2. Lateral movement (BOOST)

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​kubernetes.​io/​docs/​reference/​access-​authn-​authz/​rbac/​#​restrictions-​on-​role-​creation-​or-​update

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog