Authorization Bypass Due to Impersonate Permissions on ServiceAccounts or Nodes in Kubernetes

Critical Risk | Infrastructure Security
Tags: kubernetes, rbac, impersonation, privilege-escalation, authorization

What it is

A subject that holds the impersonate verb can act as other users, including admins. An attacker who controls such a subject can bypass authorization and escalate privileges, enabling unauthorized cluster operations and access to sensitive resources.

Why it happens

The impersonate verb is granted on users, groups, or serviceaccounts resources without an understanding of the privilege escalation risk this creates.

Root causes

Overly Broad RBAC Permissions

Granting the impersonate verb on users, groups, or serviceaccounts resources without understanding the privilege escalation risks.

Development Convenience

Allowing impersonation for debugging or testing purposes and forgetting to remove it from production RBAC.

Legacy Role Bindings

Inherited ClusterRoles or Roles from older deployments that included unnecessary impersonation permissions.

Fixes

1. Remove Impersonate Permissions

Audit all ClusterRoles and Roles to remove the 'impersonate' verb from resources like users, groups, and serviceaccounts.

2. Use Scoped Permissions

If impersonation is required, restrict it to specific resource names rather than allowing all users or serviceaccounts.

3. Implement Admission Controls

Use admission controllers or policy engines like OPA/Kyverno to block creation of roles with dangerous permissions.
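
The audit in fix 1 and the scoping check in fix 2 can be run over exported RBAC objects. The following is an added example, not code from this page or from Kubernetes: it assumes input shaped like the output of `kubectl get clusterroles,roles -A -o json`, and the function names, role names and namespace are hypothetical.

```python
IDENTITY_RESOURCES = {"users", "groups", "serviceaccounts"}  # resources the page names
def audit_impersonation(rbac_list):
    """Find Role/ClusterRole rules that grant 'impersonate' on identity resources.
    Returns (kind, name, resources, scope) tuples. scope is 'scoped' when the
    rule is limited by resourceNames and 'unscoped' when it covers any identity.
    """
    findings = []
    for obj in rbac_list.get("items", []):
        if obj.get("kind") not in ("ClusterRole", "Role"):
            continue
        meta = obj.get("metadata", {})
        name = "/".join(p for p in (meta.get("namespace"), meta.get("name")) if p)
        for r in obj.get("rules") or []:
            # A wildcard verb includes impersonate.
            if not {"impersonate", "*"} & set(r.get("verbs") or []):
                continue
            # users, groups and serviceaccounts are matched in the core ("") API group.
            if not {"", "*"} & set(r.get("apiGroups") or []):
                continue
            resources = set(r.get("resources") or [])
            hit = {"*"} if "*" in resources else resources & IDENTITY_RESOURCES
            if hit:
                scope = "scoped" if r.get("resourceNames") else "unscoped"
                findings.append((obj["kind"], name, sorted(hit), scope))
    return findings

def make_rule(groups, resources, verbs, names=None):
    """Build one RBAC PolicyRule dict for the constructed sample below."""
    r = {"apiGroups": groups, "resources": resources, "verbs": verbs}
    if names:
        r["resourceNames"] = names
    return r

# Constructed sample in the shape of `kubectl get clusterroles,roles -A -o json`.
# All role names and the "build" namespace are hypothetical.
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "debug-helper"},
     "rules": [make_rule([""], ["users", "groups", "serviceaccounts"], ["impersonate"])]},
    {"kind": "Role", "metadata": {"name": "ci-deployer", "namespace": "build"},
     "rules": [make_rule([""], ["serviceaccounts"], ["impersonate"], ["deploy-bot"])]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [make_rule([""], ["pods"], ["get", "list"])]},
    {"kind": "ClusterRole", "metadata": {"name": "apps-admin"},
     "rules": [make_rule(["apps"], ["*"], ["*"])]},
]}

if __name__ == "__main__":
    for finding in audit_impersonation(SAMPLE):
        print(*finding)
```

Findings marked unscoped are candidates for removal; findings marked scoped still deserve a review of whether each name listed in resourceNames is needed.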
