K-RBAC-AUDITDiscovery

K8s RBAC Audit (rakkess / kubectl-who-can)

Enumerate every binding to find can-i secrets, can-i pods/exec, can-i pods/create — finds escalation vectors.

§ Where this technique fits

K-RBAC-AUDIT is catalogued under the Discovery tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

Privileged pod escape → cluster admin
GenericWrite on a Deployment in the kube-system namespace lets you launch a privileged pod; the pod mounts the host filesystem and steals the kubeconfig of cluster-admin.
step 2 / 7

§ What commonly comes next

01
Privileged Container Escape
K-PRIV-CONTAINER · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Privileged pod escape → cluster admin

§ What commonly comes next