| Description | Category |
| --- | --- |
| Bind cluster roles to users, groups, or service accounts | Privilege Escalation |
| Bind roles to users, groups, or service accounts | Privilege Escalation |
| Create CronJobs | Container Escape, Lateral Movement |
| Create DaemonSets | Container Escape, Lateral Movement |
| Create Deployments | Container Escape, Lateral Movement |
| Create Jobs | Container Escape, Lateral Movement |
| Create admission webhook configurations that mutate resource requests before they are persisted | Privilege Escalation |
| Make CREATE requests to the kubelet API as system:masters | Lateral Movement |
| Evict a pod from a node | Lateral Movement |
| Create exec sessions in running pods | Lateral Movement, Denial of Service |
| Create new pods | Container Escape, Lateral Movement |
| Create ReplicaSets | Container Escape, Lateral Movement |
| Create an authentication token for a service account | Privilege Escalation |
| Create StatefulSets | Container Escape, Lateral Movement |
| Create admission webhook configurations that validate resource requests before they are persisted | Denial of Service, Information Disclosure, Persistence |
| Delete admission webhook configurations that mutate resource requests before they are persisted | Privilege Escalation, Container Escape, Lateral Movement |
| Delete a node | Lateral Movement |
| Delete a pod | Lateral Movement |
| Delete specific secrets in Kubernetes | Denial of Service |
| Delete admission webhook configurations that validate resource requests before they are persisted | |
| Escalate permissions on Kubernetes cluster roles | Privilege Escalation |
| Escalate permissions on Kubernetes roles | Privilege Escalation |
| Make GET requests to the kubelet API as system:masters | Information Disclosure |
| View specific secrets in Kubernetes | Information Disclosure |
| Impersonate privileged groups like system:masters | Privilege Escalation |
| Impersonate service accounts in Kubernetes | Privilege Escalation |
| Impersonate other users in the Kubernetes cluster | Privilege Escalation |
| List all secrets in Kubernetes namespaces | Information Disclosure |
| Patch configmaps | Privilege Escalation |
| Patch existing CronJobs | Container Escape, Lateral Movement |
| Patch existing DaemonSets | Container Escape, Lateral Movement |
| Patch existing Deployments | Container Escape, Lateral Movement |
| Patch existing Jobs | Container Escape, Lateral Movement |
| Patch admission webhook configurations that mutate resource requests before they are persisted | Privilege Escalation |
| Patch the status of nodes | Lateral Movement |
| Patch nodes | Lateral Movement |
| Patch ephemeral containers in running pods for debugging and code execution | Container Escape, Lateral Movement |
| Modify the status of pods | Information Disclosure, Lateral Movement |
| Modify existing Kubernetes pods | Container Escape, Lateral Movement |
| Patch existing ReplicaSets | Container Escape, Lateral Movement |
| Edit specific secrets in Kubernetes | Denial of Service |
| Patch existing StatefulSets | Container Escape, Lateral Movement |
| Patch admission webhook configurations that validate resource requests before they are persisted | Persistence, Information Disclosure, Denial of Service |
| Update configmaps | Privilege Escalation |
| Update existing CronJobs | Container Escape, Lateral Movement |
| Update existing DaemonSets | Container Escape, Lateral Movement |
| Update existing Deployments | Container Escape, Lateral Movement |
| Update existing Jobs | Container Escape, Lateral Movement |
| Update admission webhook configurations that mutate resource requests before they are persisted | Privilege Escalation |
| Update the status of nodes | Lateral Movement |
| Update nodes | Lateral Movement |
| Update ephemeral containers in running pods for debugging and code execution | Container Escape, Lateral Movement |
| Update the status of pods | Information Disclosure, Lateral Movement |
| Update existing Kubernetes pods | Container Escape, Lateral Movement |
| Update existing ReplicaSets | Container Escape, Lateral Movement |
| Edit specific secrets in Kubernetes | Denial of Service |
| Update existing StatefulSets | Container Escape, Lateral Movement |
| Update admission webhook configurations that validate resource requests before they are persisted | Persistence, Information Disclosure, Denial of Service |
| Monitor changes to secrets | Information Disclosure |