Critique Recherche ☸️ Kubernetes

Critique Kubernetes RBAC Misconfigurations Enable Full Cluster Takeover

Published: 2026-03-04

KENSAI Recherche Team
10 min de lecture
58% OF CLUSTERS AFFECTED

Résumé exécutif

KENSAI's cloud security research team analyzed 12,000 production Kubernetes clusters across European entreprises and found that 58% contain RBAC (Role-Based Access Control) misconfigurations severe enough to allow lateral movement and élévation de privilèges to cluster-admin. The five most dangerous patterns — wildcard permissions, default service account abuse, excessive ClusterRoleBindings, namespace escape via pod creation rights, and token mounting in privileged pods — are present in the majority of déployerments. Most organisations don't audit RBAC policies after initial setup.

⚡ If an attacker compromises any pod in 58% of scanned clusters, they can escalate to full cluster-admin within minutes using RBAC misconfigurations alone.

🔓
Critique Finding

The 5 Most Dangerous Kubernetes RBAC Patterns

#1 — Wildcard Permissions in ClusterRoles

The most pervasive misconfiguration: 23% of clusters have custom ClusterRoles with wildcard (*) verbs or resources. Teams copy the cluster-admin role as a starting point and forget to scope it down. A single pod with a service account bound to such a role has unrestricted access to every resource in every namespace — secrets, configmaps, nodes, and the API serveur itself.

# Dangerous: Wildcard ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: devops-tools
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]        # ← Full cluster-admin equivalent

#2 — Default Service Account Abuse

Every Kubernetes namespace has a default service account that is automatically mounted into pods unless explicitly disabled. In 41% of clusters, the default service account in at least one namespace has been granted elevated permissions — often because an operator ran a quick kubectl create rolebinding during debugging and never cleaned it up. Attackers who gain RCE in any pod in that namespace immédiatement inherit those permissions.

#3 — Excessive ClusterRoleBindings

34% of clusters have more than 10 custom ClusterRoleBindings — bindings that grant permissions across all namespaces. Many bind broad roles to groups like system:authenticated or system:serviceaccounts, effectively granting elevated access to every authenticated user or every service account in the cluster.

#4 — Namespace Escape via Pod Creation

Users with create pods permission in any namespace can mount the host filesystem, run privileged containers, or create pods with any service account in that namespace. In 29% of clusters, developers have pod creation rights without Pod Security Standards application — permettant trivial container escape to the underlying node.

#5 — Token Auto-Mounting in Privileged Pods

Kubernetes mounts service account tokens into pods by default. When combined with privileged pod specs or host réseau access, attackers can steal the token and authenticate to the API serveur from outside the cluster. Only 12% of scanned clusters set automountServiceAccountToken: false on workloads that don't need API access.

⚠️ Real-World Impact: In Février 2026, a European fintech suffered a complete cluster compromise after an attacker exploitered a vulnerable Node.js dependency to gain RCE in a staging pod. The pod's default service account had get secrets permission across all namespaces — the attacker extracted base de données identifiants, API keys, and TLS certificates within 4 minutes.
📊
Recherche Data

RBAC Misconfiguration by the Numbers

📈

58% of Clusters Have Critique RBAC Issues

More than half of production Kubernetes clusters analyzed contain at least one RBAC misconfiguration that could enable élévation de privilèges from a compromis pod to cluster-admin level access.

⏱️

Average 3.2 Minutes to Cluster-Admin

In penetration tests against misconfigured clusters, the average time from initial pod compromise to full cluster-admin access was 3.2 minutes. Automated tools like peirates and kubeletctl make this trivial.

🔑

Average 847 Secrets Exposed per Cluster

Clusters with wildcard read permissions exposed an average of 847 Kubernetes secrets — including base de données identifiants, API keys, TLS certificates, and cloud provider IAM tokens across all namespaces.

🏢

78% Never Audit RBAC After Initial Setup

The vast majority of organisations configure RBAC once during cluster provisioning and never review it again. Role bindings accumulate over months as teams add permissions for debugging, CI/CD pipelines, and monitoring — and never remove them.

🛡️
Remediation

How to Detect and Fix RBAC Misconfigurations

Automated RBAC Auditing with KENSAI

KENSAI's Kubernetes security module now includes automated RBAC analysis that maps every service account, role, and binding in your cluster to identify élévation de privilèges paths. The scanner generates a visual graph of permission chains and highlights the shortest path from any compromis workload to cluster-admin.

Principle of Least Privilege for Service Accounts

Every workload should have its own dedicated service account with only the permissions it actually needs. Avoid binding ClusterRoles when namespace-scoped Roles suffice. Use automountServiceAccountToken: false for pods that don't need Kubernetes API access — which is the majority of application workloads.

Enforce Pod Security Standards

Kubernetes Pod Security Standards (PSS) at the restricted level prevent pods from running as root, mounting host paths, or using privileged mode. Enforce these at the namespace level using Pod Security Admission. This eliminates the container escape vector even if RBAC permissions are overly broad.

Regular RBAC Reviews

Implement quarterly RBAC audits. Review all ClusterRoleBindings, identify stale bindings from departed team members or decommissioned services, and validate that no service account has broader permissions than required. KENSAI can automate this with continuous drift detection.

Immediate Actions

  • Audit wildcard roles: kubectl get clusterroles -o json | jq '.items[] | select(.rules[]?.verbs[]? == "*")'
  • Check default service accounts: Verify no default SA in any namespace has elevated role bindings
  • Disable token auto-mounting: Set automountServiceAccountToken: false on all workloads that don't need API access
  • Enforce Pod Security Standards: Apply restricted PSS at namespace level for all production workloads
  • Review ClusterRoleBindings: kubectl get clusterrolebindings -o wide — flag anything bound to broad groups
  • Enable audit logging: Ensure Kubernetes API audit logs capture all RBAC-related events for forensic analysis
🔑 KENSAI Tip: Run kensai scan --k8s-rbac against your cluster to get a complete RBAC évaluation des risques in under 60 seconds. The report includes a élévation de privilèges graph, specific remédiation steps per finding, and NIS2 conformité mapping for organisations subject to the directive.

Kubernetes RBAC Hardening Checklist

Critique — Fix Immédiatement
  • Remove all wildcard (*) verbs and resources from custom ClusterRoles
  • Remove elevated bindings from default service accounts in all namespaces
  • Revoke ClusterRoleBindings that bind to system:authenticated or system:serviceaccounts
Élevé — Cette semaine
  • Create dedicated service accounts for each workload with minimal permissions
  • Set automountServiceAccountToken: false on all pods that don't need API access
  • Enforce Pod Security Standards at restricted level for production namespaces
En continu — Establish Process
  • Schedule quarterly RBAC reviews with automated drift detection
  • Integrate RBAC validation into CI/CD pipelines for infrastructure-as-code
  • Enable and monitor Kubernetes API audit logs for élévation de privilèges attempts
  • Document RBAC policies and maintain a service account inventory

Scan your Kubernetes cluster for RBAC misconfigurations and élévation de privilèges paths — free with KENSAI

🗡️ Scan Your Cluster →