
IDENTITY_IMPERSONATE

With a user impersonation privilege an attacker can impersonate a more privileged account.

| Source | Destination | MITRE |
| --- | --- | --- |
| PermissionSet | Identity | Valid Accounts, T1078 |

Details

Obtaining the impersonate users/groups permission allows an attacker to execute K8s API actions on behalf of another user, including users with cluster-admin rights and other highly privileged users.

Prerequisites

Ability to interrogate the K8s API with a role allowing impersonate access to users and/or groups.

See the example pod spec.

Checks

Simply ask kubectl:

kubectl auth can-i impersonate users
kubectl auth can-i impersonate groups

Exploitation

Execute any action in the K8s API while impersonating a privileged group (e.g. system:masters) or user, using the syntax:

$ kubectl <verb> <noun> --as=null --as-group=system:masters -o json | jq

Defences

Monitoring

  • Monitoring the follow-on activity from user impersonation may be a more fruitful endeavour.

Implement least privilege access

Impersonating users is a very powerful privilege and should not be required by the majority of users. Use an automated tool such as KubeHound to search for any risky permissions and users in the cluster and look to eliminate them.
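For a quick manual audit of the same permission, the sketch below is an added example (not KubeHound's own code) that lists every subject bound to a ClusterRole granting `impersonate` on users or groups. It is narrowed to cluster-wide grants (ClusterRole via ClusterRoleBinding) because users and groups are not namespaced resources; the function names and the sample roles, bindings and subjects are constructed for illustration.

```python
import json, sys

def grants_impersonation(rule):
    """True if an RBAC rule allows the impersonate verb on users and/or groups."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    api_groups = set(rule.get("apiGroups", []))
    return (bool(verbs & {"impersonate", "*"})
            and bool(resources & {"users", "groups", "*"})
            and bool(api_groups & {"", "*"}))  # users/groups are in the core ("") group

def find_impersonators(objects):
    """Return sorted (subject, cluster_role, unrestricted); unrestricted = no resourceNames limit."""
    risky = {}  # ClusterRole name -> can it impersonate ANY identity?
    for obj in objects:
        if obj["kind"] == "ClusterRole":
            hits = [r for r in obj.get("rules") or [] if grants_impersonation(r)]
            if hits:
                risky[obj["metadata"]["name"]] = any(not r.get("resourceNames") for r in hits)
    findings = set()
    for obj in objects:
        ref = obj.get("roleRef", {})
        if obj["kind"] != "ClusterRoleBinding" or ref.get("name") not in risky:
            continue
        for s in obj.get("subjects") or []:
            ns = s.get("namespace")
            subject = f"{s['kind']}:{ns + '/' if ns else ''}{s['name']}"
            findings.add((subject, ref["name"], risky[ref["name"]]))
    return sorted(findings)

def _role(name, **rule):  # builders for the constructed sample below
    return {"kind": "ClusterRole", "metadata": {"name": name}, "rules": [rule]}
def _bind(role, **subject):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": role + "-b"},
            "roleRef": {"kind": "ClusterRole", "name": role}, "subjects": [subject]}
# Constructed sample, shaped like the items of `kubectl get clusterroles,clusterrolebindings -o json`.
SAMPLE = [
    _role("impersonator", apiGroups=[""], resources=["users", "groups"], verbs=["impersonate"]),
    _role("helpdesk", apiGroups=[""], resources=["users"], verbs=["impersonate"], resourceNames=["alice"]),
    _role("viewer", apiGroups=[""], resources=["pods"], verbs=["get", "list"]),
    _bind("impersonator", kind="ServiceAccount", namespace="default", name="impersonate-sa"),
    _bind("helpdesk", kind="User", name="bob"),
    _bind("viewer", kind="Group", name="devs"),
]

if __name__ == "__main__":
    objs = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else SAMPLE
    for subject, role, unrestricted in find_impersonators(objs):
        print(subject, "->", role, "(any identity)" if unrestricted else "(named identities only)")
```

Pass the path of a saved `kubectl get clusterroles,clusterrolebindings -o json` dump as the first argument to audit a real cluster; grants without `resourceNames` are the ones to eliminate first.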

Calculation

References: