With a user impersonation privilege an attacker can impersonate a more privileged account.
MITRE ATT&CK: Valid Accounts, T1078
The impersonate users/groups permission allows an attacker to execute K8s API actions on behalf of another user, including those with cluster-admin rights and other highly privileged users.
Ability to interrogate the K8s API with a role allowing impersonate access to users and/or groups.
See the example pod spec.
Simply ask kubectl:
Execute any action in the K8s API impersonating a privileged group (e.g. system:masters) or user using the syntax:
- Monitoring the follow-on activity from user impersonation may be a more fruitful endeavour.
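One way to monitor that follow-on activity is to read the API server audit log: every request that carries impersonation headers is recorded with an `impersonatedUser` field alongside the real authenticated `user`. The following is an added example, not code from this reference or from KubeHound; the audit events are constructed samples and the set of groups treated as high-privilege is an assumption.

```python
import json
from typing import Iterable

# Constructed sample audit events (audit.k8s.io/v1 shape, trimmed to the fields used here).
# "user" is the caller that actually authenticated; "impersonatedUser" is filled in by the
# API server only when the request carried Impersonate-User / Impersonate-Group headers.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/pods","user":{"username":"alice","groups":["developers"]},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/secrets","user":{"username":"ci-runner","groups":["system:authenticated"]},"impersonatedUser":{"username":"system:serviceaccount:kube-system:default","groups":["system:masters"]},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","requestURI":"/apis/apps/v1/deployments","user":{"username":"bob"},"impersonatedUser":{"username":"carol","groups":["developers"]},"responseStatus":{"code":403}}
"""

# Assumption: groups whose impersonation should always be escalated for review.
HIGH_PRIVILEGE_GROUPS = {"system:masters"}


def impersonation_events(lines: Iterable[str]):
    """Yield one finding per audit event executed under an impersonated identity."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        imp = ev.get("impersonatedUser")
        if not imp:
            continue  # ordinary request: the caller acted as itself
        groups = set(imp.get("groups", []))
        yield {
            "caller": ev.get("user", {}).get("username"),   # who really sent the request
            "as_user": imp.get("username"),                 # identity they acted as
            "as_groups": sorted(groups),
            "verb": ev.get("verb"),
            "uri": ev.get("requestURI"),
            "status": ev.get("responseStatus", {}).get("code"),
            "privileged": bool(groups & HIGH_PRIVILEGE_GROUPS),
        }


def detect(log_text: str):
    """Return all impersonation findings from a newline-delimited JSON audit log."""
    return list(impersonation_events(log_text.splitlines()))


if __name__ == "__main__":
    for f in detect(SAMPLE_AUDIT_LOG):
        tag = "PRIVILEGED" if f["privileged"] else "impersonated"
        print(f"[{tag}] {f['caller']} -> {f['as_user']} {f['as_groups']} "
              f"{f['verb']} {f['uri']} ({f['status']})")
```

Denied requests (HTTP 403) are still worth surfacing, since they show a caller probing what a borrowed identity can do.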
Implement least privilege access
Impersonating users is a very powerful privilege and should not be required by the majority of users. Use an automated tool such as KubeHound to search for any risky permissions and users in the cluster and look to eliminate them.