PERMISSION_DISCOVER

Represents the permissions granted to an identity that can be discovered by an attacker.

Source     Destination     MITRE ATT&CK
Identity   PermissionSet   Permission Groups Discovery, T1069

Details

K8s RBAC aggregates sets of API permissions together under Role (namespaced) and ClusterRole (cluster-wide) objects. These are then assigned to identities (users, groups or service accounts) via RoleBinding (namespaced) or ClusterRoleBinding (cluster-wide) objects. This edge represents that relationship: a binding granting one or more permissions to an identity, which can be discovered by an attacker.

Prerequisites

None

Checks

A full list of identity → role mappings can be retrieved via:

kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide

To discover the permissions of the current identity use:

kubectl auth can-i --list
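The following script is an added example, not KubeHound's own code, showing how the identity → PermissionSet mapping described in the Details section is derived from RoleBinding and ClusterRoleBinding objects, and how the result answers the same question as `kubectl auth can-i` for a given identity. The input is a constructed sample in the shape of `kubectl get ... -o json` output, reduced to the RBAC fields that matter (field names follow rbac.authorization.k8s.io/v1); the function names are my own. It deliberately ignores resourceNames and nonResourceURLs, so it is a simplified model of the real authorizer.

```python
import json
from collections import defaultdict

# Constructed sample (not from a real cluster): two roles and three bindings,
# reduced to the fields the mapping needs.
SAMPLE = json.loads("""
{
 "roles": [
  {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "secret-admin"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]}
 ],
 "bindings": [
  {"kind": "RoleBinding", "metadata": {"name": "rb-pods", "namespace": "dev"},
   "subjects": [{"kind": "ServiceAccount", "name": "app-sa", "namespace": "dev"}],
   "roleRef": {"kind": "Role", "name": "pod-reader"}},
  {"kind": "RoleBinding", "metadata": {"name": "rb-secrets", "namespace": "dev"},
   "subjects": [{"kind": "User", "name": "alice"}],
   "roleRef": {"kind": "ClusterRole", "name": "secret-admin"}},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "crb-secrets"},
   "subjects": [{"kind": "Group", "name": "ops"}],
   "roleRef": {"kind": "ClusterRole", "name": "secret-admin"}}
 ]
}
""")


def identity_key(subject):
    """Canonical identity name: ServiceAccounts are namespaced, Users/Groups are not."""
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subject['namespace']}/{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def permission_sets(bindings):
    """Map each identity to the (scope, role kind, role name) grants it receives.

    scope is the binding's namespace for a RoleBinding and "*" for a
    ClusterRoleBinding. A RoleBinding that references a ClusterRole still only
    grants that ClusterRole's rules inside the binding's namespace.
    """
    grants = defaultdict(set)
    for b in bindings:
        scope = "*" if b["kind"] == "ClusterRoleBinding" else b["metadata"]["namespace"]
        ref = b["roleRef"]
        for subject in b.get("subjects", []):
            grants[identity_key(subject)].add((scope, ref["kind"], ref["name"]))
    return dict(grants)


def _match(patterns, value):
    """RBAC rule lists match exactly or via the "*" wildcard."""
    return "*" in patterns or value in patterns


def can_i(identity, verb, resource, namespace, roles, bindings, api_group=""):
    """Simplified equivalent of `kubectl auth can-i <verb> <resource> -n <namespace>`
    for the given identity. Roles are looked up by namespace; ClusterRoles are global."""
    index = {
        (r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"]): r["rules"]
        for r in roles
    }
    for scope, kind, name in permission_sets(bindings).get(identity, set()):
        if scope != "*" and scope != namespace:
            continue  # namespaced grant does not apply to another namespace
        role_ns = scope if kind == "Role" else ""
        for rule in index.get((kind, role_ns, name), []):
            if (_match(rule["apiGroups"], api_group)
                    and _match(rule["resources"], resource)
                    and _match(rule["verbs"], verb)):
                return True
    return False


if __name__ == "__main__":
    # Print the PERMISSION_DISCOVER edges for the constructed sample.
    for ident, grants in sorted(permission_sets(SAMPLE["bindings"]).items()):
        for scope, kind, name in sorted(grants):
            print(f"{ident} -> {kind}/{name} (scope: {scope})")
```

The point worth noticing in the output is the difference between alice and the ops group: both are bound to the same ClusterRole, but alice's grant came through a namespaced RoleBinding, so her permission set covers only the dev namespace, while the ClusterRoleBinding gives ops the same rules in every namespace.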

Exploitation

No exploitation is necessary. This edge simply indicates that an identity is granted a specific set of permissions (it effectively represents a RoleBinding or ClusterRoleBinding in K8s).

Defences

None

Calculation

References: