
PERMISSION_DISCOVER

Represents the permissions granted to an identity that can be discovered by an attacker.

| Source   | Destination   | MITRE                                |
|----------|---------------|--------------------------------------|
| Identity | PermissionSet | Permission Groups Discovery, T1069   |

Details

K8s RBAC aggregates sets of API permissions together under Role (namespaced) and ClusterRole (cluster-wide) objects. These are then assigned to specific users via RoleBinding (namespaced) or ClusterRoleBinding (cluster-wide) objects. This edge represents that relationship: the grant of one or more permissions to an identity, which an attacker can discover.

Prerequisites

None

Checks

A full list of identity → role mappings can be retrieved via:

kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide

To discover the permissions of the current identity use:

kubectl auth can-i --list
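The two commands above return the raw bindings and the caller's own permissions; the identity → PermissionSet relationship this edge represents is the join between a binding's subjects and its roleRef. The following added example (not KubeHound's code) derives that mapping offline from the JSON shape that `kubectl get rolebindings,clusterrolebindings -A -o json` produces. The binding names, namespaces and subjects in `SAMPLE_BINDINGS` are constructed for illustration; the helper names are my own.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of
# `kubectl get rolebindings,clusterrolebindings -A -o json` (trimmed to the
# fields that matter). Names and namespaces are made up.
SAMPLE_BINDINGS = json.dumps({
    "kind": "List",
    "items": [
        {
            "kind": "RoleBinding",
            "metadata": {"name": "app-reader", "namespace": "prod"},
            "roleRef": {"kind": "Role", "name": "pod-reader"},
            "subjects": [
                {"kind": "ServiceAccount", "name": "app", "namespace": "prod"}
            ],
        },
        {
            "kind": "RoleBinding",
            "metadata": {"name": "ns-admin", "namespace": "prod"},
            # A RoleBinding may reference a ClusterRole; the resulting grant is
            # still confined to the binding's own namespace.
            "roleRef": {"kind": "ClusterRole", "name": "admin"},
            "subjects": [{"kind": "User", "name": "alice"}],
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "monitoring"},
            "roleRef": {"kind": "ClusterRole", "name": "view"},
            "subjects": [
                {"kind": "Group", "name": "system:authenticated"},
                {"kind": "ServiceAccount", "name": "app", "namespace": "prod"},
            ],
        },
    ],
})


def identity_key(subject):
    """Normalise a binding subject into one identity string.

    Service accounts use the same form the API server authenticates them
    under (system:serviceaccount:<namespace>:<name>); users and groups are
    prefixed with their kind so the two namespaces of names cannot collide.
    """
    kind = subject["kind"]
    if kind == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return f"{kind.lower()}:{subject['name']}"


def map_identities_to_roles(bindings_json):
    """Return {identity: [(role_kind, role_name, scope), ...]}.

    scope is the binding's namespace for a RoleBinding and "*" for a
    ClusterRoleBinding, i.e. the scope is decided by the binding kind, not by
    whether the roleRef points at a Role or a ClusterRole.
    """
    grants = defaultdict(list)
    for item in json.loads(bindings_json)["items"]:
        if item["kind"] == "ClusterRoleBinding":
            scope = "*"
        else:
            scope = item["metadata"]["namespace"]
        role = item["roleRef"]
        # A binding with no subjects grants nothing, so .get() with a default.
        for subject in item.get("subjects", []):
            grants[identity_key(subject)].append((role["kind"], role["name"], scope))
    return dict(grants)


def cluster_wide_grants(grants):
    """Identities that hold at least one cluster-wide grant, sorted."""
    return sorted(
        identity for identity, roles in grants.items()
        if any(scope == "*" for _, _, scope in roles)
    )


if __name__ == "__main__":
    grants = map_identities_to_roles(SAMPLE_BINDINGS)
    for identity, roles in sorted(grants.items()):
        for kind, name, scope in roles:
            print(f"{identity:45} -> {kind}/{name} (scope: {scope})")
    print("cluster-wide:", cluster_wide_grants(grants))
```

Run against real output by replacing `SAMPLE_BINDINGS` with the file `kubectl get rolebindings,clusterrolebindings -A -o json` writes. The `cluster_wide_grants` list is the set worth reviewing first when auditing, since a ClusterRoleBinding to a broad group such as `system:authenticated` hands the same PermissionSet to every authenticated identity. To see the effective permissions of one specific identity rather than the caller, `kubectl auth can-i --list` accepts kubectl's standard impersonation flag, e.g. `--as=system:serviceaccount:<namespace>:<name>`.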

Exploitation

No exploitation is necessary. This edge simply indicates that an identity has been granted a specific set of permissions (it effectively represents a RoleBinding or ClusterRoleBinding in K8s).

Defences

None

Calculation

References: