Controller of pods with the ability to bind roles to a k8s entity (users, groups or service accounts)

Lateral movement

Controller of pods with the ability to bind roles to a k8s entity (users, groups or service accounts)

Risk Level

Informational (4)

Platform(s)

Compliance Frameworks

Brazilian General Data Protection (LGPD)
CCPA
CPRA
Data Security Posture Management (DSPM) Best Practices
essential_8_au
GDPR
ISO/IEC 27001
K8s OWASP Top 10
Mitre ATT&CK
New Zealand Information Security Manual
NIST 800-171
NIST 800-190
NIST 800-53
PDPA
UK Cyber Essentials

Description

Controllers are responsible for pods state using a declaration of pod definition. Pods utilize a service account associated with them to communicate with the Kubernetes API, and that service account is mounted by default to any newly created containers. Orca has detected that the Controller {K8sController} creates pods that can bind a role to a pod's service account. An attacker with access to the pod's container can extract the service account token and impersonate to it in order to elevate their privileges in {K8sController.PodSpec.K8sCluster} cluster by binding a privileged role to the service account they're using.

Recommended Mitigation

Consider changing {K8sController}'s role according to the least privilege principle

Controller of pods with the ability to bind roles to a k8s entity (users, groups or service accounts)

Description

Need help?

CLOUD SECURITY PLATFORM

TECHNOLOGY ECOSYSTEM

By Solution

By Industry

COMPARISONS