RBAC doc describes escalation of privilege via pod creation. (#5551)

* Added docs about privilege escalation via pod creation.

* Fix docs style.

* Update index.md

* Update index.md

* Removed line about k8s policing policy

* Update index.md
Spike Curtis 2017-09-21 15:08:06 -07:00 committed by Zach Corleissen
parent 88b4eeca2b
commit 192e9cd4cd
1 changed files with 7 additions and 0 deletions


@ -136,3 +136,10 @@ As of version 1.3, clusters created by kube-up.sh are configured so that the A
{% endcapture %}
{% include templates/concept.md %}
## Privilege escalation via pod creation
Users who have ability to create pods in a namespace can potentially escalate their privileges within that namespace. They can create pods that access secrets the user cannot themselves read, or that run under a service account with different/greater permissions.
**Caution:** System administrators, use care when granting access to pod creation. A user granted permission to create pods (or controllers that create pods) in the namespace can: read all secrets in the namespace; read all config maps in the namespace; and impersonate any service account in the namespace and take any action the account could take. This applies regardless of authorization mode.
{: .caution}
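Review bot: the new `## Privilege escalation via pod creation` section is appended after `{% include templates/concept.md %}`, i.e. outside the `{% capture %}` block that the include renders, so it will appear below the templated page body rather than inside it; move the heading and its two paragraphs above `{% endcapture %}`. In the first paragraph, "Users who have ability" should read "Users who have the ability", and "different/greater permissions" reads better as "different or greater permissions". The caution paragraph correctly lists what pod-create permission implies (reading every secret and config map in the namespace, acting as any service account there) and that this holds regardless of authorization mode, which is the point administrators need when reviewing roles that grant `create` on pods or on pod-creating controllers.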