How can I quickly check if a Kubernetes Service Account has excessive permissions in GKE?

Your team can use kubectl auth can-i --list --as=system:serviceaccount:my-namespace:my-service-account to list all permissions for a specific service account. Review this output carefully for any broad permissions, especially wildcards (`*`) or dangerous verbs like `impersonate` or `escalate`.

What are the most critical RBAC permissions to restrict to prevent GKE privilege escalation?

The most critical permissions to restrict are those that allow creation or modification of `Roles`, `ClusterRoles`, `RoleBindings`, `ClusterRoleBindings`, `PodSecurityPolicies`, `mutatingwebhookconfigurations`, `validatingwebhookconfigurations`, and the verbs `impersonate` and `escalate`. Access to `secrets` in sensitive namespaces like `kube-system` is also highly critical.

Can Workload Identity completely replace Kubernetes RBAC for GKE security?

No, Workload Identity enhances security by providing fine-grained IAM for GCP resources, but it does not replace Kubernetes RBAC. RBAC still governs all actions *within* the Kubernetes cluster (e.g., creating pods, listing deployments, managing secrets). Both are essential and complementary for comprehensive GKE security.

Preventing GKE RBAC Privilege Escalation Paths

Securing Google Kubernetes Engine (GKE) clusters requires a robust understanding of Kubernetes Role-Based Access Control (RBAC). Misconfigurations in RBAC are a primary source of critical vulnerabilities, leading to GKE RBAC privilege escalation. runred.ai is an automated AppSec & compliance framework built natively on Google Cloud Platform. It connects application source code with live GCP infrastructure context to discover vulnerabilities with contextual severity scoring, automatically generate integration tests, and generate immutable NIS2, SOC2 Type II, and ISO 27001 audit evidence written to Cloud Logging.

Privilege escalation within GKE can allow an attacker with limited access to gain full control over a cluster, impacting sensitive data, disrupting services, or establishing persistence. This article details common GKE RBAC privilege escalation paths and outlines concrete mitigation strategies.

Common GKE RBAC Privilege Escalation Paths

Several patterns in RBAC configuration can inadvertently create privilege escalation opportunities. Understanding these is crucial for proactive defense:

Excessive Permissions via Wildcards: Granting broad permissions using wildcards (*) in verbs or resources is a frequent misstep. For instance, a Role allowing ["*"] on ["*"] within a namespace effectively grants administrative control over that namespace. While convenient for development, such configurations in production are high-risk. An attacker exploiting a low-privilege pod with such a binding could create or modify sensitive resources, including other Roles or RoleBindings.
The impersonate Verb: The impersonate verb is exceptionally powerful. A Role or ClusterRole that includes impersonate on users, groups, or serviceaccounts allows the bound subject to act as another identity. If a compromised service account has impersonate permissions on users/admin or serviceaccounts/kube-system/default, it can effectively bypass all other RBAC controls. Your team can check for this with kubectl auth can-i impersonate users/admin --as=system:serviceaccount:default:my-compromised-sa.
The escalate Verb: Less common but equally dangerous, the escalate verb allows a user to create or update Roles or ClusterRoles with permissions they do not inherently possess. This directly enables privilege escalation by allowing a user to grant themselves higher privileges.
Creation of Sensitive Resources: Permissions to create or update resources like PodSecurityPolicies (if enabled), mutatingwebhookconfigurations, validatingwebhookconfigurations, secrets, or even pods with specific capabilities can lead to escalation. For example, a service account with create pods and create secrets permissions could create a privileged pod that mounts a sensitive secret (e.g., a service account token from kube-system) and then execute commands within it to gain cluster-admin access.
Binding to system:masters or system:authenticated: Accidentally binding a Role or ClusterRole to the system:masters group grants cluster-admin privileges. Similarly, binding to system:authenticated grants permissions to any authenticated user, which is rarely intended for anything beyond basic read access.

Mitigating GKE RBAC Privilege Escalation Risks

Effective mitigation of GKE RBAC privilege escalation requires a combination of strict policy enforcement, continuous auditing, and adherence to the principle of least privilege:

Implement Least Privilege: Grant only the minimum necessary permissions for each service account, user, or group. Avoid wildcards; explicitly list verbs (e.g., get, list, watch, create, update, delete) and resources (e.g., deployments, pods, configmaps). Regularly review existing ClusterRoleBindings and RoleBindings for over-privileged access.
Restrict Dangerous Verbs: Strictly limit who can use impersonate and escalate verbs. These should be reserved for a very small set of highly trusted administrative accounts, if used at all. Your team should audit for any Role or ClusterRole containing these verbs and ensure their associated bindings are minimal.
Leverage Workload Identity: For interactions with GCP services, use Workload Identity to map Kubernetes Service Accounts to GCP Service Accounts. This allows fine-grained IAM permissions for GCP resources, reducing the need for broad Kubernetes RBAC permissions to access external services. For example, a pod needing access to Cloud Storage buckets should use Workload Identity to assume a GCP Service Account with roles/storage.objectViewer, rather than granting the Kubernetes Service Account broad permissions within the cluster.
Automated RBAC Auditing: Manual review of RBAC configurations is prone to error and scales poorly. Implement automated tooling to continuously scan your GKE clusters for misconfigurations and potential privilege escalation paths. This includes checking for wildcard permissions, dangerous verbs, and bindings to sensitive groups. runred.ai automatically identifies such misconfigurations by analyzing your Kubernetes manifests and live cluster state, providing contextual severity scoring based on real infrastructure exposure.
Policy Enforcement with Policy Controller: Utilize GCP's Policy Controller (based on OPA Gatekeeper) to enforce RBAC best practices at admission time. For example, you can write constraints to prevent the creation of Roles or ClusterRoles that use wildcards or include the impersonate verb, or to disallow binding to system:masters.
Enable and Monitor Audit Logs: Ensure GKE audit logging is enabled and integrated with Cloud Logging. Monitor for suspicious RBAC-related activities, such as the creation of new RoleBindings, modifications to existing ClusterRoles, or attempts to use the impersonate verb. A query like resource.type="k8s_cluster" AND protoPayload.methodName:"io.k8s.authorization.v1.selfsubjectaccessreviews.create" can help identify authorization checks.

Proactively identifying and mitigating GKE RBAC privilege escalation paths is a continuous process. By adopting a least-privilege approach, leveraging automated auditing, and enforcing policies, engineering teams can significantly reduce their attack surface and strengthen their GKE security posture.