Kubernetes RBAC Tiering
Each permission is classified by the security boundary it can break. T0 means cluster takeover. T3 means limited read-only access. Understand what you are granting before you grant it.
T0  Cluster Control Plane  Can own the cluster                          20 permissions
T1  Node Escape            Can break out of the container to the node   44 permissions
T2  Namespace / Workload   Significant blast radius, cluster-contained  17 permissions
T3  Low Risk               Read-only or non-sensitive writes            18 permissions

Summary: 58 T0/T1 permissions, 47 escalation paths, 65 permissions with paths.
Tier System
T0: Near cluster-admin. Granting this is equivalent to a full cluster compromise — there is no meaningful security boundary remaining. Treat T0 as root.
T1: High risk with realistic escalation paths. An attacker with T1 access can reach cluster-admin under conditions that commonly exist in real clusters.
T2: Moderate risk. Useful read or write access with limited blast radius — typically scoped to a namespace or requiring significant additional conditions to escalate.
T3: Low risk. Mostly read-only enumeration. Useful for reconnaissance but does not directly enable privilege escalation.
How to Use
- Browse or search permissions in Permission Reference to understand the risk tier of each verb/resource combination.
- Click any permission row to see attack steps, affected Kubernetes versions, and CVE references.
- Use the escalation paths toggle to focus only on the permissions that lead to privilege escalation.
- Check Built-in Roles to see which default ClusterRoles carry high-risk permissions and what to watch out for.
Source: kubernetes.io/docs/reference/access-authn-authz/rbac