Permission Reference

80 entries

Verb ⇅The Kubernetes API verb — what action is allowed. get, list, watch — read access. create, update, patch, delete — write access. bind, escalate, impersonate — privilege-specific verbs.	Resource ⇅The Kubernetes API resource targeted by the verb — e.g. pods, secrets, nodes, clusterroles.	Scope ⇅namespaced — permission applies within a single namespace only. cluster — permission applies across the entire cluster.	Tier ▲Risk tier assigned to this permission. T0 — near cluster-admin, immediate full compromise. T1 — significant escalation path with additional conditions. T2 — limited or namespaced access, indirect risk. T3 — minimal risk, mostly read-only enumeration.	Audit ⇅How much detail is written to the audit log when this action is used. None — nothing logged. Metadata — who did it and when, but not the data. Request — includes what was sent. RequestResponse — logs everything including the full response. For secrets, actual values appear in the log.	Escalation ⇅Number of known privilege escalation paths this permission enables. Click a row to expand and see the attack steps.
impersonate	users	cluster	T0	RequestResponse	1 path	▼
impersonate	groups	cluster	T0	RequestResponse	1 path	▼
impersonate	serviceaccounts	cluster	T0	RequestResponse	1 path	▼
escalate	clusterroles	cluster	T0	RequestResponse	1 path	▼
bind	clusterroles	cluster	T0	RequestResponse	1 path	▼
create	clusterrolebindings	cluster	T0	RequestResponse	1 path	▼
patch	clusterrolebindings	cluster	T0	RequestResponse	1 path	▼
create	clusterroles	cluster	T0	RequestResponse	2 paths	▼
update	clusterroles	cluster	T0	RequestResponse	2 paths	▼
create	daemonsets	namespaced	T0	RequestResponse	1 path	▼
list	secrets	cluster	T0	RequestResponse	1 path	▼
watch	secrets	cluster	T0	RequestResponse	1 path	▼
get	nodes/proxy	cluster	T0	RequestResponse	2 paths	▼
create	nodes	cluster	T0	RequestResponse	1 path	▼
create	mutatingwebhookconfigurations	cluster	T0	RequestResponse	1 path	▼
create	certificatesigningrequests	cluster	T0	RequestResponse	1 path	▼
create	apiservices	cluster	T0	RequestResponse	1 path	▼
create	podsecuritypolicies	cluster	T0	RequestResponse	1 path	▼
delete	podsecuritypolicies	cluster	T0	RequestResponse	1 path	▼
escalate	roles	namespaced	T1	RequestResponse	1 path	▼
bind	roles	namespaced	T1	RequestResponse	1 path	▼
create	rolebindings	namespaced	T1	RequestResponse	1 path	▼
patch	rolebindings	namespaced	T1	RequestResponse	1 path	▼
create	roles	namespaced	T1	RequestResponse	1 path	▼
create	pods	namespaced	T1	Request	6 paths	▼
update	daemonsets	namespaced	T1	Request	1 path	▼
create	deployments	namespaced	T1	Request	2 paths	▼
create	statefulsets	namespaced	T1	Request	2 paths	▼
create	replicasets	namespaced	T1	Request	2 paths	▼
create	jobs	namespaced	T1	Request	2 paths	▼
create	cronjobs	namespaced	T1	Request	2 paths	▼
update	deployments	namespaced	T1	Request	1 path	▼
update	statefulsets	namespaced	T1	Request	1 path	▼
create	pods/exec	namespaced	T1	RequestResponse	1 path	▼
create	pods/attach	namespaced	T1	RequestResponse	1 path	▼
create	pods/ephemeralcontainers	namespaced	T1	RequestResponse	1 path	▼
get	secrets	namespaced	T1	RequestResponse	2 paths	▼
create	serviceaccounts/token	namespaced	T1	RequestResponse	1 path	▼
patch	serviceaccounts	namespaced	T1	RequestResponse	3 paths	▼
update	pods/status	namespaced	T1	Request	1 path	▼
get	pods/proxy	namespaced	T1	Request	1 path	▼
patch	nodes	cluster	T1	RequestResponse	1 path	▼
delete	mutatingwebhookconfigurations	cluster	T1	RequestResponse	1 path	▼
create	validatingwebhookconfigurations	cluster	T1	RequestResponse	1 path	▼
delete	validatingwebhookconfigurations	cluster	T1	RequestResponse	1 path	▼
update	certificatesigningrequests/approval	cluster	T1	RequestResponse	1 path	▼
create	persistentvolumes	cluster	T1	Request	1 path	▼
create	persistentvolumeclaims	namespaced	T1	Request	1 path	▼
patch	namespaces	cluster	T1	Request	1 path	▼
delete	namespaces	cluster	T1	Request		▼
update	configmaps	namespaced	T1	RequestResponse	2 paths	▼
create	endpointslices	namespaced	T1	Request	1 path	▼
create	endpoints	namespaced	T1	Request	1 path	▼
create	ingresses	namespaced	T1	Request		▼
create	services	namespaced	T1	RequestResponse	1 path	▼
patch	services	namespaced	T1	RequestResponse	1 path	▼
patch	pods	namespaced	T2	Request	1 path	▼
create	pods/portforward	namespaced	T2	Request		▼
create	secrets	namespaced	T2	RequestResponse		▼
create	serviceaccounts	namespaced	T2	RequestResponse	2 paths	▼
get	nodes/log	cluster	T2	Request	1 path	▼
create	customresourcedefinitions	cluster	T2	Request	1 path	▼
create	storageclasses	cluster	T2	Request		▼
get	configmaps	namespaced	T2	Request		▼
delete	networkpolicies	namespaced	T2	RequestResponse	1 path	▼
get	services/proxy	namespaced	T2	Request	1 path	▼
create	tokenreviews	cluster	T2	Request		▼
create	subjectaccessreviews	cluster	T2	Request		▼
create	selfsubjectaccessreviews	cluster	T3	None		▼
get	pods/log	namespaced	T3	Metadata		▼
get	nodes	cluster	T3	Metadata	1 path	▼
list	nodes	cluster	T3	Metadata	1 path	▼
get	pods	namespaced	T3	Metadata		▼
list	pods	namespaced	T3	Metadata		▼
list	serviceaccounts	namespaced	T3	Metadata		▼
list	clusterroles	cluster	T3	Metadata		▼
list	clusterrolebindings	cluster	T3	Metadata		▼
list	namespaces	cluster	T3	Metadata		▼
get	services	namespaced	T3	Metadata		▼
list	events	namespaced	T3	None		▼