Impersonate users, groups, or service accounts (cluster-wide)
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1066 |
| Name | Impersonate users, groups, or service accounts (cluster-wide) |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | core |
| Resources | users, groups, serviceaccounts, userextras, uids |
| Verbs | impersonate |
| Tags | ClusterAdminAccess Impersonation PrivilegeEscalation Spoofing |
Description
Allows impersonating any user, group, or service account across the entire cluster via impersonation headers. This can be used to escalate privileges to the level of the impersonated identity, potentially gaining cluster-admin access.