Manage ServiceAccounts cluster-wide
Elevation of Privilege
High
Overview
| Field | Value |
|---|---|
| ID | 1067 |
| Name | Manage ServiceAccounts cluster-wide |
| Risk Category | Elevation of Privilege |
| Risk Level | High |
| Role Type | ClusterRole |
| API Groups | core |
| Resources | serviceaccounts |
| Verbs | create, update, patch, delete |
| Tags | IdentityManagement, PotentialPrivilegeEscalation, Tampering |
Description
Allows creating, updating, patching, or deleting ServiceAccounts in any namespace. A subject holding this permission can create ServiceAccounts and then bind them to privileged roles (if other RBAC permissions allow), or modify existing ServiceAccounts, potentially interfering with workload identities.
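
One way to audit for this rule, as an added example that is not part of the original page: the script below scans ClusterRole objects for rules granting any of the listed verbs on `serviceaccounts` in the core API group, including wildcard grants. The function names `matched_verbs` and `find_risky_clusterroles` are hypothetical, and the sample data is constructed, shaped like `kubectl get clusterroles -o json` output.

```python
import json

WRITE_VERBS = {"create", "update", "patch", "delete"}  # verbs listed in the rule table

# Constructed sample, shaped like `kubectl get clusterroles -o json` output.
SAMPLE = json.loads('''
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "sa-admin"},
  "rules": [{"apiGroups": [""], "resources": ["serviceaccounts"],
             "verbs": ["get", "create", "patch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "sa-reader"},
  "rules": [{"apiGroups": [""], "resources": ["serviceaccounts"],
             "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "token-minter"},
  "rules": [{"apiGroups": [""], "resources": ["serviceaccounts/token"],
             "verbs": ["create"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "wildcard-ops"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "apps-only"},
  "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["delete"]}]}
]}
''')

def matched_verbs(rule):
    """Return the write verbs a single RBAC rule grants on core serviceaccounts."""
    groups = rule.get("apiGroups") or []
    resources = rule.get("resources") or []
    verbs = set(rule.get("verbs") or [])
    if "" not in groups and "*" not in groups:      # core group is the empty string
        return set()
    # Exact match only: "serviceaccounts/token" is a separate subresource.
    if "serviceaccounts" not in resources and "*" not in resources:
        return set()
    return set(WRITE_VERBS) if "*" in verbs else verbs & WRITE_VERBS

def find_risky_clusterroles(doc):
    """Map ClusterRole name -> sorted write verbs it grants on serviceaccounts."""
    findings = {}
    for item in doc.get("items", []):
        if item.get("kind") != "ClusterRole":
            continue
        granted = set()
        for rule in item.get("rules") or []:        # rules may be absent or null
            granted |= matched_verbs(rule)
        if granted:
            findings[item["metadata"]["name"]] = sorted(granted)
    return findings

if __name__ == "__main__":
    for name, verbs in find_risky_clusterroles(SAMPLE).items():
        print(f"{name}: {', '.join(verbs)}")
```

Each flagged ClusterRole should then be traced to its ClusterRoleBindings and RoleBindings to see which subjects actually hold the permission.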