All posts
September 9, 20251 min read

Kubectl Privilege Escalation: From Read-Only to Cluster Admin in a Single Command

Privilege escalation in Kubernetes through kubectl is not theory. It happens. One misconfigured RoleBinding, one overlooked ServiceAccount, and the entire security model collapses. The simplicity of kubectl makes it powerful, but in the wrong context, it’s the shortest path from user to cluster admin. Attackers exploit kubectl privilege escalation by chaining permissions in ways that are easy to miss during audits. Even when RBAC seems locked down, a single exec or impersonate verb on sensitive

Free White Paper

Privilege Escalation Prevention + Read-Only Root Filesystem: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

Privilege escalation in Kubernetes through kubectl is not theory. It happens. One misconfigured RoleBinding, one overlooked ServiceAccount, and the entire security model collapses. The simplicity of kubectl makes it powerful, but in the wrong context, it’s the shortest path from user to cluster admin.

Attackers exploit kubectl privilege escalation by chaining permissions in ways that are easy to miss during audits. Even when RBAC seems locked down, a single exec or impersonate verb on sensitive resources is enough to bypass restrictions. Misuse of kubectl commands like kubectl exec, kubectl create, or kubectl apply can lead to running arbitrary code inside pods, mounting secrets, or reconfiguring high-privilege workloads.

The danger lies in the intersection of kubectl’s broad functionality and the complexity of Kubernetes role-based access controls. A user allowed to create Pods may spin up one with a service account token mapped from a privileged namespace. A user allowed to exec into containers can reach secret volumes. A user with get and list access to certain resources can craft YAML that elevates their permissions.

Continue reading? Get the full guide.

Privilege Escalation Prevention + Read-Only Root Filesystem: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Defensive strategy requires more than checking permissions on paper. You have to test them. You need to simulate what happens when kubectl is in the hands of a creative adversary. Zero trust in principle means verifying in practice. Forensic logging of kubectl actions, least privilege enforcement, and regular RBAC reviews are all part of closing the gap.

kube-apiserver logs and admission controllers help detect escalation attempts. PodSecurityPolicies (or their replacements) can gate dangerous behaviors. Tight segmentation between namespaces and restricting kubectl access to production clusters reduces blast radius.

Real security is not won by assuming RBAC works; it’s proven by active verification. That’s why running real privilege escalation tests against a live cluster matters. It makes hidden risks visible.

You can see kubectl privilege escalation play out in your own environment without waiting for a breach. With hoop.dev, you can spin up a safe, isolated cluster in minutes and witness how small permissions become big problems. Then you can fix them—before someone else finds them.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts