Skip to content

T1098.006 Additional Container Cluster Roles

An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.45 Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.3

This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised.

Note that where container orchestration systems are deployed in cloud environments, as with Google Kubernetes Engine, Amazon Elastic Kubernetes Service, and Azure Kubernetes Service, cloud-based role-based access control (RBAC) assignments or ABAC policies can often be used in place of or in addition to local permission assignments.216 In these cases, this technique may be used in conjunction with Additional Cloud Roles.

Item Value
ID T1098.006
Sub-techniques T1098.001, T1098.002, T1098.003, T1098.004, T1098.005, T1098.006, T1098.007
Tactics TA0003, TA0004
Platforms Containers
Version 1.0
Created 14 July 2023
Last Modified 15 April 2025

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication Require multi-factor authentication for user accounts integrated into container clusters through cloud deployments or via authentication protocols such as LDAP or SAML.
M1018 User Account Management Ensure that low-privileged accounts do not have permissions to add permissions to accounts or to update container cluster roles.

References

  1. Amazon Web Services. (n.d.). IAM roles for service accounts. Retrieved July 14, 2023. 

  2. Google Cloud. (n.d.). Create IAM policies. Retrieved July 14, 2023. 

  3. Kuberenets. (n.d.). Using ABAC Authorization. Retrieved July 14, 2023. 

  4. Kubernetes. (n.d.). Role Based Access Control Good Practices. Retrieved March 8, 2023. 

  5. Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14, 2023. 

  6. Microsoft Azure. (2023, April 28). Access and identity options for Azure Kubernetes Service (AKS). Retrieved July 14, 2023.