Misunderstandings of how the `LIST` and `WATCH` permissions work in kubernetes
RichardoC opened this issue
How/where should I add some docs regarding this?
I've seen this be done incorrectly a few times and would like to contribute a doc about it.
Third-party example write-ups:

- Why list is a scary permission on k8s
- Kubernetes security recommendations for developers
I think a great spot for how LIST and WATCH permissions work and associated attack scenarios would be here - https://github.com/OWASP/www-project-kubernetes-top-ten/blob/main/2022/en/src/K03-overly-permissive-rbac.md
You can add a new "Attack Scenario" then we can review collectively. This section definitely needs some more detail!
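The misunderstanding the issue is about, and the "Attack Scenario" the reply asks for, come down to one fact about the API server: the LIST and WATCH verbs return complete objects, `data` field included, so removing `get` from a Role that still grants `list` or `watch` on `secrets` does not limit the subject to secret names. Below is an added example, not code from this thread or from the OWASP project, that audits RBAC rules for exactly this pattern. The two Role objects, the `rule_exposes_secrets`/`audit_role` names and the sensitive-resource set are constructed for the example.

```python
"""Audit RBAC rules for the LIST/WATCH-on-secrets misunderstanding.

Added example, not code from the issue thread or the OWASP project.
A Role author often removes the "get" verb on secrets and assumes the
subject can then only enumerate secret names. The API server does not
work that way: LIST and WATCH responses carry complete objects, `data`
field included, so a subject holding only `list` can run
`kubectl get secrets -o yaml` and dump every secret in the namespace,
and one holding `watch` receives each secret's body as it is created or
updated. The Role objects below are constructed for this example.
"""

# Verbs whose responses carry full object bodies. "get" is the one people
# remember to remove; "list" and "watch" are the ones they forget.
CONTENT_REVEALING_VERBS = {"get", "list", "watch"}

# Resources whose bodies hold credential material. Kept to the built-in type
# here (constructed set); extend it for CRDs that embed credentials.
SENSITIVE_RESOURCES = {"secrets"}


def rule_exposes_secrets(rule: dict) -> list[str]:
    """Return the content-revealing verbs a single PolicyRule grants on secrets.

    Returns [] when the rule cannot hand back secret bodies in bulk.
    """
    api_groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))

    # Secrets live in the core API group, spelled "" in RBAC; "*" matches any group.
    if not api_groups & {"", "*"}:
        return []
    if "*" in resources:
        resources = set(SENSITIVE_RESOURCES)
    if not resources & SENSITIVE_RESOURCES:
        return []
    if "*" in verbs:
        verbs = set(CONTENT_REVEALING_VERBS)

    # With resourceNames set, a LIST/WATCH is only authorised when the request
    # carries a matching metadata.name field selector (per the RBAC docs), so a
    # bare, namespace-wide dump is refused. Treat that as scoped, not bulk exposure.
    if rule.get("resourceNames"):
        return []
    return sorted(verbs & CONTENT_REVEALING_VERBS)


def audit_role(role: dict) -> list[str]:
    """Return one finding per rule that lets the subject read secret contents in bulk."""
    name = role["metadata"]["name"]
    findings = []
    for index, rule in enumerate(role.get("rules", [])):
        verbs = rule_exposes_secrets(rule)
        if verbs:
            findings.append(
                f"{name}: rules[{index}] grants {verbs} on secrets; "
                "the response bodies include the data field, so this is read access"
            )
    return findings


# Constructed Role whose author believes "no get" means "names only".
NAIVE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "secret-lister", "namespace": "prod"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list", "watch"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]},
    ],
}

# Constructed Role scoped to the one secret the workload actually needs.
SCOPED_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "db-cred-reader", "namespace": "prod"},
    "rules": [
        {
            "apiGroups": [""],
            "resources": ["secrets"],
            "resourceNames": ["db-creds"],
            "verbs": ["get"],
        },
    ],
}

if __name__ == "__main__":
    for role in (NAIVE_ROLE, SCOPED_ROLE):
        for line in audit_role(role) or [f"{role['metadata']['name']}: no bulk secret exposure"]:
            print(line)
```

Running it flags `secret-lister` (list and watch on secrets) and passes `db-cred-reader`, which is the shape the "Attack Scenario" should contrast: the attacker-side commands against the first Role are simply `kubectl get secrets -o yaml` for a one-shot dump and `kubectl get secrets -w -o yaml` to keep receiving new and rotated secrets. The `resourceNames` handling follows the documented RBAC behaviour that a name-restricted list or watch must include a matching `metadata.name` field selector; if your cluster runs an admission or authorization webhook that changes this, adjust that branch.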