As an attacker, you are going to search for powerful accounts. However, it is difficult to answer the question "what rights does this account have?" using the API natively, because bindings, roles and subjects have to be cross-referenced by hand. Fortunately, Fairwinds has written a useful tool (in Go, so it can be downloaded as a statically compiled binary) that simplifies this process: https://github.com/FairwindsOps/rbac-lookup

| Service Account | Interesting "Attacker" Permissions | Role/Cluster Role Binding Extract Details |
|---|---|---|
| kube-system:bootstrap-signer | Can get secrets in kube-system namespace | `"apiGroups": [""], "resources": ["secrets"], "verbs": ["get","list","watch"]` |
| kube-system:clusterrole-aggregation-controller | Can do everything! | `"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]` |
| kube-system:daemon-set-controller | Can create pods | `"apiGroups": [""], "resources": ["pods"], "verbs": ["create","delete","list","patch","watch"]` |
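As an added example (not part of the original page and not code from Fairwinds' rbac-lookup), the following Python audit takes PolicyRule lists in the same shape as the extracts above (the `.rules` field of a Role or ClusterRole as `kubectl get clusterrole NAME -o json` prints it) and flags the three patterns the table calls out: a wildcard grant, read access to secrets, and pod creation. The sample rule sets are constructed from the table, and the `SENSITIVE` shortlist is a hypothetical starting point rather than a complete policy.

```python
# Constructed sample input: one PolicyRule list per service account, taken
# from the table above. Real input would be the .rules of each bound role.
SAMPLE_BINDINGS = {
    "kube-system:bootstrap-signer": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
    ],
    "kube-system:clusterrole-aggregation-controller": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
    "kube-system:daemon-set-controller": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["create", "delete", "list", "patch", "watch"]},
    ],
}

# Hypothetical shortlist of core-group resources and the verbs worth reviewing.
SENSITIVE = {
    "secrets": {"get", "list", "watch"},
    "pods": {"create", "patch"},
}


def _matches(field, wanted):
    """A wildcard entry matches anything; otherwise the exact value must be listed."""
    return "*" in field or wanted in field


def classify_rules(rules):
    """Return human-readable findings for a list of RBAC PolicyRules."""
    findings = []
    for rule in rules:
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        # Full wildcard on groups, resources and verbs is cluster-admin in all but name.
        if "*" in groups and "*" in resources and "*" in verbs:
            findings.append("cluster-admin equivalent: * on * for all verbs")
            continue
        if not _matches(groups, ""):  # SENSITIVE only lists core-group resources
            continue
        for resource, risky_verbs in SENSITIVE.items():
            if _matches(resources, resource):
                hit = risky_verbs if "*" in verbs else risky_verbs & verbs
                if hit:
                    findings.append(f"{resource}: {','.join(sorted(hit))}")
    return findings


def audit(bindings):
    """Map each subject to its findings, omitting subjects with nothing to report."""
    report = {}
    for name, rules in bindings.items():
        findings = classify_rules(rules)
        if findings:
            report[name] = findings
    return report
```

Running `audit(SAMPLE_BINDINGS)` reproduces the three rows of the table; feeding it every ServiceAccount's bound rules turns the manual cross-referencing into a repeatable check.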