Information
Cluster roles and roles with the impersonate, bind or escalate permissions should not be granted unless strictly required. Each of these permissions allow a particular subject to escalate their privileges beyond those explicitly granted by cluster administrators
The impersonate privilege allows a subject to impersonate other users gaining their rights to the cluster. The bind privilege allows the subject to add a binding to a cluster role or role which escalates their effective permissions in the cluster. The escalate privilege allows a subject to modify cluster roles to which they are bound, increasing their rights to that level.
Each of these permissions has the potential to allow for privilege escalation to cluster-admin level.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Where possible, remove the impersonate, bind and escalate rights from subjects.
Impact:
There are some cases where these permissions are required for cluster service operation, and care should be taken before removing these permissions from system service accounts.