---
title: "Restrict Escalation Verbs Roles"
diataxis: reference
applies_to:
  product: "kyverno"
audience: ["platform-engineer","devsecops"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/policy-sets/rbac_best_practices/restrict-escalation-verbs-roles/
---


### Description

The verbs `impersonate`, `bind`, and `escalate` may all potentially lead to privilege escalation and should be tightly controlled. This policy prevents the use of these verbs in `Role` or `ClusterRole` resources.

### Risks

Risks associated with `bind`, `escalate`, and `impersonate` verbs:

#### Bind Verb

The `bind` verb poses a risk because it allows users to create or modify role bindings, granting themselves or others access to permissions that they do not already have. If an unauthorized user gains this ability, they can escalate their privileges by binding roles with broad permissions, giving themselves unauthorized access to sensitive resources.

#### Escalate Verb

A user with `escalate` privileges can modify the roles or cluster roles that are assigned to them and increase the level of privileges they have. An attacker can exploit this to perform unintended actions in the cluster.

#### Impersonate Verb

The `impersonate` verb allows a user to act as another user, group, or service account. This capability is sensitive, as it can lead to security breaches. If an attacker can impersonate a user with elevated privileges, they can execute actions on behalf of that user and negatively impact the cluster.


### Kyverno Policy

Refer to the Nirmata curated policies - [restrict-escalation-verbs-roles](https://github.com/nirmata/kyverno-policies/blob/main/rbac-best-practices/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml).

#### Resource Example

Below is an example of a `ClusterRole` resource that does not include any of the escalation verbs.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: goodcr01
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io", "apps"]
  resources: ["deployments", "roles"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["update", "watch", "list"]
```

Below is an example of a `Role` resource that does not include any of the escalation verbs.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: goodrole01
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io", "apps"]
  resources: ["deployments", "roles"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["update", "watch", "list"]
```

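As an added illustration (not the Nirmata policy or Kyverno's own code), the following Python script applies the same escalation-verb check offline to manifests already loaded as dictionaries: the page's `goodcr01` ClusterRole plus two constructed non-compliant Roles. It goes one step beyond the page's literal verb list by optionally flagging the wildcard verb `*`, which grants every verb including `bind`, `escalate`, and `impersonate`; the manifests are embedded inline, so no YAML parser is required.

```python
# Added example: offline check for the verbs this policy forbids. Manifests are
# embedded as dicts constructed for this example, so no YAML parser is needed.
ESCALATION_VERBS = frozenset({"impersonate", "bind", "escalate"})


def rbac(kind, name, rules):
    """Build a minimal manifest from (apiGroups, resources, verbs) tuples."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind,
            "metadata": {"name": name},
            "rules": [{"apiGroups": g, "resources": r, "verbs": v} for g, r, v in rules]}


# Same rules as the page's goodcr01 ClusterRole: no escalation verbs present.
GOOD_CLUSTERROLE = rbac("ClusterRole", "goodcr01", [
    ([""], ["pods", "namespaces"], ["get", "watch", "list"]),
    (["rbac.authorization.k8s.io", "apps"], ["deployments", "roles"], ["get", "watch", "list"]),
    (["rbac.authorization.k8s.io"], ["clusterroles"], ["update", "watch", "list"]),
])
# Constructed non-compliant Role: bind on rolebindings and impersonate on users.
BAD_ROLE = rbac("Role", "badrole01", [
    (["rbac.authorization.k8s.io"], ["rolebindings"], ["create", "bind"]),
    ([""], ["users"], ["impersonate"]),
])
# Constructed Role using the wildcard verb, which implicitly grants all three.
WILDCARD_ROLE = rbac("Role", "wildcard01", [(["*"], ["*"], ["*"])])


def find_escalation_verbs(manifest, flag_wildcard=True):
    """Return [(rule_index, verb)] for each forbidden verb in a Role/ClusterRole.
    Other kinds yield no findings; flag_wildcard=True (stricter than the page's
    verb list) also reports "*", which implicitly grants all three verbs."""
    if manifest.get("kind") not in ("Role", "ClusterRole"):
        return []
    findings = []
    for idx, rule in enumerate(manifest.get("rules") or []):
        for verb in rule.get("verbs") or []:
            if verb in ESCALATION_VERBS or (flag_wildcard and verb == "*"):
                findings.append((idx, verb))
    return findings


def is_compliant(manifest, flag_wildcard=True):
    """True when the manifest would be admitted by the escalation-verb check."""
    return not find_escalation_verbs(manifest, flag_wildcard)


if __name__ == "__main__":
    for m in (GOOD_CLUSTERROLE, BAD_ROLE, WILDCARD_ROLE):
        verdict = "OK" if is_compliant(m) else f"DENY {find_escalation_verbs(m)}"
        print(f'{m["kind"]}/{m["metadata"]["name"]}: {verdict}')
```

Running the script reports `goodcr01` as OK and the two constructed Roles as denied, with the rule index and verb that triggered each finding.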
