Details

Obtaining the impersonate users/groups permission will allow an attacker to execute K8s API actions on behalf of another user, including those with cluster-admin rights, and other highly privileged users.

Prerequisites

Ability to interrogate the K8s API with a role allowing impersonate access to users and/or groups.

See the example pod spec .

Checks

Simply ask kubectl:

kubectl auth can-i impersonate users
kubectl auth can-i impersonate groups
Exploitation
Execute any action in the K8s API impersonating a privileged group (e.g system:masters) or user using the syntax:
$ kubectl <verb> <noun> -as=null -as-group=system:masters -o json | jq
Defences
Monitoring
Monitoring the follow-on activity from user impersonation may be a more fruitful endeavour.
Implement least privilege access
Impersonating users is a very powerful privilege and should not be required by the majority of users. Use an automated tool such a KubeHound to search for any risky permissions and users in the cluster and look to eliminate them.
Calculation
IdentityImpersonate
IdentityImpersonateNamespace
References:
Official Kubernetes Documentation: Authenticating
Securing Kubernetes Clusters by Eliminating Risky Permissions