Cluster-wide pod exec
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1000 |
| Name | Cluster-wide pod exec |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | core |
| Resources | pods/exec |
| Verbs | create |
| Tags | ClusterWidePodExec CodeExecution ElevationOfPrivilege LateralMovement |
Description
Allows executing commands within any pod across the entire cluster. This provides direct shell access to running containers, enabling code execution, lateral movement, and potential privilege escalation by compromising sensitive workloads or accessing node resources.
Abuse Scenarios
- Execute a non-interactive command inside a specific pod.

  ```sh
  kubectl exec <pod-name> -n <namespace> -- ls -la /
  # Example: Execute 'whoami' in a coredns pod
  # kubectl exec coredns-xxxx-yyyy -n kube-system -- whoami
  ```

- Obtain an interactive shell inside a specific pod.

  ```sh
  kubectl exec -it <pod-name> -n <namespace> -- sh
  # If 'sh' is not available, try 'bash' or 'ash'
  # kubectl exec -it <pod-name> -n <namespace> -- bash
  # Example: Get a shell in a coredns pod
  # kubectl exec -it coredns-xxxx-yyyy -n kube-system -- sh
  ```
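Defender-side check, added here and not part of this catalog entry: the Python below audits ClusterRole and ClusterRoleBinding objects for exactly the permission described above (`create` on `pods/exec` in the core API group), including the wildcard spellings RBAC accepts, and reports which subjects hold it cluster-wide. Role names, subjects and manifests are constructed samples.

```python
# Added audit helper, not part of the original catalog entry: flags ClusterRoles that grant
# 'create' on pods/exec in the core API group and the subjects bound to them cluster-wide.
# SAMPLE_ROLES / SAMPLE_BINDINGS are constructed sample data, not output from a real cluster.

CORE_GROUPS = {"", "core"}  # the core group is spelled "" in RBAC manifests

def rule_grants_pod_exec(rule: dict) -> bool:
    """True if one PolicyRule allows 'create' on pods/exec, wildcards included."""
    groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    group_ok = "*" in groups or any(g in CORE_GROUPS for g in groups)
    # RBAC matches a subresource against "*", the exact name, "pods/*" and "*/exec".
    resource_ok = bool({"*", "pods/exec", "pods/*", "*/exec"} & set(resources))
    verb_ok = "*" in verbs or "create" in verbs
    return group_ok and resource_ok and verb_ok

def risky_cluster_roles(cluster_roles: list) -> set:
    """Names of ClusterRoles with at least one rule granting pod exec."""
    return {cr["metadata"]["name"] for cr in cluster_roles
            if any(rule_grants_pod_exec(r) for r in cr.get("rules", []))}

def cluster_wide_exec_subjects(cluster_roles: list, bindings: list) -> list:
    """(kind, name, role) for each subject of a ClusterRoleBinding to a risky ClusterRole.
    RoleBindings are skipped on purpose: they scope a ClusterRole to a single namespace."""
    risky = risky_cluster_roles(cluster_roles)
    hits = []
    for b in bindings:
        ref = b["roleRef"]
        if b["kind"] == "ClusterRoleBinding" and ref["kind"] == "ClusterRole" and ref["name"] in risky:
            hits += [(s["kind"], s["name"], ref["name"]) for s in b.get("subjects", [])]
    return sorted(hits)

# Constructed objects in the shape of `kubectl get clusterroles,clusterrolebindings -o json` items.
SAMPLE_ROLES = [
    {"metadata": {"name": "debug-exec"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "debug-exec"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "RoleBinding", "roleRef": {"kind": "ClusterRole", "name": "debug-exec"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner"}]},  # namespaced: not flagged
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "monitoring"}]},
]
```

Feed the `items` lists from `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` to `cluster_wide_exec_subjects` to run it against a live cluster; on the samples it reports only `Group/developers` via `debug-exec`, while the namespaced RoleBinding to the same role is left out.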