Create pods in a namespace
Overview
Field | Value |
---|---|
ID | 1007 |
Name | Create pods in a namespace |
Risk Category | Elevation of Privilege |
Risk Level | High |
Role Type | Role |
API Groups | core |
Resources | pods |
Verbs | create |
Tags | LateralMovement Persistence PotentialPrivilegeEscalation WorkloadExecution |
Description
Grants permission to create new pods within a specific namespace. This can lead to privilege escalation when the pods created are allowed to use hostPath mounts, a privileged security context, or service accounts with sensitive permissions in that namespace. It also enables workload execution and potential persistence.
Abuse Scenarios
- Create a pod with a hostPath mount to access node files within the namespace.
```shell
kubectl create -n <namespace> -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: hostpath-pod
spec:
  containers:
  - name: hostpath-container
    image: busybox
    command: ["/bin/sh", "-c", "sleep infinity"]
    volumeMounts:
    - mountPath: /host-etc
      name: host-etc
  volumes:
  - name: host-etc
    hostPath:
      path: /etc
EOF
# Example: kubectl create -n development -f - <<EOF ... EOF
```
- Create a pod that uses a specific service account in the namespace.
```shell
kubectl create -n <namespace> -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: sa-test-pod
spec:
  serviceAccountName: <serviceaccount-name>
  containers:
  - name: test-container
    image: busybox
    command: ["/bin/sh", "-c", "sleep infinity"]
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF (using 'default' SA)
```
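As an added example that is not part of this catalog entry, the matching logic for rule 1007 applied to the JSON that `kubectl get roles -A -o json` returns. The three Role objects are constructed inline; the rule constants mirror the table above, with the core API group spelled `""` as RBAC manifests do, and `*` wildcards treated as a match so over-broad Roles are flagged too.

```python
import json

# Rule 1007 as given in the table above: core API group, pods, create.
RULE_ID = 1007
RULE_API_GROUPS = {""}        # RBAC rules spell the core group as ""
RULE_RESOURCES = {"pods"}
RULE_VERBS = {"create"}


def _matches(wanted, granted):
    """A rule field matches if it names a wanted value or the '*' wildcard."""
    return "*" in granted or bool(wanted & set(granted))


def flag_roles(roles_json):
    """Return (namespace, name) pairs of Roles granting create on pods in the core group.

    `roles_json` is the JSON text from `kubectl get roles -A -o json`.
    ClusterRoles share the same rule schema and can be fed to this function too.
    """
    findings = []
    for item in json.loads(roles_json)["items"]:
        meta = item["metadata"]
        for rule in item.get("rules", []):
            if (_matches(RULE_API_GROUPS, rule.get("apiGroups", []))
                    and _matches(RULE_RESOURCES, rule.get("resources", []))
                    and _matches(RULE_VERBS, rule.get("verbs", []))):
                findings.append((meta.get("namespace", ""), meta["name"]))
                break  # one matching rule is enough to flag the Role
    return findings


# Constructed sample: one Role that grants pod creation explicitly, one that
# uses wildcards, and one read-only Role that must not be flagged.
SAMPLE_ROLES = json.dumps({"items": [
    {"metadata": {"namespace": "development", "name": "pod-deployer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "get"]}]},
    {"metadata": {"namespace": "default", "name": "wide-open"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"namespace": "default", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]})

if __name__ == "__main__":
    for ns, name in flag_roles(SAMPLE_ROLES):
        print(f"rule {RULE_ID}: Role {ns}/{name} grants pod creation")
```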