Node proxy access (Kubelet API)
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1014 |
| Name | Node proxy access (Kubelet API) |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | core |
| Resources | nodes/proxy |
| Verbs | get, create, update, patch, delete |
| Tags | ClusterAdminAccess CodeExecution DataExposure LateralMovement NodeAccess (+1 more) |
Description
Provides direct access to the Kubelet API on any node in the cluster. This is equivalent to cluster admin access, allowing an attacker to run commands on nodes, access pod logs, execute commands in containers, and retrieve sensitive information directly from the nodes, leading to full cluster compromise.
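One way to find roles that match this rule, as an added example (not part of the original page or its tooling): the function below scans JSON in the shape produced by `kubectl get clusterroles -o json` and reports every role whose rules cover `nodes/proxy` in the core API group with any of the verbs listed above. It also treats the wildcard forms `*` and `*/proxy` as matches, since the RBAC authorizer does; the role names in the sample are constructed.

```python
import json

# Verbs from the rule table above, plus the RBAC wildcard verb.
RISKY_VERBS = {"get", "create", "update", "patch", "delete", "*"}

def grants_node_proxy(rule):
    """Return the risky verbs an RBAC PolicyRule grants on core-group nodes/proxy."""
    groups = rule.get("apiGroups") or []
    if "" not in groups and "*" not in groups:  # "" is the core API group
        return set()
    resources = rule.get("resources") or []
    # The authorizer matches "*", the exact "nodes/proxy", and "*/proxy".
    if not any(r in ("*", "nodes/proxy", "*/proxy") for r in resources):
        return set()
    return RISKY_VERBS & set(rule.get("verbs") or [])

def audit_roles(role_list_json):
    """Scan a ClusterRole/Role list document; return {role name: sorted verbs}."""
    findings = {}
    for role in json.loads(role_list_json).get("items", []):
        verbs = set()
        for rule in role.get("rules") or []:  # aggregated roles may have null rules
            verbs |= grants_node_proxy(rule)
        if verbs:
            findings[role["metadata"]["name"]] = sorted(verbs)
    return findings

# Constructed sample input; all role names are hypothetical.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "metrics-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}]},
    {"metadata": {"name": "node-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "wildcard-ops"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "apps-proxy"},
     "rules": [{"apiGroups": ["apps"], "resources": ["*/proxy"], "verbs": ["get"]}]},
    {"metadata": {"name": "aggregated-empty"}, "rules": None},
]})

if __name__ == "__main__":
    for name, verbs in audit_roles(SAMPLE).items():
        print(f"{name}: grants nodes/proxy with verbs {verbs}")
```

Each flagged role still needs its bindings reviewed to see which subjects actually hold the permission.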
Abuse Scenarios
- Access Kubelet healthz endpoint on a node via proxy.

  ```bash
  kubectl proxy &
  curl -s http://localhost:8001/api/v1/nodes/<node-name>/proxy/healthz
  # Example: curl -s http://localhost:8001/api/v1/nodes/minikube/proxy/healthz
  ```

- List all pods running on a specific node via Kubelet API.

  ```bash
  kubectl proxy &
  curl -s http://localhost:8001/api/v1/nodes/<node-name>/proxy/pods/
  # Example: curl -s http://localhost:8001/api/v1/nodes/minikube/proxy/pods/
  ```

- Retrieve logs from a specific container on a node via Kubelet API.

  ```bash
  kubectl proxy &
  curl -s http://localhost:8001/api/v1/nodes/<node-name>/proxy/containerLogs/<namespace>/<pod-name>/<container-name>
  # Example: curl -s http://localhost:8001/api/v1/nodes/minikube/proxy/containerLogs/kube-system/coredns-xxxx-yyyy/coredns
  ```