Modify node configuration (labels, taints)
Elevation of Privilege
Critical
Overview
Field | Value |
---|---|
ID | 1015 |
Name | Modify node configuration (labels, taints) |
Risk Category | Elevation of Privilege |
Risk Level | Critical |
Role Type | ClusterRole |
API Groups | core |
Resources | nodes |
Verbs | patch, update |
Tags | DenialOfService NodeAccess PotentialPrivilegeEscalation Tampering |
Description
Allows modifying node configurations, such as labels and taints, across the cluster. This can be abused to influence pod scheduling, potentially forcing sensitive workloads onto compromised nodes or causing denial of service by misconfiguring taints. It can also be a step towards privilege escalation.
Abuse Scenarios
- Add a label to a node to influence scheduling or to identify it for attack.
  ```bash
  kubectl label node <node-name> <label-key>=<label-value>
  # Example: kubectl label node minikube compromised=true
  ```
- Add a taint to a node to prevent new pods from being scheduled on it (DoS).
  ```bash
  kubectl taint node <node-name> <taint-key>=<taint-value>:<effect>
  # Example: kubectl taint node minikube NoSchedule=true:NoSchedule
  ```
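
To find which ClusterRoles in a cluster match this entry (core API group, `nodes`, `patch` or `update`), the check below walks the rules in the JSON shape produced by `kubectl get clusterroles -o json`, including wildcard grants. It is an added example, not code from the original page; the function names and the `SAMPLE` roles are constructed for illustration.

```python
# Added example, not from the original page. Input shape follows
# `kubectl get clusterroles -o json`; SAMPLE below is constructed.
WRITE_VERBS = {"patch", "update"}

def node_write_verbs(rule):
    """Return the patch/update verbs a PolicyRule grants on core-group nodes."""
    groups = set(rule.get("apiGroups") or [])
    resources = set(rule.get("resources") or [])
    verbs = set(rule.get("verbs") or [])
    # "" is the core API group; "*" is the RBAC wildcard.
    if not groups & {"", "*"} or not resources & {"nodes", "*"}:
        return set()
    return set(WRITE_VERBS) if "*" in verbs else verbs & WRITE_VERBS

def find_node_write_roles(role_list):
    """List ClusterRoles whose rules match this catalogue entry."""
    findings = []
    for role in role_list.get("items", []):
        # Nodes are cluster-scoped, so a namespaced Role cannot grant this.
        if role.get("kind") != "ClusterRole":
            continue
        for rule in role.get("rules") or []:
            verbs = node_write_verbs(rule)
            if verbs:
                findings.append({
                    "name": role["metadata"]["name"],
                    "verbs": sorted(verbs),
                    # Non-empty resourceNames limits the grant to those nodes.
                    "resourceNames": rule.get("resourceNames") or [],
                })
    return findings

def _role(kind, name, groups, resources, verbs, names=None):
    rule = {"apiGroups": groups, "resources": resources, "verbs": verbs}
    if names:
        rule["resourceNames"] = names
    return {"kind": kind, "metadata": {"name": name}, "rules": [rule]}

SAMPLE = {"items": [
    _role("ClusterRole", "node-labeler", [""], ["nodes"], ["get", "patch"], ["worker-1"]),
    _role("ClusterRole", "ops-admin", ["*"], ["*"], ["*"]),
    _role("ClusterRole", "node-reader", [""], ["nodes"], ["get", "list", "watch"]),
    _role("ClusterRole", "metrics-writer", ["metrics.k8s.io"], ["nodes"], ["update"]),
    _role("Role", "ns-role", [""], ["nodes"], ["patch", "update"]),
]}

if __name__ == "__main__":
    for f in find_node_write_roles(SAMPLE):
        print(f)
```

Each finding still needs its ClusterRoleBindings reviewed to see which subjects actually hold the permission.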