Manage PersistentVolumes (cluster-wide storage manipulation)
Tampering
Critical
Overview
| Field | Value |
|---|---|
| ID | 1017 |
| Name | Manage PersistentVolumes (cluster-wide storage manipulation) |
| Risk Category | Tampering |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | core |
| Resources | persistentvolumes |
| Risky Verb Combinations | [create] · [update] · [patch] · [delete] · [deletecollection] |
| Tags | DataExposure DataLoss DenialOfService StorageManipulation Tampering |
Description
Permits creating, updating, patching, or deleting PersistentVolumes across the cluster. PersistentVolumes are cluster-scoped objects that map to underlying storage, so this permission allows manipulation of storage used by every namespace: data exposure (a volume pointing at sensitive storage or a node's filesystem can be bound and read), data loss (deleting volumes), tampering with stored information, or denial of service (removing or rebinding volumes that running workloads depend on).
Abuse Scenarios
- Create a new PersistentVolume with hostPath to access the node filesystem.

```shell
kubectl create -f - <<EOF
apiVersion: v1
kind: PersistentVolume
metadata:
  name: hostpath-pv
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: /
EOF
```
- Delete an existing PersistentVolume, potentially causing data loss.

```shell
kubectl delete pv <persistentvolume-name>
# Example: kubectl delete pv my-app-pv
```
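A defender's first question for this entry is which ClusterRoles in a cluster actually grant the risky verb combination above. The script below is an added example, not part of this catalog or its tooling: it reads the JSON shape that `kubectl get clusterroles -o json` produces, honours RBAC wildcards (`*` in apiGroups, resources or verbs, which is how cluster-admin-style roles grant this access without naming PersistentVolumes), and reports each role with the risky verbs it grants. The function names and the sample ClusterRoles are constructed for illustration.

```python
"""Audit ClusterRoles for risky verbs on core/persistentvolumes (risk 1017).

Added example, not part of the catalog. Input shape matches
`kubectl get clusterroles -o json` (a List with "items"); the sample
roles at the bottom are constructed for illustration.
"""
import json
import sys

RISKY_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
TARGET_RESOURCE = "persistentvolumes"
CORE_GROUP = ""  # the core API group is spelled "" in RBAC PolicyRules


def rule_grants_risky_pv_access(rule: dict) -> set:
    """Return the risky verbs a single PolicyRule grants on core/persistentvolumes.

    RBAC wildcards are honoured: "*" in apiGroups, resources or verbs matches
    everything, so a cluster-admin style rule is reported as well. Rules for
    other API groups (e.g. storage.k8s.io) never match the core resource.
    """
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])

    group_match = "*" in groups or CORE_GROUP in groups
    resource_match = "*" in resources or TARGET_RESOURCE in resources
    if not (group_match and resource_match):
        return set()
    if "*" in verbs:
        return set(RISKY_VERBS)
    return RISKY_VERBS & set(verbs)


def audit_clusterroles(clusterrole_list: dict) -> dict:
    """Map each ClusterRole name to the sorted risky PV verbs it grants.

    Roles that grant none of the risky verbs are omitted from the result.
    """
    findings = {}
    for role in clusterrole_list.get("items", []):
        granted = set()
        for rule in role.get("rules") or []:  # "rules" may be null in JSON
            granted |= rule_grants_risky_pv_access(rule)
        if granted:
            findings[role["metadata"]["name"]] = sorted(granted)
    return findings


# Constructed sample in the shape `kubectl get clusterroles -o json` returns.
SAMPLE = {
    "kind": "List",
    "items": [
        {"metadata": {"name": "pv-viewer"},           # read-only: not flagged
         "rules": [{"apiGroups": [""], "resources": ["persistentvolumes"],
                    "verbs": ["get", "list", "watch"]}]},
        {"metadata": {"name": "storage-operator"},    # create/delete: flagged
         "rules": [{"apiGroups": [""], "resources": ["persistentvolumes"],
                    "verbs": ["get", "list", "create", "delete"]}]},
        {"metadata": {"name": "pvc-editor"},          # PVCs, not PVs: not flagged
         "rules": [{"apiGroups": [""], "resources": ["persistentvolumeclaims"],
                    "verbs": ["*"]}]},
        {"metadata": {"name": "everything"},          # wildcards: flagged
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    ],
}

if __name__ == "__main__":
    # Real data:  kubectl get clusterroles -o json | python3 audit_pv_rbac.py -
    # No argument: run against the constructed SAMPLE above.
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for name, verbs in audit_clusterroles(data).items():
        print(f"{name}: {', '.join(verbs)}")
```

Two points worth keeping in mind when reading the output: PersistentVolumes are cluster-scoped, so a ClusterRole flagged here only becomes exploitable through a ClusterRoleBinding (a namespaced RoleBinding to the same ClusterRole grants nothing on cluster-scoped resources), and the `everything`-style finding is the common case in practice, since operators and add-ons frequently ship wildcard rules that pick up PersistentVolume write access incidentally.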