Manage ephemeral containers cluster-wide
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1020 |
| Name | Manage ephemeral containers cluster-wide |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | core |
| Resources | pods/ephemeralcontainers |
| Verbs | update, patch |
| Tags | CodeExecution ElevationOfPrivilege LateralMovement Tampering WorkloadExecution |
Description
Permits adding or modifying ephemeral containers in any pod across the cluster. This is highly risky as it allows injecting arbitrary code into running pods, facilitating code execution, lateral movement, tampering with live applications, and privilege escalation.
Abuse Scenarios
- Add an ephemeral debug container to a running pod to gain shell access.
kubectl debug -it <pod-name> -n <namespace> --image=busybox --target=<container-name> -- sh
# Example: kubectl debug -it my-app-pod -n default --image=nicolaka/netshoot --target=my-app-container -- sh
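To find which ClusterRoles actually match this finding, the check below applies the Kubernetes RBAC matching rules (`*` wildcards, exact resource names, and the `*/<subresource>` form) to ClusterRole manifests. It is an added example, not part of the original catalog entry; the manifests are constructed samples, and in practice they would come from `kubectl get clusterroles -o json`.

```python
# Added example: flag ClusterRoles granting update/patch on pods/ephemeralcontainers.
RISK_GROUP = ""  # the core API group is the empty string in RBAC rules
RISK_RESOURCE = "pods/ephemeralcontainers"
RISK_VERBS = {"update", "patch"}


def resource_matches(rule_resource: str, resource: str) -> bool:
    """Mirror kube RBAC matching: '*', an exact name, or '*/<subresource>'."""
    if rule_resource in ("*", resource):
        return True
    _, _, sub = resource.partition("/")
    # '*/ephemeralcontainers' covers the subresource on every parent type;
    # plain 'pods' (or 'pods/*') does NOT cover the subresource.
    return bool(sub) and rule_resource == f"*/{sub}"


def rule_grants(rule: dict) -> set[str]:
    """Return the risky verbs a single PolicyRule grants, if any."""
    groups = rule.get("apiGroups", [])
    if RISK_GROUP not in groups and "*" not in groups:
        return set()
    if not any(resource_matches(r, RISK_RESOURCE) for r in rule.get("resources", [])):
        return set()
    verbs = set(rule.get("verbs", []))
    return set(RISK_VERBS) if "*" in verbs else verbs & RISK_VERBS


def risky_cluster_roles(roles: list[dict]) -> dict[str, set[str]]:
    """Map ClusterRole name -> risky verbs for roles matching this finding."""
    found: dict[str, set[str]] = {}
    for role in roles:
        if role.get("kind") != "ClusterRole":
            continue  # a namespaced Role is a lower-scope finding, not this one
        verbs: set[str] = set()
        for rule in role.get("rules", []):
            verbs |= rule_grants(rule)
        if verbs:
            found[role["metadata"]["name"]] = verbs
    return found


# Constructed sample manifests (not taken from any real cluster).
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods/ephemeralcontainers"], "verbs": ["patch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-editor"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "update", "patch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "any-subresource"},
     "rules": [{"apiGroups": ["*"], "resources": ["*/ephemeralcontainers"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "ns-debugger", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods/ephemeralcontainers"], "verbs": ["update"]}]},
]
```

Running `risky_cluster_roles(SAMPLE_ROLES)` reports `debugger` and `any-subresource` only: `pod-editor` can update pods but not the ephemeralcontainers subresource, and `ns-debugger` is a namespaced Role rather than a ClusterRole.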