# Manage ephemeral containers in a namespace
Elevation of Privilege
High
## Overview

| Field | Value |
|---|---|
| ID | 1021 |
| Name | Manage ephemeral containers in a namespace |
| Risk Category | Elevation of Privilege |
| Risk Level | High |
| Role Type | Role |
| API Groups | core |
| Resources | pods/ephemeralcontainers |
| Verbs | update, patch |
| Tags | CodeExecution LateralMovement PotentialPrivilegeEscalation Tampering WorkloadExecution |
## Description
Allows adding or modifying ephemeral containers in pods within a specific namespace. This enables injecting code into running pods in that namespace, potentially leading to code execution, lateral movement, tampering, and privilege escalation if sensitive pods are targeted.
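As an added check that is not part of this catalogue entry: a small Python script that scans Role/ClusterRole objects (the item shape of `kubectl get roles,clusterroles -A -o json`) for rules granting this permission. It applies RBAC's own resource-matching rules (`*`, an exact resource name, or `*/subresource`), so it neither over-reports plain `pods` rules nor treats `pods/*` as a wildcard; the sample objects are constructed.

```python
"""Find Role/ClusterRole objects that grant update/patch on pods/ephemeralcontainers."""
from typing import Iterable

RISKY_VERBS = {"update", "patch"}


def resource_matches(rule_resource: str) -> bool:
    # Mirrors RBAC matching: '*' (everything), the exact subresource, or the
    # '*/subresource' form. Plain 'pods' does NOT cover the subresource, and
    # 'pods/*' is not a wildcard form RBAC understands, so neither matches.
    return rule_resource in ("*", "pods/ephemeralcontainers", "*/ephemeralcontainers")


def rule_grants_ephemeral_containers(rule: dict) -> bool:
    # The catalogue calls the API group "core"; manifests spell it "".
    group_ok = any(g in ("", "*") for g in rule.get("apiGroups", []))
    resource_ok = any(resource_matches(r) for r in rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    verb_ok = "*" in verbs or bool(RISKY_VERBS & verbs)
    return group_ok and resource_ok and verb_ok


def find_risky_roles(objects: Iterable[dict]) -> list:
    """Return (kind, namespace, name) for every Role/ClusterRole with a matching rule."""
    hits = []
    for obj in objects:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        if any(rule_grants_ephemeral_containers(r) for r in obj.get("rules", [])):
            meta = obj.get("metadata", {})
            hits.append((obj["kind"], meta.get("namespace", ""), meta.get("name", "")))
    return hits


# Constructed sample objects, not exported from a real cluster.
SAMPLE_OBJECTS = [
    {"kind": "Role", "metadata": {"namespace": "production", "name": "debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods/ephemeralcontainers"], "verbs": ["patch"]}]},
    {"kind": "Role", "metadata": {"namespace": "production", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "update"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"namespace": "dev", "name": "wrong-group"},
     "rules": [{"apiGroups": ["apps"], "resources": ["pods/ephemeralcontainers"], "verbs": ["update"]}]},
]

if __name__ == "__main__":
    for kind, ns, name in find_risky_roles(SAMPLE_OBJECTS):
        print(f"{kind} {ns + '/' if ns else ''}{name}: can manage ephemeral containers")
```

Feed it the `items` array of a real export to review which roles in a namespace carry this grant; a ClusterRole hit applies to every namespace it is bound in.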
## Abuse Scenarios

- Add an ephemeral debug container to a running pod within the namespace.

```shell
kubectl debug -it <pod-name> -n <namespace> --image=busybox --target=<container-name> -- sh
# Example: kubectl debug -it my-db-pod -n production --image=alpine/git --target=db-container -- bash
```