Manage StatefulSets cluster-wide
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1037 |
| Name | Manage StatefulSets cluster-wide |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | apps |
| Resources | statefulsets |
| Verbs | create, update, patch, delete |
| Tags | Persistence, PrivilegeEscalation, Tampering, WorkloadLifecycle |
Description
Grants permission to create, update, or delete StatefulSets across all namespaces. Similar to Deployments, this can be used to deploy pods (often stateful applications) with privileged configurations, leading to privilege escalation, persistence, and tampering.
Abuse Scenarios
- Create a new StatefulSet with a privileged pod template.
```bash
kubectl create -n <namespace> -f - <<EOF
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: privileged-statefulset
spec:
  serviceName: "privileged-service"
  replicas: 1
  selector:
    matchLabels:
      app: privileged-sts
  template:
    metadata:
      labels:
        app: privileged-sts
    spec:
      containers:
      - name: attacker
        image: busybox
        command: ["/bin/sh", "-c", "sleep infinity"]
        securityContext:
          privileged: true
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
```
- Scale a critical StatefulSet to zero replicas, causing data inconsistency or DoS.
```bash
kubectl scale statefulset <statefulset-name> -n <namespace> --replicas=0
# Example: kubectl scale statefulset my-database -n production --replicas=0
```
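To find which ClusterRoles match this rule, the following added example (not part of the original page) checks each role's rules against the API group, resource and verbs in the table above, treating `*` in any field as a match. The role names and the sample data are constructed; the input shape is assumed to be that of `kubectl get clusterroles -o json`.

```python
import json

# Rule 1037 from the table above: write verbs on apps/statefulsets.
GROUP, RESOURCE = "apps", "statefulsets"
WRITE_VERBS = {"create", "update", "patch", "delete"}

def granted_write_verbs(cluster_role):
    """Union of rule-1037 verbs a ClusterRole grants on apps/statefulsets."""
    found = set()
    # "rules" may be null (e.g. an aggregated role not yet populated).
    for rule in cluster_role.get("rules") or []:
        groups = set(rule.get("apiGroups") or [])
        resources = set(rule.get("resources") or [])
        verbs = set(rule.get("verbs") or [])
        # "*" in a field matches everything, so wildcard roles are flagged too.
        if not ({GROUP, "*"} & groups and {RESOURCE, "*"} & resources):
            continue
        found |= WRITE_VERBS if "*" in verbs else WRITE_VERBS & verbs
    return found

def audit(role_list):
    """Map ClusterRole name -> sorted risky verbs, for roles that grant any."""
    report = {}
    for role in role_list.get("items", []):
        verbs = granted_write_verbs(role)
        if verbs:
            report[role["metadata"]["name"]] = sorted(verbs)
    return report

# Constructed sample in the shape of `kubectl get clusterroles -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "sts-operator"},
  "rules": [{"apiGroups": ["apps"], "resources": ["statefulsets"],
             "verbs": ["get", "list", "create", "patch"]}]},
 {"metadata": {"name": "wildcard-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"metadata": {"name": "sts-viewer"},
  "rules": [{"apiGroups": ["apps"], "resources": ["statefulsets"],
             "verbs": ["get", "list", "watch"]}]},
 {"metadata": {"name": "core-writer"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create"]}]},
 {"metadata": {"name": "aggregated-empty"}, "rules": null}
]}
""")

if __name__ == "__main__":
    for name, verbs in audit(SAMPLE).items():
        print(f"{name}: {', '.join(verbs)}")
```

This reports what each ClusterRole grants, not who holds it; the subjects come from the ClusterRoleBindings and RoleBindings that reference the flagged roles.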