Manage CustomResourceDefinitions
Tampering
Critical
Overview
Field | Value |
---|---|
ID | 1045 |
Name | Manage CustomResourceDefinitions |
Risk Category | Tampering |
Risk Level | Critical |
Role Type | ClusterRole |
API Groups | apiextensions.k8s.io |
Resources | customresourcedefinitions |
Verbs | create, update, patch, delete |
Tags | CRDManipulation PotentialPrivilegeEscalation Tampering |
Description
Permits creating, updating, or deleting CustomResourceDefinitions (CRDs). CRDs extend the Kubernetes API. Modifying CRDs can lead to tampering with custom controllers, potentially causing unexpected behavior, privilege escalation if controllers manage sensitive resources, or denial of service.
Abuse Scenarios
- Create a new CustomResourceDefinition for a malicious custom resource.

```bash
kubectl create -f - <<EOF
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: maliciousconfigs.attacker.com
spec:
  group: attacker.com
  versions:
  - name: v1
    served: true
    storage: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            x-kubernetes-preserve-unknown-fields: true
  scope: Namespaced
  names:
    plural: maliciousconfigs
    singular: maliciousconfig
    kind: MaliciousConfig
    shortNames: ["mc"]
EOF
# Example: kubectl create -f - <<EOF ... EOF
```
- Delete an existing CustomResourceDefinition, disrupting custom controllers.

```bash
kubectl delete crd <crd-name>
# Example: kubectl delete crd applications.argoproj.io
```
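Added example, not part of the catalogue entry or its tooling: a small Python audit that flags ClusterRoles granting any of the verbs listed above on customresourcedefinitions in apiextensions.k8s.io, treating `*` wildcards in apiGroups, resources or verbs as covering them. The ClusterRole objects below are constructed samples shaped like the items of `kubectl get clusterroles -o json`; the function names are this example's own.

```python
# Audit ClusterRoles for the permission described in risk 1045:
# create/update/patch/delete on customresourcedefinitions (apiextensions.k8s.io).
# Constructed example; not the catalogue's or any project's own code.

RISKY_VERBS = {"create", "update", "patch", "delete"}
API_GROUP = "apiextensions.k8s.io"
RESOURCE = "customresourcedefinitions"


def _covers(values, wanted):
    """True if an RBAC rule field matches `wanted`, exactly or via '*'."""
    return "*" in values or wanted in values


def risky_verbs_for(role):
    """Return the set of risky CRD verbs a ClusterRole dict grants."""
    granted = set()
    for rule in role.get("rules") or []:      # rules may be null in JSON
        if not _covers(rule.get("apiGroups") or [], API_GROUP):
            continue
        if not _covers(rule.get("resources") or [], RESOURCE):
            continue
        verbs = set(rule.get("verbs") or [])
        granted |= RISKY_VERBS if "*" in verbs else verbs & RISKY_VERBS
    return granted


def audit(roles):
    """Map ClusterRole name -> sorted risky verbs, only for roles that match."""
    findings = {}
    for role in roles:
        verbs = risky_verbs_for(role)
        if verbs:
            findings[role["metadata"]["name"]] = sorted(verbs)
    return findings


# Constructed sample ClusterRoles (hypothetical names).
SAMPLE_ROLES = [
    {"metadata": {"name": "crd-admin"},
     "rules": [{"apiGroups": [API_GROUP], "resources": [RESOURCE],
                "verbs": ["create", "update", "patch", "delete"]}]},
    {"metadata": {"name": "crd-viewer"},          # read-only: not flagged
     "rules": [{"apiGroups": [API_GROUP], "resources": [RESOURCE],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "wildcard-everything"},  # implicit grant via '*'
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "crd-deleter"},
     "rules": [{"apiGroups": [API_GROUP], "resources": [RESOURCE],
                "verbs": ["delete"]}]},
]

if __name__ == "__main__":
    for name, verbs in audit(SAMPLE_ROLES).items():
        print(f"{name}: {', '.join(verbs)}")
```

Bindings are the other half of the picture: a flagged ClusterRole matters in proportion to the subjects bound to it, so pair this with a pass over ClusterRoleBindings.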