Overview

| Field | Value |
|---|---|
| ID | 1056 |
| Name | Manage StorageClasses |
| Risk Category | Tampering |
| Risk Level | High |
| Role Type | ClusterRole |
| API Groups | storage.k8s.io |
| Resources | storageclasses |
| Verbs | create, update, patch, delete |
| Tags | DenialOfService, StorageManipulation, Tampering |

Description

Grants permission to create, update, or delete StorageClasses. StorageClasses define how dynamic provisioning of persistent volumes occurs. Tampering with StorageClasses can lead to denial of service (e.g., by making storage provisioning fail) or misconfiguration of storage resources.

Abuse Scenarios

1. Create a new StorageClass that points to a non-existent or malicious provisioner.

```shell
kubectl create -f - <<EOF
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: malicious-storage
provisioner: non-existent.provisioner.example.com
reclaimPolicy: Delete
volumeBindingMode: Immediate
EOF
```

2. Delete an existing StorageClass, preventing new volume provisioning.

```shell
kubectl delete storageclass <storageclass-name>
# Example: kubectl delete storageclass standard
```
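The defender-side counterpart to the scenarios above is (a) finding which ClusterRoles actually grant this permission set and (b) spotting StorageClass mutations in the API server audit log. The script below is an added example, not code from the original page or from any project. It assumes the standard Kubernetes object shapes: a `ClusterRoleList` as returned by `kubectl get clusterroles -o json`, and `audit.k8s.io/v1` events as JSON lines (`stage`, `verb`, `user.username`, `objectRef.apiGroup/resource/name`, `responseStatus.code`). The role names (`pv-reader`, `storage-admin`, `wildcard-admin`) and the audit events are constructed sample input, not data from the page.

```python
import json

# Permission set described on this page (ID1056).
RISKY_VERBS = {"create", "update", "patch", "delete"}
TARGET_GROUP = "storage.k8s.io"
TARGET_RESOURCE = "storageclasses"


def rule_storageclass_verbs(rule):
    """Risky verbs one RBAC rule grants on storageclasses.
    A '*' in apiGroups, resources or verbs is treated as a match, since a
    wildcard covers storage.k8s.io/storageclasses too."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = set(rule.get("verbs", []))
    if "*" not in groups and TARGET_GROUP not in groups:
        return []
    if "*" not in resources and TARGET_RESOURCE not in resources:
        return []
    matched = RISKY_VERBS if "*" in verbs else RISKY_VERBS & verbs
    return sorted(matched)


def find_storageclass_mutators(clusterroles_json):
    """Scan a ClusterRoleList document; return [(role name, sorted verbs)] for
    every role able to mutate StorageClasses. Rules restricted by resourceNames
    are still reported: deleting one named StorageClass is enough for a DoS."""
    doc = json.loads(clusterroles_json)
    findings = []
    for item in doc.get("items", []):
        verbs = set()
        for rule in item.get("rules", []):
            verbs.update(rule_storageclass_verbs(rule))
        if verbs:
            findings.append((item["metadata"]["name"], sorted(verbs)))
    return findings


def flag_storageclass_mutations(audit_lines):
    """Detect StorageClass mutations in audit-log JSON lines.
    Returns [(username, verb, storageclass name, HTTP status)] for
    ResponseComplete events. Denied attempts (403) are kept on purpose:
    they show which identity tried, even though nothing changed."""
    hits = []
    for line in audit_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # RequestReceived duplicates the same call
        ref = ev.get("objectRef", {})
        if ref.get("apiGroup") != TARGET_GROUP or ref.get("resource") != TARGET_RESOURCE:
            continue
        if ev.get("verb") not in RISKY_VERBS:
            continue
        hits.append((ev.get("user", {}).get("username", "<unknown>"), ev["verb"],
                     ref.get("name", "<unnamed>"),
                     ev.get("responseStatus", {}).get("code")))
    return hits


# Constructed sample input (hypothetical role names and events).
SAMPLE_CLUSTERROLES = json.dumps({"kind": "ClusterRoleList", "items": [
    {"metadata": {"name": "pv-reader"}, "rules": [
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
         "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "storage-admin"}, "rules": [
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
         "verbs": ["create", "delete"]}]},
    {"metadata": {"name": "wildcard-admin"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]})

SAMPLE_AUDIT_LINES = [json.dumps(e) for e in [
    {"stage": "RequestReceived", "verb": "create",
     "user": {"username": "system:serviceaccount:default:ci-bot"},
     "objectRef": {"apiGroup": TARGET_GROUP, "resource": TARGET_RESOURCE,
                   "name": "malicious-storage"}},
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:serviceaccount:default:ci-bot"},
     "objectRef": {"apiGroup": TARGET_GROUP, "resource": TARGET_RESOURCE,
                   "name": "malicious-storage"}, "responseStatus": {"code": 201}},
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": "alice"},
     "objectRef": {"apiGroup": TARGET_GROUP, "resource": TARGET_RESOURCE,
                   "name": "standard"}, "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "delete", "user": {"username": "bob"},
     "objectRef": {"apiGroup": TARGET_GROUP, "resource": TARGET_RESOURCE,
                   "name": "standard"}, "responseStatus": {"code": 403}},
]]

if __name__ == "__main__":
    for name, verbs in find_storageclass_mutators(SAMPLE_CLUSTERROLES):
        print(f"ClusterRole {name} can {', '.join(verbs)} storageclasses")
    for user, verb, sc, code in flag_storageclass_mutations(SAMPLE_AUDIT_LINES):
        print(f"{user} {verb} storageclass/{sc} -> HTTP {code}")
```

To run it against a live cluster, replace `SAMPLE_CLUSTERROLES` with the output of `kubectl get clusterroles -o json` and feed the audit log file to `flag_storageclass_mutations`; the role scan is static, so it lists who *could* tamper, while the audit scan shows who *did* (or tried and was denied).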