Manage RuntimeClasses
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1059 |
| Name | Manage RuntimeClasses |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | node.k8s.io |
| Resources | runtimeclasses |
| Verbs | create, update, patch, delete |
| Tags | NodeAccess PotentialPrivilegeEscalation PrivilegeEscalation Tampering |
Description
Grants control over RuntimeClasses, which define different container runtime configurations. A malicious RuntimeClass could specify a compromised runtime or allow for escape to the underlying node, leading to node access, tampering, and privilege escalation.
Abuse Scenarios
- Create a new RuntimeClass pointing to a malicious or non-existent handler.

```shell
kubectl create -f - <<EOF
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: malicious-runtime
handler: malicious-handler
EOF
```
- Delete an existing RuntimeClass, potentially disrupting workloads using it.

```shell
kubectl delete runtimeclass <runtimeclass-name>
# Example: kubectl delete runtimeclass kata
```
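The following is an added audit example, not part of the original rule page or of any tool it comes from. It shows two defender-side checks for risk 1059: finding ClusterRoles whose rules (including `*` wildcards) grant any of the write verbs on `runtimeclasses` in `node.k8s.io`, and pulling successful RuntimeClass mutations out of Kubernetes audit events. The ClusterRole and audit-event objects are assumed to have the shape produced by `kubectl get clusterroles -o json` (its `items` list) and the standard audit log; all sample objects below are constructed for the demonstration. It looks at ClusterRoles only, so bindings and aggregated roles still need separate review.

```python
"""Audit helpers for risk 1059 (Manage RuntimeClasses): added example, not the page's own code."""
import json

RISK_API_GROUP = "node.k8s.io"
RISK_RESOURCE = "runtimeclasses"
RISK_VERBS = {"create", "update", "patch", "delete"}


def _covers(wanted, granted):
    """True if an RBAC list covers `wanted`, treating '*' as a wildcard."""
    return "*" in granted or wanted in granted


def runtimeclass_write_grants(clusterroles):
    """Return {role_name: sorted write verbs} for ClusterRoles that can modify RuntimeClasses.

    A rule counts when its apiGroups cover node.k8s.io, its resources cover
    runtimeclasses (directly or via '*'), and it grants at least one write verb.
    """
    findings = {}
    for role in clusterroles:
        granted = set()
        for rule in role.get("rules") or []:
            if not _covers(RISK_API_GROUP, rule.get("apiGroups", [])):
                continue
            if not _covers(RISK_RESOURCE, rule.get("resources", [])):
                continue
            verbs = set(rule.get("verbs", []))
            granted |= RISK_VERBS if "*" in verbs else verbs & RISK_VERBS
        if granted:
            findings[role["metadata"]["name"]] = sorted(granted)
    return findings


def runtimeclass_mutations(audit_events):
    """Return (username, verb, RuntimeClass name) for successful RuntimeClass writes.

    Only ResponseComplete events with a 2xx status are kept, so denied (403) or
    failed attempts are excluded; drop the status filter to see attempts too.
    """
    hits = []
    for ev in audit_events:
        ref = ev.get("objectRef", {})
        if ref.get("apiGroup") != RISK_API_GROUP or ref.get("resource") != RISK_RESOURCE:
            continue
        if ev.get("verb") not in RISK_VERBS or ev.get("stage") != "ResponseComplete":
            continue
        if not 200 <= ev.get("responseStatus", {}).get("code", 0) < 300:
            continue
        hits.append((ev["user"]["username"], ev["verb"], ref.get("name", "")))
    return hits


def _rule(groups, resources, verbs):
    return {"apiGroups": groups, "resources": resources, "verbs": verbs}


# Constructed sample ClusterRoles (shape of `kubectl get clusterroles -o json` items).
SAMPLE_CLUSTERROLES = [
    {"metadata": {"name": "cluster-admin"}, "rules": [_rule(["*"], ["*"], ["*"])]},
    {"metadata": {"name": "runtimeclass-editor"},
     "rules": [_rule(["node.k8s.io"], ["runtimeclasses"], ["get", "create", "delete"])]},
    {"metadata": {"name": "runtimeclass-viewer"},
     "rules": [_rule(["node.k8s.io"], ["runtimeclasses"], ["get", "list", "watch"])]},
    {"metadata": {"name": "pod-reader"}, "rules": [_rule([""], ["pods"], ["get", "list"])]},
]


def _event(user, verb, resource, group, name, code):
    return {"stage": "ResponseComplete", "verb": verb, "user": {"username": user},
            "objectRef": {"resource": resource, "apiGroup": group, "name": name},
            "responseStatus": {"code": code}}


# Constructed sample audit events (standard audit.k8s.io Event fields).
SAMPLE_AUDIT_EVENTS = [
    _event("alice", "create", "runtimeclasses", "node.k8s.io", "example-runtime", 201),
    _event("bob", "delete", "runtimeclasses", "node.k8s.io", "kata", 200),
    _event("mallory", "create", "runtimeclasses", "node.k8s.io", "denied-runtime", 403),
    _event("carol", "get", "runtimeclasses", "node.k8s.io", "kata", 200),
    _event("dave", "create", "pods", "", "web-1", 201),
]

if __name__ == "__main__":
    print(json.dumps(runtimeclass_write_grants(SAMPLE_CLUSTERROLES), indent=2))
    print(json.dumps(runtimeclass_mutations(SAMPLE_AUDIT_EVENTS), indent=2))
```

To run it against a live cluster, feed `json.load(...)["items"]` from `kubectl get clusterroles -o json` to `runtimeclass_write_grants`, and the parsed lines of the API server audit log to `runtimeclass_mutations`; the audit policy must record at least `Metadata` level for `node.k8s.io` resources for those events to exist.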