Use privileged PodSecurityPolicy (deprecated)
Elevation of Privilege
Critical
Overview
Field | Value |
---|---|
ID | 1078 |
Name | Use privileged PodSecurityPolicy (deprecated) |
Risk Category | Elevation of Privilege |
Risk Level | Critical |
Role Type | ClusterRole |
API Groups | policy, extensions |
Resources | podsecuritypolicies |
Verbs | use |
Tags | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation |
Description
Allows a user or service account to use a specific PodSecurityPolicy (PSP) that may grant excessive privileges (e.g., hostPath mounts, privileged mode). If the PSP is overly permissive, this leads to direct privilege escalation, because the subject can create pods that use it. (Note: PSPs are deprecated in 1.21 and removed in 1.25.)
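
An audit check for this rule, as an added example rather than part of the original catalog entry: it takes RBAC role objects and PSP objects (the `items` of `kubectl get ... -o json` output) and reports each role that can `use` a PSP allowing privileged mode, hostPath volumes, or host namespaces. The host-namespace checks go slightly beyond the two settings named above; all function names, role names, and sample objects are constructed for illustration.

```python
# Added example: audit RBAC roles for `use` on risky PodSecurityPolicies (sample data is constructed).
PSP_GROUPS = {"policy", "extensions", "*"}

def grants_psp_use(rule):
    """True if one RBAC rule grants the 'use' verb on podsecuritypolicies."""
    return bool(PSP_GROUPS & set(rule.get("apiGroups", []))
                and {"podsecuritypolicies", "*"} & set(rule.get("resources", []))
                and {"use", "*"} & set(rule.get("verbs", [])))

def psp_risks(psp):
    """Return the host-level settings a PSP allows, as a tuple of names."""
    spec = psp.get("spec", {})
    risks = ["privileged"] if spec.get("privileged") else []
    if {"hostPath", "*"} & set(spec.get("volumes", [])):
        risks.append("hostPath")
    risks += [f for f in ("hostPID", "hostNetwork", "hostIPC") if spec.get(f)]
    return tuple(risks)

def audit(roles, psps):
    """Return sorted (role, psp, risks) for every risky PSP a role may use."""
    risky = {p["metadata"]["name"]: psp_risks(p) for p in psps}
    findings = set()
    for role in roles:
        for rule in role.get("rules") or []:  # aggregated roles can have null rules
            if grants_psp_use(rule):
                # Empty or missing resourceNames means the rule covers every PSP.
                for name in rule.get("resourceNames") or risky:
                    if risky.get(name):
                        findings.add((role["metadata"]["name"], name, risky[name]))
    return sorted(findings)

def _role(name, groups, resources, verbs, names=()):
    """Build a minimal ClusterRole object for the constructed sample below."""
    rule = {"apiGroups": groups, "resources": resources, "verbs": verbs, "resourceNames": list(names)}
    return {"kind": "ClusterRole", "metadata": {"name": name}, "rules": [rule]}

SAMPLE_PSPS = [  # constructed
    {"metadata": {"name": "privileged"}, "spec": {"privileged": True, "volumes": ["*"], "hostPID": True}},
    {"metadata": {"name": "restricted"}, "spec": {"privileged": False, "volumes": ["configMap", "secret"]}},
]
SAMPLE_ROLES = [  # constructed
    _role("psp-privileged-user", ["policy"], ["podsecuritypolicies"], ["use"], ["privileged"]),
    _role("psp-restricted-user", ["policy"], ["podsecuritypolicies"], ["use"], ["restricted"]),
    _role("wildcard-admin", ["*"], ["*"], ["*"]),
    _role("pod-reader", [""], ["pods"], ["get", "list"]),
]

if __name__ == "__main__":
    for role, psp, risks in audit(SAMPLE_ROLES, SAMPLE_PSPS):
        print(f"{role}: may use PSP '{psp}' allowing {', '.join(risks)}")
```

Wildcard rules are matched as well, so a role granting `*` on `*` is reported alongside roles that name the PSP explicitly.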
Abuse Scenarios
- Create a pod that attempts to use a privileged PodSecurityPolicy.

```bash
# This command will succeed if a privileged PSP is available and the user has 'use' permission on it.
kubectl create -n <namespace> -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: psp-privileged-pod
spec:
  containers:
  - name: attacker
    image: busybox
    command: ["/bin/sh", "-c", "sleep infinity"]
    securityContext:
      privileged: true # This requires a PSP that allows privileged containers
  restartPolicy: Never
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
```