Manage Leases cluster-wide
Tampering
Critical
Overview
Field | Value |
---|---|
ID | 1080 |
Name | Manage Leases cluster-wide |
Risk Category | Tampering |
Risk Level | Critical |
Role Type | ClusterRole |
API Groups | coordination.k8s.io |
Resources | leases |
Verbs | create, update, patch, delete, get, list |
Tags | ControlPlaneDisruption DenialOfService LeaderElectionAbuse Tampering |
Description
Allows managing Lease objects across all namespaces. Leases are used for leader election by control plane components and controllers. Tampering with leases can disrupt critical cluster operations, cause denial of service, or potentially force a malicious controller to become a leader.
Abuse Scenarios
- List all Lease objects across all namespaces.

      kubectl get leases --all-namespaces

- Delete a critical Lease object (e.g., for a controller), causing disruption.

      kubectl delete lease <lease-name> -n <namespace>
      # Example: kubectl delete lease kube-controller-manager -n kube-system
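
A defender-side check for this rule, as an added example that is not part of the original catalogue entry: it scans ClusterRole and ClusterRoleBinding objects for write verbs on leases and lists who is bound to them cluster-wide. It assumes the inputs are the `items` arrays from `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`; the function names and sample objects are constructed for illustration.

```python
WRITE_VERBS = {"create", "update", "patch", "delete"}

def lease_write_verbs(rule):
    """Write verbs one RBAC PolicyRule grants on coordination.k8s.io leases."""
    groups = set(rule.get("apiGroups") or [])
    resources = set(rule.get("resources") or [])
    # A rule matches if it names the group/resource or uses the "*" wildcard.
    if not (groups & {"*", "coordination.k8s.io"} and resources & {"*", "leases"}):
        return set()
    verbs = set(rule.get("verbs") or [])
    return set(WRITE_VERBS) if "*" in verbs else verbs & WRITE_VERBS

def audit(cluster_roles, cluster_role_bindings):
    """Return {ClusterRole name: {"verbs": [...], "subjects": [...]}} for risky roles."""
    risky = {}
    for role in cluster_roles:
        verbs = set()
        for rule in role.get("rules") or []:  # "rules" may be null or absent
            verbs |= lease_write_verbs(rule)
        if verbs:
            risky[role["metadata"]["name"]] = {"verbs": sorted(verbs), "subjects": []}
    # Only a ClusterRoleBinding makes the grant apply in every namespace.
    for crb in cluster_role_bindings:
        ref = crb["roleRef"]
        if ref["kind"] == "ClusterRole" and ref["name"] in risky:
            for s in crb.get("subjects") or []:
                who = f"{s['namespace']}/{s['name']}" if s.get("namespace") else s["name"]
                risky[ref["name"]]["subjects"].append(f"{s['kind']}:{who}")
    return risky

# Constructed sample objects (not taken from a real cluster).
def _role(name, groups, resources, verbs):
    return {"metadata": {"name": name},
            "rules": [{"apiGroups": groups, "resources": resources, "verbs": verbs}]}

SAMPLE_ROLES = [
    _role("lease-admin", ["coordination.k8s.io"], ["leases"],
          ["create", "update", "patch", "delete", "get", "list"]),
    _role("lease-reader", ["coordination.k8s.io"], ["leases"], ["get", "list"]),
    _role("wildcard-ops", ["*"], ["*"], ["*"]),
    _role("pod-editor", [""], ["pods"], ["update", "patch"]),
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "lease-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ops", "name": "custom-controller"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "lease-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]
if __name__ == "__main__":
    for name, hit in audit(SAMPLE_ROLES, SAMPLE_BINDINGS).items():
        print(name, hit["verbs"], hit["subjects"] or "unbound")
```

Read-only roles (`get`, `list`) are not reported, and a flagged role with no subjects is granted nowhere cluster-wide until a ClusterRoleBinding references it.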