Manage Leases in kube-system or kube-node-lease namespace
Tampering
Critical
Overview
| Field | Value |
|---|---|
| ID | 1081 |
| Name | Manage Leases in kube-system or kube-node-lease namespace |
| Risk Category | Tampering |
| Risk Level | Critical |
| Role Type | Role |
| API Groups | coordination.k8s.io |
| Resources | leases |
| Verbs | create, update, patch, delete |
| Tags | ControlPlaneDisruption, CriticalNamespace, DenialOfService, Tampering |
Description
Allows managing Lease objects in critical namespaces like ‘kube-system’ or ‘kube-node-lease’. This is highly critical because it can disrupt core Kubernetes components, cause node instability, or lead to denial of service.
Abuse Scenarios
- Delete a critical Lease object in the ‘kube-system’ namespace.

  ```bash
  kubectl delete lease <lease-name> -n kube-system
  # Example: kubectl delete lease kube-scheduler -n kube-system
  ```

- Update a Lease object to change its holder identity, potentially hijacking leadership.

  ```bash
  # This is complex and requires knowing the current lease holder and its acquireTime.
  # It's more of an API interaction than a simple kubectl command.
  kubectl patch lease <lease-name> -n <namespace> --type='json' -p='[{"op": "replace", "path": "/spec/holderIdentity", "value": "malicious-controller"}]'
  ```
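
To audit a cluster for this rule, the following added example (not part of the original rule catalogue) scans Role objects for write verbs on `leases` in the two critical namespaces. It assumes input shaped like the output of `kubectl get roles -A -o json`; the function names and the sample Roles are hypothetical and constructed for illustration.

```python
# Added example: flag Roles that match rule 1081 (write access to Leases
# in kube-system or kube-node-lease). Function names are hypothetical.
CRITICAL_NAMESPACES = {"kube-system", "kube-node-lease"}
WRITE_VERBS = {"create", "update", "patch", "delete"}

SAMPLE = {"items": [  # constructed sample data, not from a real cluster
    {"kind": "Role", "metadata": {"namespace": "kube-system", "name": "lease-writer"},
     "rules": [{"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
                "verbs": ["get", "update", "patch"]}]},
    {"kind": "Role", "metadata": {"namespace": "kube-node-lease", "name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"namespace": "kube-system", "name": "lease-reader"},
     "rules": [{"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"namespace": "default", "name": "app-elector"},
     "rules": [{"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
                "verbs": ["create", "update"]}]},
]}


def _matches(values, wanted):
    """RBAC lists match on an exact entry or on the '*' wildcard."""
    values = set(values or [])
    return "*" in values or bool(values & wanted)


def risky_lease_verbs(rule):
    """Return the write verbs one PolicyRule grants on leases (empty set if none)."""
    if not _matches(rule.get("apiGroups"), {"coordination.k8s.io"}):
        return set()
    if not _matches(rule.get("resources"), {"leases"}):
        return set()
    verbs = set(rule.get("verbs") or [])
    return set(WRITE_VERBS) if "*" in verbs else verbs & WRITE_VERBS


def find_risky_roles(role_list):
    """Return (namespace, name, sorted verbs) for each Role matching the rule."""
    findings = []
    for role in role_list.get("items", []):
        meta = role.get("metadata", {})
        if role.get("kind", "Role") != "Role" or meta.get("namespace") not in CRITICAL_NAMESPACES:
            continue
        verbs = set()
        for rule in role.get("rules") or []:
            verbs |= risky_lease_verbs(rule)
        if verbs:
            findings.append((meta["namespace"], meta["name"], sorted(verbs)))
    return findings
```

Each finding still needs its RoleBindings reviewed to see which subjects actually hold the permission.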