Manage VolumeAttachments (Cluster-wide Storage/Node Manipulation)
Tampering
Critical
Overview
| Field | Value |
|---|---|
| ID | 1102 |
| Name | Manage VolumeAttachments (Cluster-wide Storage/Node Manipulation) |
| Risk Category | Tampering |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | storage.k8s.io |
| Resources | volumeattachments |
| Verbs | create, update, patch, delete, get, list, watch |
| Tags | DataExposure DenialOfService NodeAccess PotentialPrivilegeEscalation StorageManipulation (+1 more) |
Description
Allows managing VolumeAttachment objects cluster-wide. VolumeAttachments link persistent volumes to nodes. Control over these can allow an attacker to detach volumes from nodes (DoS), potentially attach volumes to attacker-controlled nodes (data theft), or interfere with legitimate storage operations.
Abuse Scenarios
- List all VolumeAttachments in the cluster.
  ```shell
  kubectl get volumeattachments
  ```
- Delete a VolumeAttachment, potentially detaching a volume and causing disruption.
  ```shell
  kubectl delete volumeattachment <volumeattachment-name>
  # Example: kubectl delete volumeattachment pvc-12345-node-minikube
  ```
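As an added defender-side check, not part of this catalogue entry, the following Python audits the parsed output of `kubectl get clusterroles,clusterrolebindings -o json` for ClusterRoles that grant any write verb on `storage.k8s.io/volumeattachments` and reports who is bound to them, honouring `*` wildcards. The sample role and binding manifests, the `csi-attacher` identity and the allowlist are constructed assumptions.

```python
# Added audit helper, not from this catalogue: find ClusterRoles that can write
# storage.k8s.io/volumeattachments and the subjects bound to them. Sample data is constructed.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
ALL_VERBS = WRITE_VERBS | {"get", "list", "watch"}

def granted_verbs(role, group="storage.k8s.io", resource="volumeattachments"):
    """Union of verbs a role grants on group/resource, honouring '*' wildcards."""
    verbs = set()
    for rule in role.get("rules", []):
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        if ("*" in groups or group in groups) and ("*" in resources or resource in resources):
            verbs |= ALL_VERBS if "*" in rule.get("verbs", []) else set(rule.get("verbs", []))
    return verbs

def bound_subjects(role_name, bindings):
    """Subjects holding a ClusterRole via ClusterRoleBinding (RoleBindings cannot grant a cluster-scoped resource)."""
    subs = []
    for b in bindings:
        ref = b["roleRef"]
        if ref["kind"] == "ClusterRole" and ref["name"] == role_name:
            for s in b.get("subjects", []):
                subs.append("/".join(p for p in (s["kind"], s.get("namespace"), s["name"]) if p))
    return sorted(subs)

def volumeattachment_writers(roles, bindings, allowlist=frozenset()):
    """Map role -> non-allowlisted subjects for every role able to write VolumeAttachments."""
    return {r["metadata"]["name"]: [s for s in bound_subjects(r["metadata"]["name"], bindings)
                                    if s not in allowlist]
            for r in roles if granted_verbs(r) & WRITE_VERBS}

# Constructed sample manifests (minimal fields only); csi-attacher is a hypothetical sidecar identity.
SAMPLE_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "storage-viewer"},
     "rules": [{"apiGroups": ["storage.k8s.io"], "resources": ["volumeattachments"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "csi-attacher"},
     "rules": [{"apiGroups": ["storage.k8s.io"], "resources": ["volumeattachments"],
                "verbs": ["get", "list", "watch", "patch"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "csi-attacher"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "csi-attacher"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "storage-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]
```

Pass the identities you expect to hold this permission (the attach/detach controller, your CSI attacher) as `allowlist`, so only unexpected grants remain in the result.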