services / Google Cloud / APIServices

API Services provide a way to advertise a Kubernetes API that is implemented across multiple versions of Kubernetes. They are used to register and expose APIs for Kubernetes extensions and custom resources. They also provide a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources.

API Services can be used to track the availability and health of API servers and extensions in the cluster. For custom resources, an APIService can set `insecureSkipTLSVerify` to true, which allows unauthenticated communication with the custom resource's endpoints.


container.apiServices.create

Together with the ability to deploy a new Kubernetes service in the cluster, an attacker can configure an APIService to expose that new service with custom authentication settings, which opens a backdoor to the cluster.
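To review a cluster for the configuration described above, the following added example (not part of the catalog or of any P0 Security tooling) audits the JSON produced by `kubectl get apiservices -o json` and reports aggregated APIServices that set `insecureSkipTLSVerify` or point at a Service outside an allow-listed namespace. The sample objects, the `TRUSTED_NAMESPACES` allow-list and the function name are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `kubectl get apiservices -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "v1.apps"},
   "spec": {"group": "apps", "version": "v1"}},
  {"metadata": {"name": "v1beta1.metrics.k8s.io"},
   "spec": {"group": "metrics.k8s.io", "version": "v1beta1",
            "service": {"namespace": "kube-system", "name": "metrics-server"},
            "caBundle": "Q0EK"}},
  {"metadata": {"name": "v1.example.internal"},
   "spec": {"group": "example.internal", "version": "v1",
            "service": {"namespace": "default", "name": "new-svc"},
            "insecureSkipTLSVerify": true}}
]}
""")

# Assumption: namespaces where extension API servers are expected to run.
TRUSTED_NAMESPACES = {"kube-system"}


def audit_apiservices(doc, trusted_namespaces=TRUSTED_NAMESPACES):
    """Return one finding per aggregated APIService that needs review."""
    findings = []
    for item in doc.get("items", []):
        spec = item.get("spec", {})
        svc = spec.get("service")
        if not svc:  # served locally by kube-apiserver, no backing Service
            continue
        reasons = []
        if spec.get("insecureSkipTLSVerify"):
            reasons.append("insecureSkipTLSVerify=true")
        if svc.get("namespace") not in trusted_namespaces:
            reasons.append("backing Service outside trusted namespaces")
        if reasons:
            findings.append({
                "apiservice": item["metadata"]["name"],
                "service": f'{svc.get("namespace")}/{svc.get("name")}',
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_apiservices(SAMPLE):
        print(f'{f["apiservice"]} -> {f["service"]}: {", ".join(f["reasons"])}')
```

Findings from this check can be correlated with audit-log entries for `container.apiServices.create` to see which principal registered the APIService.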

Risks

Scope: MEDIUM

This privilege may grant access to confidential data, or its exploit can incur operational cost.

Contributed by P0 Security

© 2023–present P0 Security and contributors to the IAM Privilege Catalog