services / Google Cloud / Kubernetes Engine Clusters

Manages Kubernetes clusters on Google Kubernetes Engine

One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represents workloads and configuration running on the cluster, managed by Kubernetes.

container.​clusters.​create

Allows creating a new Kubernetes cluster. Also requires access to a Compute Engine service account. By default, GKE uses the Compute Engine default service account, and cluster creation fails unless the user has the `iam.serviceAccounts.actAs` permission to the service account.

Risks

1. Resource hijacking (MEDIUM)
2. Spend (MEDIUM)

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.