services / Google Cloud / DaemonSets
Control Kubernetes DaemonSets objects.
DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.
container.daemonSets.update
An update may let an attacker change the container image that is running inside pods. This may allow arbitrary code execution, if the cluster has access to the public internet. The code may execute with service account privileges, leading to new permissions that may allow access to other services. Since DaemonSet runs a pod on multiple nodes, DaemonSets are especially great for a complete cluster takeover. Secondly, DaemonSet pods drain the limited resources available to other Kubernetes workloads.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security