
Control Kubernetes Deployment objects.

Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods running within a Deployment. Applications can scale, load balance, and seamlessly handle changes in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, so the ability to create or modify one can lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. In addition, creating Deployments or raising their replica count consumes the limited resources available to other Kubernetes workloads.


container.deployments.getScale

Allows reading the `/apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale` subresource which returns the number of desired replicas in the Deployment. The `deployments.get` permission already includes the ability to read this subresource.
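To show how the subresource path above is authorized on the Kubernetes side, here is a small Python mirror of Kubernetes RBAC rule matching with constructed Role rules (an added example, not the catalog's or Kubernetes' own code). It illustrates that, in contrast to the GCP permission model described above, a Kubernetes RBAC grant on `deployments` does not cover `deployments/scale`, so a least-privilege scale reader must name the subresource explicitly; the role names and paths are assumptions made up for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    """One rule of a Kubernetes RBAC Role/ClusterRole (apiGroups, resources, verbs)."""
    api_groups: tuple[str, ...]
    resources: tuple[str, ...]
    verbs: tuple[str, ...]


def parse_namespaced_path(path: str) -> tuple[str, str, str]:
    """Split a namespaced API path into (apiGroup, resource, subresource).

    Handles /apis/<group>/<version>/namespaces/<ns>/<resource>/<name>[/<sub>]
    and the core-group form /api/v1/namespaces/<ns>/<resource>/<name>[/<sub>].
    """
    parts = path.strip("/").split("/")
    if parts[0] == "api":            # core group has the empty apiGroup name
        group, rest = "", parts[2:]
    elif parts[0] == "apis":
        group, rest = parts[1], parts[3:]
    else:
        raise ValueError(f"not a Kubernetes API resource path: {path}")
    if len(rest) < 4 or rest[0] != "namespaces":
        raise ValueError(f"not a namespaced object path: {path}")
    subresource = rest[4] if len(rest) > 4 else ""
    return group, rest[2], subresource


def resource_matches(rule: PolicyRule, resource: str, subresource: str) -> bool:
    """Mirror RBAC resource matching: '*' matches all; otherwise the entry must equal
    'resource/subresource' exactly or use the '*/<subresource>' form. A bare
    'deployments' entry therefore does NOT cover 'deployments/scale'."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for entry in rule.resources:
        if entry == "*" or entry == combined:
            return True
        if subresource and entry == f"*/{subresource}":
            return True
    return False


def rules_allow(rules: tuple[PolicyRule, ...], verb: str, path: str) -> bool:
    """True if any rule grants `verb` on the object addressed by `path`."""
    group, resource, subresource = parse_namespaced_path(path)
    return any(("*" in r.verbs or verb in r.verbs)
               and ("*" in r.api_groups or group in r.api_groups)
               and resource_matches(r, resource, subresource) for r in rules)


# Constructed roles and paths for the demonstration (hypothetical names).
SCALE_READER = (PolicyRule(("apps",), ("deployments/scale",), ("get",)),)
DEPLOYMENT_READER = (PolicyRule(("apps",), ("deployments",), ("get", "list")),)
SCALE_PATH = "/apis/apps/v1/namespaces/prod/deployments/web/scale"
DEPLOYMENT_PATH = "/apis/apps/v1/namespaces/prod/deployments/web"

if __name__ == "__main__":
    print(rules_allow(SCALE_READER, "get", SCALE_PATH))       # True
    print(rules_allow(SCALE_READER, "get", DEPLOYMENT_PATH))  # False: cannot read the full spec
    print(rules_allow(DEPLOYMENT_READER, "get", SCALE_PATH))  # False: subresource is separate in RBAC
```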

Risks

Scope: LOW

This privilege allows access to data that is not meant to be public but is otherwise not sensitive.

Links

  • https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
  • https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog