services / Google Cloud / Jobs

A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete, by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes. Jobs are typically used for batch processes, report generation or maintenance tasks.

The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose the data on that volume to attackers.


container.​jobs.​getStatus

Equivalent to `jobs.get`. Allows reading the `/apis/batch/v1/namespaces/{namespace}/deployments/{name}/status` subresource which returns the same payload as the `/apis/batch/v1/namespaces/{namespace}/deployments/{name}` resource.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​kubernetes.​io/​docs/​concepts/​workloads/​controllers/​job
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog