A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete, by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes. Jobs are typically used for batch processes, report generation or maintenance tasks.
The security implications of Jobs are similar to those of other controllers, such as Deployments. A Job ultimately runs a container image, and may therefore allow arbitrary code execution in the cluster. That code runs with the privileges of the service account the Pod uses, so it may lead to privilege escalation. Creating Jobs consumes cluster resources that would otherwise be available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose the data on those volumes to attackers.
container.jobs.list
Allows listing all Jobs in a namespace.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security