services / Google Cloud / StatefulSets
Control Kubernetes StatefulSets objects.
StatefulSets manage Pods much as Deployments, ReplicaSets, and DaemonSets do, but with different guarantees. As such, the primary security concerns are the container images running on these Pods and the resources the Pods consume from the Kubernetes cluster.
container.statefulSets.updateScale
If properties other than replicas are set in the PATCH request, they are silently ignored. In addition, increasing the replica count of a StatefulSet may disrupt the stateful service and/or drain the limited resources available to other Kubernetes workloads.
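One way to bound the resource-drain risk described above is a namespace quota, so that a raised replica count is rejected at admission once the namespace's budget is spent. This is an added example, not part of the original page or of P0 Security's catalog; the namespace name stateful-apps, the object names, and every numeric limit are assumed values.

```yaml
# Added example: namespace, object names and all limits below are assumptions.
# ResourceQuota caps what all workloads in the namespace can consume, so
# scaling a StatefulSet up stops when the quota is exhausted: the controller's
# attempts to create further Pods (and their PVCs) are rejected at admission.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: stateful-apps-quota
  namespace: stateful-apps
spec:
  hard:
    pods: "20"                      # upper bound on Pods, hence on total replicas
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    persistentvolumeclaims: "20"    # each replica gets one PVC per volumeClaimTemplate
    requests.storage: 200Gi
---
# With compute quotas in force, Pods that omit requests/limits are rejected.
# LimitRange supplies defaults so existing StatefulSet templates keep working.
apiVersion: v1
kind: LimitRange
metadata:
  name: stateful-apps-defaults
  namespace: stateful-apps
spec:
  limits:
    - type: Container
      defaultRequest:
        cpu: 250m
        memory: 256Mi
      default:
        cpu: 500m
        memory: 512Mi
```

A quota applies only to its own namespace, so each namespace that hosts StatefulSets needs one.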
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security