services / Google Cloud / Kubernetes Engine DaemonSets

Control Kubernetes DaemonSets objects in a given cluster.

DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.

container.​daemonSets.​create

Creation of DaemonSets allows running an image inside the Kubernetes cluster. This may allow arbitrary code execution, if the cluster has access to the public internet. The code will execute with service account privileges, leading to new permissions that may allow access to other GCP services. Secondly, creating DaemonSets drains the limited resources available to other Kubernetes workloads.

Risks

1. Lateral movement (BOOST)
2. Network movement (BOOST)
3. Resource hijacking (MEDIUM)
4. Spend (MEDIUM)

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.