services / Google Cloud / DaemonSets
Control Kubernetes DaemonSet objects.
DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures that the desired number of pods is running on each node. If DaemonSet pods are allowed to connect to the public internet, this may open the door to arbitrary code execution by an attacker. See the notes on `container/deployments` for mitigations.
container.daemonSets.getStatus
Equivalent to `daemonSets.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}` resource.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security