Google Cloud: Kubernetes Jobs
A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete, by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes. Jobs are typically used for batch processes, report generation or maintenance tasks.
The security implications of Jobs are similar to those of other controllers, such as Deployments. A Job ultimately runs a container image, and may therefore allow arbitrary code execution in the cluster. That code runs with the privileges of the service account the Pod runs as, so it may lead to privilege escalation. Creating Jobs consumes cluster resources that are then unavailable to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose the data on those volumes to an attacker who controls the Job.
container.jobs.create
Jobs tie up compute resources in Kubernetes that cannot be allocated to another workload while the Job is present. Jobs run a user-specified container image, which may allow an attacker to escalate privileges by running arbitrary code inside the workload with the Pod's service account privileges. Persistent Volumes may be attached to Jobs, so the data on those volumes is exposed to the Job's container.
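The three risk factors above (service-account privileges, resource consumption, and volume exposure) map to concrete fields in a Job manifest, so they can be checked before a Job is admitted. The following is an added example, not code from P0 Security or from Kubernetes: a small audit over two constructed manifests (hypothetical names such as nightly-report, reports-pvc and report-runner), one with the defaults an unrestricted container.jobs.create caller could submit and one hardened to the limits a defender would expect. Manifests are given as Python dicts rather than YAML so the example runs without extra libraries.

```python
from typing import Any, Dict, List

# Constructed sample: a Job submitted with cluster defaults left in place.
# Names are hypothetical and do not refer to any real cluster.
RISKY_JOB: Dict[str, Any] = {
    "apiVersion": "batch/v1",
    "kind": "Job",
    "metadata": {"name": "nightly-report", "namespace": "reports"},
    "spec": {
        "backoffLimit": 6,
        "template": {"spec": {
            "restartPolicy": "OnFailure",
            "containers": [{
                "name": "report",
                "image": "registry.example/report:latest",
                "volumeMounts": [{"name": "data", "mountPath": "/data"}],
            }],
            "volumes": [{"name": "data",
                         "persistentVolumeClaim": {"claimName": "reports-pvc"}}],
        }},
    },
}

# Constructed sample: the same Job with the exposure of each risk factor reduced.
HARDENED_JOB: Dict[str, Any] = {
    "apiVersion": "batch/v1",
    "kind": "Job",
    "metadata": {"name": "nightly-report", "namespace": "reports"},
    "spec": {
        "backoffLimit": 2,
        "activeDeadlineSeconds": 1800,          # bound how long retries may run
        "template": {"spec": {
            "restartPolicy": "OnFailure",
            "serviceAccountName": "report-runner",  # dedicated, least-privilege SA
            "automountServiceAccountToken": False,  # no API token inside the container
            "containers": [{
                "name": "report",
                "image": "registry.example/report:latest",
                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                "securityContext": {"privileged": False, "runAsNonRoot": True,
                                    "allowPrivilegeEscalation": False},
                "volumeMounts": [{"name": "data", "mountPath": "/data", "readOnly": True}],
            }],
            "volumes": [{"name": "data",
                         "persistentVolumeClaim": {"claimName": "reports-pvc", "readOnly": True}}],
        }},
    },
}


def audit_job(job: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means no risk factor was detected."""
    findings: List[str] = []
    if job.get("kind") != "Job":
        return ["not a Job manifest"]
    spec = job.get("spec", {})
    pod = spec.get("template", {}).get("spec", {})
    containers = pod.get("containers", [])

    # 1. Service-account privileges available to code in the container.
    if pod.get("serviceAccountName", "default") == "default":
        findings.append("uses the namespace 'default' service account")
    if pod.get("automountServiceAccountToken") is not False:
        findings.append("service account token is automounted into the container")

    # 2. Resource consumption: unbounded retries and containers without limits.
    if "activeDeadlineSeconds" not in spec:
        findings.append("no activeDeadlineSeconds: retried Pods can hold resources indefinitely")
    for c in containers:
        limits = c.get("resources", {}).get("limits", {})
        missing = [r for r in ("cpu", "memory") if r not in limits]
        if missing:
            findings.append(f"container '{c['name']}' has no {'/'.join(missing)} limit")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container '{c['name']}' is privileged")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"container '{c['name']}' allows privilege escalation")

    # 3. Volume exposure: node filesystem or writable persistent data reachable by the Job.
    mounts: Dict[str, List[Dict[str, Any]]] = {}
    for c in containers:
        for m in c.get("volumeMounts", []):
            mounts.setdefault(m["name"], []).append(m)
    for v in pod.get("volumes", []):
        if "hostPath" in v:
            findings.append(f"volume '{v['name']}' is a hostPath mount of the node filesystem")
        if "persistentVolumeClaim" in v:
            if any(not m.get("readOnly", False) for m in mounts.get(v["name"], [])):
                claim = v["persistentVolumeClaim"]["claimName"]
                findings.append(f"PersistentVolumeClaim '{claim}' is mounted writable")
    return findings


if __name__ == "__main__":
    for label, job in (("risky", RISKY_JOB), ("hardened", HARDENED_JOB)):
        print(label, audit_job(job))
```

The same checks can be enforced at admission time with a validating policy (for example a ValidatingAdmissionPolicy or an admission webhook) so that holders of container.jobs.create cannot submit a Job that fails them; the script is useful for reviewing manifests in a repository before they reach the cluster.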
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security