services / Google Cloud / Kubernetes Engine ReplicaSets

Control Kubernetes ReplicaSet objects in a given cluster.

ReplicaSets maintain a desired number of Pod replicas and handle situations like Pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose risks very similar to those of Deployments, the key privilege being the ability to specify the container image that runs in the Pods managed by the ReplicaSet. If the cluster can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. In addition, creating ReplicaSets or updating their replica count drains the limited resources available to other Kubernetes workloads.


container.replicaSets.update

Only ReplicaSets without a Deployment may be updated. Updates to ReplicaSets owned by a Deployment will succeed but have no effect on the ReplicaSet. An update may set the replica count to 0, which effectively deletes the application. An update may also let an attacker change the container image that is running inside Pods, potentially leading to a complete takeover of the Kubernetes cluster. In addition, increasing the replica count in ReplicaSets drains the limited resources available to other Kubernetes workloads. Persistent volumes may also be attached to the Pods, which may provide access to sensitive data.
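An audit for the conditions described above, as an added example that is not part of the catalog: it lists ReplicaSets with no owning Deployment (the ones a direct update actually changes) and flags their images, replica counts and persistent volume claims. The registry allowlist, the replica ceiling and the sample objects are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get replicasets -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "prod", "name": "web-5d9c7",
                "ownerReferences": [{"kind": "Deployment", "name": "web"}]},
   "spec": {"replicas": 3, "template": {"spec": {
     "containers": [{"name": "web", "image": "gcr.io/example-project/web:1.4"}]}}}},
  {"metadata": {"namespace": "batch", "name": "worker"},
   "spec": {"replicas": 40, "template": {"spec": {
     "containers": [{"name": "worker", "image": "docker.io/example/worker:latest"}],
     "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "ledger"}}]}}}}
]}
""")

ALLOWED_REGISTRIES = ("gcr.io/example-project/",)  # assumed image allowlist
MAX_REPLICAS = 10                                   # assumed per-ReplicaSet ceiling


def audit_replicasets(rs_list, allowed=ALLOWED_REGISTRIES, max_replicas=MAX_REPLICAS):
    """Return (name, issues) for ReplicaSets that a direct update would affect."""
    findings = []
    for rs in rs_list.get("items", []):
        meta, spec = rs["metadata"], rs["spec"]
        owners = meta.get("ownerReferences", [])
        # Deployment-owned ReplicaSets are skipped: direct updates have no effect on them.
        if any(o.get("kind") == "Deployment" for o in owners):
            continue
        pod = spec.get("template", {}).get("spec", {})
        issues = ["standalone"]
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            if not c["image"].startswith(tuple(allowed)):
                issues.append(f"image-outside-allowlist:{c['image']}")
        # Kubernetes defaults replicas to 1 when the field is omitted.
        if spec.get("replicas", 1) > max_replicas:
            issues.append(f"replicas>{max_replicas}")
        for v in pod.get("volumes", []):
            if "persistentVolumeClaim" in v:
                issues.append(f"pvc:{v['persistentVolumeClaim']['claimName']}")
        findings.append((f"{meta['namespace']}/{meta['name']}", issues))
    return findings


if __name__ == "__main__":
    for name, issues in audit_replicasets(SAMPLE):
        print(name, issues)
```

The standalone ReplicaSets it reports are the objects to check against who holds `container.replicaSets.update` in the project.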

Risks

Scope: MEDIUM

This privilege may grant access to confidential data, or its exploitation can incur operational cost.

Contributed by P0 Security

© 2023–present P0 Security and contributors to the IAM Privilege Catalog