Kubernetes Engine Services (Google Cloud)

Services provide a stable network endpoint for one or more pods, allowing them to be accessed by other pods or external clients.

Services control how your Kubernetes Pods are exposed on the Kubernetes network.


container.services.proxy

Allows an attacker to interact with your application as if they were inside the Kubernetes cluster. This permission creates a proxy between localhost and a specified Service running on Kubernetes. The Service can be a kube-system Service started by Kubernetes and listed by the `kubectl cluster-info` command, or a user-defined Service object. The resulting proxy allows sending payloads to the targeted Service, which would otherwise be unreachable from outside the cluster. This is different from the `kubectl proxy` command, which creates a proxy to the Kubernetes API server: the Service proxy endpoint acts like a bastion and exposes the user-defined application endpoints behind a Service.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://kubernetes.io/docs/concepts/services-networking/service
  • https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#create-connect-proxy-service-v1-core
  • https://kubernetes.io/docs/concepts/cluster-administration/proxies/
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog