services / Google Cloud / Kubernetes Engine StatefulSets

Control Kubernetes StatefulSets objects in a given cluster.

StatefulSets manage Pods, much as Deployments, ReplicaSets, and DaemonSets do, but with different guarantees. As such, the primary security concerns are the container images running on these Pods and the resources the Pods consume from the Kubernetes cluster.


container.statefulSets.getScale

Allows reading the `/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/scale` subresource, which returns the number of desired replicas in the StatefulSet. The `container.statefulSets.get` permission already includes the ability to read this subresource.

Risks

Scope: LOW

This privilege allows access to data that are not meant to be public, but are otherwise not sensitive.

Contributed by P0 Security

© 2023–present P0 Security and contributors to the IAM Privilege Catalog