services / Kubernetes / ReplicaSets
Control Kubernetes ReplicaSet objects.
ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.
apps/replicasets.getScale
Allows reading the `/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/scale` subresource which returns the number of desired replicas in the ReplicaSet. The `replicaSets.get` permission already includes the ability to read this subresource.
Risks
Scope: LOW
This privilege allows access to data that are not meant to be public, but are otherwise not sensitive.
Contributed by P0 Security