services / Kubernetes / ReplicaSets

Control Kubernetes ReplicaSet objects.

ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.


apps/​replicasets.​getScale

Allows reading the `/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/scale` subresource which returns the number of desired replicas in the ReplicaSet. The `replicaSets.get` permission already includes the ability to read this subresource.

Risks

Scope: LOW

This privilege allows access to data that are not meant to be public, but are otherwise not sensitive.

Contributed by P0 Security

© 2023–present P0 Security and contributors to the IAM Privilege Catalog