services / Kubernetes / StatefulSets
Control Kubernetes StatefulSets objects.
StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.
apps/statefulsets.update
An update may set the replica count to 0 which effectively deletes the application. An update may also let an attacker change the container image that is running inside pods, potentially leading to a complete takeover of the Kubernetes cluster. Secondly, increasing the replica count in StatefulSets may cause disruption to stateful services, depending on the behavior of the stateful service in a scaling event. Scaling may drain the limited resources available to other Kubernetes workloads. Also, persistent volumes may be attached to the Pods, which may provide access to sensitive data.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security