Lateral movement

Controller of pods with administrator-like permissions in namespace scope

Risk Level

Hazardous (3)

Platform(s)
  • N/A

Compliance Frameworks

Description

Controllers (Deployments, StatefulSets, DaemonSets, Jobs, CronJobs and similar objects) maintain the desired state of pods from a declared pod template. Pods communicate with the Kubernetes API using the service account assigned to them, and by default the token of that service account is mounted into every container of the pod. Orca has detected that the controller {K8sController} creates pods with a service account that has administrative privileges (all verbs on all resources) in the {K8sController.PodSpec.Namespace} namespace. An attacker who gains access to a container in one of these pods can read the mounted service account token and use it to authenticate to the Kubernetes API as that service account, which allows any action in the {K8sController.PodSpec.Namespace} namespace, for example reading Secrets or creating pods there.
  • Recommended Mitigation

    Review the Role and RoleBinding that grant the service account used by {K8sController} its permissions and reduce them to the verbs and resources the workload actually needs, following the least privilege principle. If the pods do not need to call the Kubernetes API at all, set automountServiceAccountToken: false in the pod spec (or on the ServiceAccount) so that no token is exposed to the container.
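The following is an added example, not part of the Orca page or product, that implements the check described above over Kubernetes manifests: it finds namespaced Roles granting all verbs on all resources, follows RoleBindings to the ServiceAccounts they bind, and reports controllers whose pod template uses such a ServiceAccount while still mounting its token. The Role, RoleBinding and controller objects are constructed sample data embedded in the script, not taken from a real cluster; the names (payments, web-sa, ns-admin and so on) are assumptions for illustration. The CronJob in the sample shows that setting automountServiceAccountToken: false removes the finding even though the ServiceAccount itself stays over-privileged.

```python
"""Flag workload controllers whose pod ServiceAccount holds admin-like
Role permissions in its own namespace and whose pods mount the token.

Added example operating on constructed manifests; it does not talk to a
cluster. Feed it the output of `kubectl get roles,rolebindings,deployments
-o json` (the .items lists) to run it against real objects.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample manifests (hypothetical names, not from a real cluster).
ROLES = [
    {"kind": "Role", "metadata": {"name": "ns-admin", "namespace": "payments"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "cm-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
]
ROLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "web-admin", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "ns-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "web-sa", "namespace": "payments"}]},
    {"kind": "RoleBinding", "metadata": {"name": "worker-cm", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "cm-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "worker-sa", "namespace": "payments"}]},
]
CONTROLLERS = [
    # Admin SA, token mounted by default: this is the hazardous case.
    {"kind": "Deployment", "metadata": {"name": "web", "namespace": "payments"},
     "spec": {"template": {"spec": {"serviceAccountName": "web-sa"}}}},
    # Least-privilege SA: not reported.
    {"kind": "Deployment", "metadata": {"name": "worker", "namespace": "payments"},
     "spec": {"template": {"spec": {"serviceAccountName": "worker-sa"}}}},
    # Same admin SA, but the token is not mounted, so a container cannot read it.
    {"kind": "CronJob", "metadata": {"name": "batch", "namespace": "payments"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {
         "serviceAccountName": "web-sa", "automountServiceAccountToken": False}}}}}},
]


def is_admin_rule(rule: Dict) -> bool:
    """True when one RBAC rule grants every verb on every resource.

    apiGroups is deliberately not checked: "*" on resources and verbs already
    covers pods, secrets and rolebindings in the namespace.
    """
    return "*" in rule.get("verbs", []) and "*" in rule.get("resources", [])


def admin_service_accounts(roles: List[Dict], bindings: List[Dict]) -> Set[Tuple[str, str]]:
    """Return (namespace, serviceAccountName) pairs bound to an admin-like Role.

    Only namespaced Roles referenced by a RoleBinding in the same namespace are
    handled. A RoleBinding to a ClusterRole also grants namespace-scoped
    rights, but that needs the ClusterRole objects, which are not loaded here.
    """
    admin_roles = {
        (r["metadata"]["namespace"], r["metadata"]["name"])
        for r in roles
        if r.get("kind") == "Role" and any(is_admin_rule(x) for x in r.get("rules", []))
    }
    found: Set[Tuple[str, str]] = set()
    for b in bindings:
        ns = b["metadata"]["namespace"]
        ref = b.get("roleRef", {})
        if ref.get("kind") != "Role" or (ns, ref.get("name")) not in admin_roles:
            continue
        for subj in b.get("subjects", []):
            if subj.get("kind") == "ServiceAccount":
                # subjects[].namespace defaults to the binding's own namespace.
                found.add((subj.get("namespace", ns), subj["name"]))
    return found


def pod_spec(controller: Dict) -> Dict:
    """Locate the pod template spec; CronJobs nest it one level deeper."""
    spec = controller.get("spec", {})
    if controller.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def find_hazardous(controllers: List[Dict], roles: List[Dict],
                   bindings: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """List (kind, namespace, name, serviceAccount) for controllers whose pods
    run as an admin-like ServiceAccount and mount its token."""
    admins = admin_service_accounts(roles, bindings)
    hits = []
    for c in controllers:
        ns = c["metadata"]["namespace"]
        ps = pod_spec(c)
        sa = ps.get("serviceAccountName", "default")  # pods fall back to the "default" SA
        # The ServiceAccount object can also set automountServiceAccountToken;
        # only the pod-level field (which takes precedence) is modelled here.
        mounted = ps.get("automountServiceAccountToken", True)
        if (ns, sa) in admins and mounted:
            hits.append((c["kind"], ns, c["metadata"]["name"], sa))
    return hits


if __name__ == "__main__":
    for kind, ns, name, sa in find_hazardous(CONTROLLERS, ROLES, ROLE_BINDINGS):
        print(f"{kind} {ns}/{name}: pods run as admin-like ServiceAccount {sa} with token mounted")
```

Inside a running container the mounted token is the file /var/run/secrets/kubernetes.io/serviceaccount/token, which is what the attack in the description reads; the check above reports a controller only when that file would exist in its pods, so fixing the finding by setting automountServiceAccountToken: false is recognised, while the over-privileged Role itself still warrants tightening.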