Manage DaemonSets cluster-wide (runs on all nodes, high impact)

Overview

Field	Value
ID	1035
Name	Manage DaemonSets cluster-wide (runs on all nodes, high impact)
Risk Category	Elevation of Privilege
Risk Level	Critical
Role Type	ClusterRole
API Groups	apps
Resources	daemonsets
Verbs	create, update, patch, delete
Tags	NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle

Description

Permits creating, updating, or deleting DaemonSets across the cluster. DaemonSets ensure a pod runs on all (or selected) nodes. This is highly critical as it allows deploying privileged pods directly onto every node, leading to widespread node compromise, privilege escalation, and persistent access.