Manage DaemonSets in a namespace (runs on nodes, high impact)
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1036 |
| Name | Manage DaemonSets in a namespace (runs on nodes, high impact) |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | Role |
| API Groups | apps |
| Resources | daemonsets |
| Verbs | create, update, patch, delete |
| Tags | NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle |
Description
Allows creating, updating, patching, or deleting DaemonSets within a specific namespace. The namespace scope does not bound the blast radius: the DaemonSet controller schedules one pod on every node that matches the template's node selector and tolerations (all worker nodes by default, and control-plane nodes too if the template tolerates their taints), and the controller creates those pods itself, so the holder needs no pods/create permission of their own. If the pod template requests a privileged security context, host PID or network namespaces, or a hostPath mount of the node's root filesystem, the holder obtains root-equivalent access on every node the DaemonSet lands on. That yields node compromise, privilege escalation beyond the namespace through whatever other workloads and credentials those nodes carry, and persistence, because the controller recreates the pods whenever they are deleted. The update and patch verbs also allow rewriting the pod template of an existing, legitimately privileged DaemonSet (a log shipper or CNI agent, for example) instead of creating a conspicuous new one. Pod Security Admission enforcing the restricted profile on the namespace, or an equivalent validating admission policy, limits what the template may request, but note that enforcement happens when the pods are created, not when the DaemonSet object is accepted, so treat this grant as effectively cluster-wide node access unless such controls are verified.
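The following is an added example written for this catalogue entry; it is not code from the catalogue or from any Kubernetes tool. It shows both sides of the risk as an auditor would check them: whether a set of RBAC rules grants the verbs in the table on apps/daemonsets (handling `*` wildcards), and whether a DaemonSet's pod template carries the node-compromise indicators the description refers to (privileged containers, host namespaces, hostPath mounts, and a blanket toleration that reaches control-plane nodes). The Role rules and the DaemonSet manifest are constructed inline for illustration; the names `node-agent` and `dev` are hypothetical.

```python
"""Audit helpers for the "manage DaemonSets" RBAC risk.

Added example for this catalogue entry (not catalogue or project code).
All manifests below are constructed for illustration.
"""

# Verbs from the table above that make DaemonSet management dangerous.
RISKY_VERBS = {"create", "update", "patch", "delete"}

# Constructed rules equivalent to the Role described on this page.
ROLE_RULES = [
    {"apiGroups": ["apps"], "resources": ["daemonsets"],
     "verbs": ["create", "update", "patch", "delete"]},
]


def _matches(values, wanted):
    """RBAC list match: an explicit entry or the '*' wildcard."""
    return "*" in values or wanted in values


def risky_daemonset_verbs(rules):
    """Return the subset of RISKY_VERBS a rule set grants on apps/daemonsets.

    Rules are the `rules` list of a Role or ClusterRole; apiGroups,
    resources and verbs may each be '*'.
    """
    granted = set()
    for rule in rules:
        if not _matches(rule.get("apiGroups", []), "apps"):
            continue
        if not _matches(rule.get("resources", []), "daemonsets"):
            continue
        verbs = rule.get("verbs", [])
        granted |= RISKY_VERBS if "*" in verbs else RISKY_VERBS & set(verbs)
    return granted


# Constructed DaemonSet of the kind the description warns about: privileged,
# host PID/network namespaces, the node root filesystem mounted, and a
# toleration that matches every taint so it also lands on control-plane nodes.
EVIL_DAEMONSET = {
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "node-agent", "namespace": "dev"},  # hypothetical
    "spec": {
        "selector": {"matchLabels": {"app": "node-agent"}},
        "template": {
            "metadata": {"labels": {"app": "node-agent"}},
            "spec": {
                "hostPID": True,
                "hostNetwork": True,
                "tolerations": [{"operator": "Exists"}],  # no key: tolerates everything
                "containers": [{
                    "name": "agent",
                    "image": "busybox",
                    "command": ["sh", "-c", "sleep infinity"],
                    "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "host", "mountPath": "/host"}],
                }],
                "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
            },
        },
    },
}


def daemonset_findings(ds):
    """Return node-compromise indicators found in a DaemonSet's pod template."""
    pod = ds["spec"]["template"]["spec"]
    findings = []
    # Host namespaces give visibility into, and control over, node processes and network.
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if pod.get(key):
            findings.append(key)
    # Privileged containers and SYS_ADMIN are effectively root on the node.
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"privileged:{c['name']}")
        caps = (sc.get("capabilities") or {}).get("add") or []
        if "SYS_ADMIN" in caps or "ALL" in caps:
            findings.append(f"cap_sys_admin:{c['name']}")
    # Any hostPath mount exposes node state; "/" exposes all of it.
    for v in pod.get("volumes", []):
        if "hostPath" in v:
            findings.append(f"hostPath:{v['hostPath']['path']}")
    # A keyless Exists toleration matches all taints, including the
    # control-plane NoSchedule taint.
    for t in pod.get("tolerations", []):
        if t.get("operator") == "Exists" and "key" not in t:
            findings.append("tolerates_all_taints")
    return findings


if __name__ == "__main__":
    print("risky verbs granted:", sorted(risky_daemonset_verbs(ROLE_RULES)))
    print("template findings:", daemonset_findings(EVIL_DAEMONSET))
```

In practice you would feed `risky_daemonset_verbs` the rules of every Role and ClusterRole bound in the namespace, and run `daemonset_findings` over the DaemonSets already present, since the update and patch verbs make an existing privileged DaemonSet as useful to an attacker as a new one.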