Limit pod-create verb
Description
Permission to create pods should be limited to deployment controllers, not user accounts.
⚠️ Risk Impact
Pod-create on user accounts enables direct creation of malicious pods. Workloads should be created by Deployments/StatefulSets/Jobs, not directly.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Audit RBAC for subjects granted the 'create' verb on the 'pods' resource, including grants made through wildcard verbs or resources. Replace direct pod creation with controller-create patterns (Deployments, StatefulSets, Jobs) and enforce the restriction with an admission policy.
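As an added example (not EchelonGraph's scanner and not code from this page), the following Python audit resolves RoleBindings and ClusterRoleBindings to their roles and reports every non-ServiceAccount subject that can create pods, treating wildcard api groups, resources or verbs as grants, which is the wildcard pitfall listed on this page. The RBAC objects are constructed samples; on a real cluster the same functions can be fed the `items` of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.

```python
# Constructed sample objects, not from a real cluster: one wildcard ClusterRole,
# one read-only ClusterRole, one namespaced Role, plus the bindings granting them.
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "pod-creator", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create"]}]},
]
BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "wildcard-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "bob"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-creator"},
     "subjects": [{"kind": "User", "name": "carol"},
                  {"kind": "ServiceAccount", "name": "deployer", "namespace": "dev"}]},
]

def rule_grants_pod_create(rule):
    """True if one RBAC rule allows 'create' on core-group 'pods'; '*' matches anything."""
    groups, res, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    return (("" in groups or "*" in groups) and ("pods" in res or "*" in res)
            and ("create" in verbs or "*" in verbs))

def find_pod_creators(roles, bindings, ignore_kinds=("ServiceAccount",)):
    """Return sorted (subject, scope) pairs for non-controller subjects that can create pods."""
    # Index by (kind, namespace, name): a Role is namespaced, a ClusterRole is not.
    index = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    hits = set()
    for b in bindings:
        ref, ns = b["roleRef"], b.get("metadata", {}).get("namespace")
        role = index.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]))
        if not role or not any(rule_grants_pod_create(x) for x in role.get("rules", [])):
            continue
        # A RoleBinding limits even a ClusterRole's grant to its own namespace.
        scope = "cluster-wide" if b["kind"] == "ClusterRoleBinding" else f"namespace {ns}"
        for s in b.get("subjects", []):
            if s["kind"] in ignore_kinds:
                continue  # controller service accounts are the intended pod creators
            hits.add((f'{s["kind"]}:{s["name"]}', scope))
    return sorted(hits)

if __name__ == "__main__":
    for subject, scope in find_pod_creators(ROLES, BINDINGS):
        print(f"FINDING: {subject} can create pods ({scope})")
```

Each finding is a candidate for the "Justified?" audit question; bob's read-only grant and the deployer ServiceAccount are correctly left out.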
💀 Real-World Attack Scenario
An engineer with pod-create permission was phished. The attacker used the credentials to create a malicious pod with a cluster-admin service account token mounted, establishing a persistent foothold in the Kubernetes cluster.
💰 Cost of Non-Compliance
Privilege escalation via pod-create enables a broader breach.
📋 Audit Questions
- 1. Which users hold pod-create permission?
- 2. Is each grant justified?
- 3. Is a controller-create pattern used instead of direct pod creation?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Wildcard verb grants pod-create
- ⛔ Direct kubectl run patterns are common
- ⛔ No admission policy
📈 Business Value
Restricting pod-create limits privilege-escalation paths.
⏱️ Effort Estimate
RBAC audit
EchelonGraph audits pod-create grants
🔗 Cross-Framework References
Automate CIS Kubernetes 5.1.8 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.