Cluster State Manipulation

cluster-state-manipulation

Attacker directly modifies cluster state in etcd, bypassing Kubernetes API server admission controllers and RBAC to create privileged workloads, modify RBAC rules, or corrupt cluster configuration

TamperingElevation of Privilege

MITRE ATT&CK techniques

ID	Name	Tactic
T1565	Data Manipulation	Impact
T1078	Valid Accounts	Defense Evasion

Common Weakness Enumeration

CWE-269
CWE-345

Mitigating controls

ctrl-clusterstate-1: Restrict direct etcd access to only the Kubernetes API server
ctrl-clusterstate-2: Require mutual TLS (mTLS) for all etcd client connections
ctrl-clusterstate-3: Run etcd on dedicated nodes with no other workloads
ctrl-clusterstate-4: Enable etcd audit logging and monitor for direct API access
ctrl-clusterstate-5: Implement network policies to isolate etcd from pod network

References

https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/
https://www.cisecurity.org/benchmark/kubernetes