Static pods in Kubernetes are managed directly by the Kubelet daemon on each node, bypassing the Kubernetes API, which introduces specific security risks. Since static pods operate independently of the API, unauthorized access to the static-pod directory could allow an attacker to manipulate critical components of the cluster, especially within the control plane.
Control Over the Control Plane
Static pods, such as those in the kube-system namespace (other than CNI pods), make up the components that keep the cluster's control plane running. An attacker who gains write access to the static-pod directory could therefore take control of the control plane itself, resulting in a full cluster compromise.
Worker Node Exploitation
Even if an attacker cannot take over the entire cluster, access to a worker node could allow them to have the kubelet run static pods of their choosing. This enables unauthorized operations, such as running malicious software (e.g., cryptominers), without any access to the API.
To mitigate these risks, it is essential to secure static pod directories and restrict access to them.
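As an added example (not code from the original page), the following Python script performs the two checks a node operator would want on the static-pod directory: it flags ownership and permission problems on the directory and every manifest in it, and it takes a SHA-256 snapshot of the manifests so that a later run can report anything added, removed or modified relative to an approved baseline. It assumes the kubeadm default path /etc/kubernetes/manifests; on a real node the authoritative value is the kubelet's staticPodPath setting (or the --pod-manifest-path flag). The sample manifests built by make_demo_directory() are constructed for illustration only.

```python
"""Audit a kubelet static-pod directory: ownership/permissions and manifest drift."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Assumption: kubeadm's default static-pod path. The real value on a node comes
# from the kubelet config (staticPodPath) or the --pod-manifest-path flag.
DEFAULT_STATIC_POD_PATH = "/etc/kubernetes/manifests"

# Group- or other-writable bits: anyone holding these can change what the
# kubelet runs, without ever talking to the API server.
_UNSAFE_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def _check_entry(path, st, expected_uid):
    """Return findings for one filesystem entry (directory or manifest file)."""
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & _UNSAFE_WRITE_BITS:
        findings.append(f"{path}: group/other writable (mode {mode:04o})")
    return findings


def audit_directory(path, expected_uid=0):
    """Return a list of human-readable findings for the directory and its files.

    An empty list means the directory and every regular file in it are owned by
    expected_uid (root by default) and writable by nobody else.
    """
    p = Path(path)
    if not p.is_dir():
        return [f"{path}: not a directory"]
    findings = _check_entry(p, p.stat(), expected_uid)
    for f in sorted(p.iterdir()):
        if f.is_file():
            findings.extend(_check_entry(f, f.stat(), expected_uid))
    return findings


def snapshot_manifests(path):
    """Map each regular file name in the directory to the SHA-256 of its content."""
    return {
        f.name: hashlib.sha256(f.read_bytes()).hexdigest()
        for f in sorted(Path(path).iterdir())
        if f.is_file()
    }


def diff_snapshots(baseline, current):
    """Compare an approved baseline snapshot with a current one.

    Any entry in the result means the kubelet is (or will be) running
    something that was not approved: a new manifest, a missing one, or
    an edited one.
    """
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline
            if name in current and baseline[name] != current[name]
        ),
    }


def make_demo_directory():
    """Build a constructed sample static-pod directory in a temp location.

    Constructed for illustration only: one minimal manifest, with ownership
    belonging to the current user and no group/other write permission.
    """
    d = tempfile.mkdtemp(prefix="static-pods-")
    os.chmod(d, 0o700)
    manifest = Path(d) / "kube-apiserver.yaml"
    manifest.write_text("apiVersion: v1\nkind: Pod\nmetadata:\n  name: kube-apiserver\n")
    os.chmod(manifest, 0o600)
    return d


if __name__ == "__main__":
    # On a real node, run as root against the kubelet's configured path and
    # keep the baseline snapshot somewhere the node's users cannot modify.
    for finding in audit_directory(DEFAULT_STATIC_POD_PATH):
        print("FINDING:", finding)
    for name, digest in snapshot_manifests(DEFAULT_STATIC_POD_PATH).items():
        print(f"{digest}  {name}")
```

In practice the baseline snapshot is taken right after the node is provisioned and stored off the node; a periodic job compares it against a fresh snapshot and alerts on any non-empty diff, while the permission audit catches the misconfiguration that would let a non-root user drop a manifest in the first place.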