Scenario #292
Security
Kubernetes v1.24, EKS

Escalation via Editable Validating WebhookConfiguration

User with edit rights on a validating webhook modified it to bypass critical security policies.

What Happened

An internal user reconfigured the webhook to always return allow, disabling cluster-wide security checks.

Diagnosis Steps
  1. Detected an anomaly: privileged pods being deployed.
  2. Checked the webhook configuration history in GitOps.
  3. Verified that failurePolicy: Ignore and static allow logic had been added.
Root Cause

Lack of control over webhook configuration permissions.

Fix/Workaround
• Restricted access to ValidatingWebhookConfiguration objects.
• Added checksums to webhook definitions in GitOps.
Lessons Learned

Webhooks must be tightly controlled to preserve cluster security.

How to Avoid
  1. Lock down RBAC access to webhook configurations.
  2. Monitor changes with alerts and diff checks.
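As an added example (not part of the original scenario), a small Python audit implementing the diff check above: it compares a live ValidatingWebhookConfiguration against its GitOps baseline, recomputes a checksum over the webhooks list, and flags the changes seen in this incident (failurePolicy: Ignore, a redirected backend, narrowed rules or a removed webhook). The webhook name and backend service are hypothetical.

```python
import hashlib
import json

# Constructed baseline (hypothetical webhook name and backend service) as stored in GitOps.
BASELINE = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "metadata": {"name": "pod-policy"},
    "webhooks": [{
        "name": "pods.policy.example.com",
        "failurePolicy": "Fail",
        "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                   "operations": ["CREATE", "UPDATE"], "resources": ["pods"]}],
        "clientConfig": {"service": {"name": "policy", "namespace": "policy-system", "path": "/validate"}},
    }],
}

def canonical_digest(cfg):
    """SHA-256 over the webhooks list only, so server-managed metadata does not churn the checksum."""
    blob = json.dumps(cfg.get("webhooks", []), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()

def audit(live, baseline):
    """Return human-readable findings describing how the live object weakens the baseline policy."""
    findings = []
    if canonical_digest(live) != canonical_digest(baseline):
        findings.append("checksum mismatch with GitOps baseline")
    base = {w["name"]: w for w in baseline["webhooks"]}
    for wh in live.get("webhooks", []):
        name = wh.get("name", "<unnamed>")
        # In admissionregistration.k8s.io/v1 failurePolicy defaults to Fail; Ignore turns any webhook error into an allow.
        if wh.get("failurePolicy", "Fail") == "Ignore":
            findings.append(f"{name}: failurePolicy Ignore")
        ref = base.get(name)
        if ref is None:
            findings.append(f"{name}: webhook not in baseline")
            continue
        # Narrowed rules/selectors or a redirected backend also silently reduce coverage.
        for field in ("rules", "clientConfig", "namespaceSelector", "objectSelector"):
            if wh.get(field) != ref.get(field):
                findings.append(f"{name}: {field} changed")
    missing = set(base) - {w.get("name") for w in live.get("webhooks", [])}
    findings.extend(f"{n}: webhook removed" for n in sorted(missing))
    return findings

def tampered_example():
    """Constructed live copy reproducing the scenario's change: failurePolicy flipped to Ignore."""
    live = json.loads(json.dumps(BASELINE))
    live["webhooks"][0]["failurePolicy"] = "Ignore"
    return live
```

In practice the live object comes from `kubectl get validatingwebhookconfiguration <name> -o json` and the baseline from the Git checkout; any non-empty finding list should page the on-call rather than just log.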