Saved February 14, 2026
Do you care about this?
A security researcher revealed a Kubernetes vulnerability that allows users with read-only permissions to execute arbitrary commands on pods. This exploit stems from the nodes/proxy GET resource, which many monitoring tools use, and poses significant risks to cluster security. Until the upcoming KEP-2862 is fully implemented, organizations need to audit their permissions and consider stricter access controls.
If you do, here's more
Kubernetes admins face a new security challenge due to a vulnerability in the telemetry feature. Security researcher Graham Helton discovered that users with read-only permissions can execute arbitrary commands on any pod within a cluster. This issue arises from a service account’s access to the nodes/proxy GET resource, which monitoring tools commonly use. Helton initially reported this as a bug, but it was labeled as intended behavior, meaning it won’t trigger a CVE alert.
The flaw lies in how a GET request can escalate to remote code execution, stemming from a mismatch in authorization logic. Helton identified 69 tools that rely on this access for data retrieval. If an attacker can reach a node's Kubelet on port 10250, they could execute any command, potentially compromising the entire cluster, stealing service account tokens, or manipulating control plane pods. Notably, Kubernetes AuditPolicy fails to log these actions, leaving no trace of the breach.
Experts are calling for immediate action. Edera's Jed Salazar emphasizes the changing landscape of Kubernetes workloads, which now include sensitive applications like AI training and healthcare systems. He recommends several precautions: auditing RBAC policies for nodes/proxy permissions, assessing the necessity of direct kubelet access for monitoring tools, implementing network policies to restrict access, and preparing for the upcoming KEP-2862 fine-grained permissions. The potential impact of this vulnerability is significant, especially for those using multitenant Kubernetes environments.
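The first precaution above, auditing RBAC for nodes/proxy grants, can be scripted. The following is an added example, not code from the article or from any of the researchers it quotes; it assumes input in the shape of the `items` list produced by `kubectl get clusterroles,clusterrolebindings -o json`, and the sample objects in it are constructed, not taken from a real cluster.

```python
import json
import sys

def rule_grants_nodes_proxy_get(rule):
    """Mirror the RBAC evaluator for GET on the core-group nodes/proxy subresource:
    apiGroups "" or "*", verbs "get" or "*", and resources "nodes/proxy", the
    catch-all "*" or the "*/proxy" subresource wildcard (the forms RBAC matches)."""
    return (any(g in ("", "*") for g in rule.get("apiGroups", []))
            and any(v in ("get", "*") for v in rule.get("verbs", []))
            and any(r in ("nodes/proxy", "*", "*/proxy") for r in rule.get("resources", [])))

def cluster_roles_granting_nodes_proxy(items):
    """ClusterRoles whose rules grant it. Only ClusterRoles matter: nodes are
    cluster-scoped, so a namespaced Role or RoleBinding cannot grant access to them."""
    return {it["metadata"]["name"] for it in items if it["kind"] == "ClusterRole"
            and any(rule_grants_nodes_proxy_get(r) for r in it.get("rules", []))}

def subjects_with_nodes_proxy(items):
    """Resolve ClusterRoleBindings to the subjects that actually hold the permission;
    returns sorted 'Kind:namespace/name via binding' strings."""
    granting = cluster_roles_granting_nodes_proxy(items)
    hits = set()
    for b in items:
        if b["kind"] != "ClusterRoleBinding" or b["roleRef"]["name"] not in granting:
            continue
        for s in b.get("subjects", []):
            hits.add(f"{s['kind']}:{s.get('namespace', '')}/{s['name']} via {b['metadata']['name']}")
    return sorted(hits)

# Constructed sample data (not from a real cluster): a monitoring ClusterRole with the
# risky grant, a harmless read-only ClusterRole, and bindings for each.
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "metrics-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes", "nodes/proxy"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "metrics-reader-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "metrics-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "metrics-agent"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "pod-viewer-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]

if __name__ == "__main__":
    # Real audit: kubectl get clusterroles,clusterrolebindings -o json | python3 audit.py
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else SAMPLE_ITEMS
    for line in subjects_with_nodes_proxy(items):
        print(line)
```

Every subject the script lists is a candidate for the second precaution: check whether the tool behind it truly needs direct kubelet access or can be moved to a narrower permission once KEP-2862 lands.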