Threat Model

Karpenter observes Kubernetes pods and launches nodes in response to those pods’ scheduling constraints. Karpenter does not perform the actual scheduling and instead waits for kube-scheduler to schedule the pods.

When running in AWS, Karpenter is typically installed onto EC2 instances that run in EKS Clusters. Karpenter relies on public facing AWS APIs and standard IAM Permissions. Karpenter uses AWS-SDK-Go v1, and AWS advises that credentials are provided using IAM Roles for Service Accounts.

Architecture & Actors

  1. Cluster Operator: An identity that installs and configures Karpenter in a Kubernetes cluster, and configures Karpenter’s cloud identity and permissions.
  2. Cluster Developer: An identity that can create pods, typically through Deployments, DaemonSets, or other pod-controller types.
  3. Karpenter Controller: The Karpenter application pod that operates inside a cluster.



Cluster Operator

The Cluster Operator has full control over Kubernetes resources to install and configure Karpenter, its CRDs, and Provisioners and NodeTemplates. The Cluster Operator has privileges to manage the cloud identities and permissions for Nodes, and the cloud identity and permissions for Karpenter.

Cluster Developer

A Cluster Developer has the ability to create pods via Deployments, ReplicaSets, StatefulSets, Jobs, etc. This assumes that the Cluster Developer cannot modify the Karpenter pod or launch pods using Karpenter’s service account and gain access to Karpenter’s IAM role.

Karpenter Controller

Karpenter has permissions to create and manage cloud instances. Karpenter has Kubernetes API permissions to create, update, and remove nodes, as well as evict pods. For a full list of the permissions, see the RBAC rules in the helm chart template. Karpenter also has AWS IAM permissions to create instances with IAM roles.


GenericThe Karpenter pod is operated on a node in the cluster, and uses a Service Account for authentication to the Kubernetes APICluster Operators may want to isolate the node running the Karpenter pod to a system-pool of nodes to mitigate the possibility of container breakout with Karpenter’s permissions.
GenericCluster Developer does not have any Kubernetes permissions to manage Karpenter running in the cluster (The deployment, pods, clusterrole, etc)
GenericRestrictions on the fields of pods a Cluster Developer can create are out of scope.Cluster Operators can use policy frameworks to enforce restrictions on Pod capabilities
GenericNo sensitive data is included in non-Secret resources in the Kubernetes API. The Karpenter controller has the ability to list all pods, nodes, deployments, and many other pod-controller and storage resource types.Karpenter does not have permission to list/watch cluster-wide ConfigMaps or Secrets
GenericKarpenter has permissions to create, modify, and delete nodes from the cluster, and evict any pod.Cluster Operators running applications with varying security profiles in the same cluster may want to configure dedicated nodes and scheduling rules for Karpenter to mitigate potential container escapes from other containers
AWS-SpecificThe Karpenter IAM policy is encoded in the GitHub repo. Any additional permissions possibly granted to that role by the administrator are out of scope
AWS-SpecificThe Karpenter pod uses IRSA for AWS credentialsSetup of IRSA is out of scope for this document

Generic Threats and Mitigations

Threat: Cluster Developer can influence creation of an arbitrary number of nodes

Background: Karpenter creates new instances based on the count of pending pods.

Threat: A Cluster Developer attempts to have Karpenter create more instances than intended by creating a large number of pods or by using anti-affinity to schedule one pod per node.

Mitigation: In addition to Kubernetes resource limits, Cluster Operators can configure limits on a Provisioner to limit the total amount of memory, CPU, or other resources provisioned across all nodes.

AWS-Specific Threats

Threat: Using EC2 CreateTag/DeleteTag Permissions to Orchestrate Machine Creation/Deletion

Background: As of v0.28.0, Karpenter creates a mapping between CloudProvider machines and CustomResources in the cluster for capacity tracking. To ensure this mapping is consistent, Karpenter utilizes the following tag keys:


Any user that has the ability to Create/Delete tags on CloudProvider machines will have the ability to orchestrate Karpenter to Create/Delete CloudProvider machines as a side effect.

In addition, as of v0.29.0, Karpenter will Drift on Security Groups and Subnets. If a user has the Create/Delete tags permission for either of resources, they can orchestrate Karpenter to Create/Delete CloudProvider machines as a side effect.

Threat: A Cluster Operator attempts to create or delete a tag on a resource discovered by Karpenter. If it has the ability to create a tag it can effectively create or delete CloudProvider machines associated with the tagged resources.

Mitigation Cluster Operators should enforce tag-based IAM policies on these tags against any EC2 instance resource (i-*) for any users that might have CreateTags/DeleteTags permissions but should not have RunInstances/TerminateInstances permissions.

Threat: Launching EC2 instances with IAM roles not intended for Karpenter nodes

Background: Many IAM roles in an AWS account may trust the EC2 service principal. IAM administrators must grant the iam:PassRole permission to IAM principals to allow those principals in the account to launch instances with specific roles.

Threat: A Cluster Operator attempts to create a Node Template with an IAM role not intended for Karpenter

Mitigation: Cluster Operators must enumerate the roles in the resource section of the IAM policy granted to the Karpenter role for the iam:PassRole action.

Threat: Karpenter can be used to create or terminate EC2 instances outside of the cluster

Background: EC2 instances can exist in an AWS account outside of the Kubernetes cluster.

Threat: An actor who obtains control of the Karpenter pod’s IAM role may be able to create or terminate EC2 instances not part of the Kubernetes cluster managed by Karpenter.

Mitigation: Karpenter creates instances with tags, several of which can be enforced in the IAM policy granted to the Karpenter IAM role that restrict the instances Karpenter can terminate. One tag can require that the instance was provisioned by a Karpenter controller, another tag can include a cluster name to mitigate any termination between two clusters with Karpenter in the same account. Cluster Operators also can restrict the region to prevent two clusters in the same account with the same name in different regions.

Threat: Karpenter launches an EC2 instance using an unintended AMI

Background: Cluster Developers can create Node Templates that refer to an AMI by metadata, such as a name rather than an AMI resource ID.

Threat: A threat actor creates a public AMI with the same name as a customer’s AMI in an attempt to get Karpenter to select the threat actor’s AMI instead of the intended AMI.

Mitigation: When selecting AMIs by name or tags, Karpenter defaults to adding an ownership filter of self,amazon so AMI images external to the account are not used.

Last modified September 27, 2023: Stable Release updates Release v0.31.0. (3c87bc61)