Stay organized with collections
Save and categorize content based on your preferences.
Standard
The Backup for GKE agent
requires full privileges to read and write every object in the cluster.
The version of the agent that runs in GKE cluster versions
prior to 1.24 is a preview version released in February 2022 that runs as a
workload in the GKE user cluster. Users or workloads with root
access to the underlying node on which the Backup for GKE Pod is scheduled,
such as through Pod hostpath mounts or SSH, can gain these root-in-cluster
privileges.
This node-to-cluster escalation vulnerability is addressed in the generally
available (GA) version of the agent, which was released in November 2022. The GA
agent runs on an inaccessible host in the GKE control plane and
is only available in clusters running GKE version 1.24 or later.
To avoid the potential for a node-to-cluster escalation, we highly recommend
that you run Backup for GKE only for GKE clusters running
version 1.24 or later.
New installations of the preview agent will be blocked starting on April 27th 2023.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-12 UTC."],[],[],null,[]]
