The Backup for GKE agent requires full privileges to read and write every object in the cluster.
The agent that runs in GKE clusters on versions earlier than 1.24 is the preview version released in February 2022. It runs as a workload inside the GKE user cluster, so its Kubernetes credentials live on whichever node hosts the Backup for GKE Pod. Any user or workload with root access to that node, for example through a Pod hostPath mount or SSH, can therefore obtain the agent's root-in-cluster privileges.
This node-to-cluster escalation is addressed in the generally available (GA) version of the agent, released in November 2022. The GA agent runs on a host in the GKE control plane that users cannot access, and it is available only in clusters running GKE version 1.24 or later. To remove this escalation path, we strongly recommend that you run Backup for GKE only on GKE clusters running version 1.24 or later.
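The following audit script is an added example, not Google's code or part of this bulletin. It flags clusters that have Backup for GKE enabled but whose control plane is older than 1.24, which is the combination that still runs the preview agent inside the user cluster. It assumes (this is not stated on the page) that `gcloud container clusters list --format=value(...)` is fed the fields `name`, `location`, `currentMasterVersion` and `addonsConfig.gkeBackupAgentConfig.enabled`; the sample input below is constructed to match that shape so the script runs offline.

```shell
#!/bin/sh
# Added example (not Google's code): find GKE clusters that have Backup for
# GKE enabled but still run a control plane below 1.24, i.e. clusters where
# the in-cluster preview agent and its node-to-cluster escalation path remain.
#
# Assumption, not taken from the bulletin: the gcloud --format fields
#   name, location, currentMasterVersion, addonsConfig.gkeBackupAgentConfig.enabled
# Adjust the --format string if your gcloud output differs.

# Return 0 (true) when a GKE version string such as "1.23.17-gke.1700" is
# below 1.24, and 1 otherwise. Only the major.minor part is compared; the
# patch level and "-gke.N" suffix are irrelevant to the agent's placement.
gke_below_1_24() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    # Strip any non-digit suffix in case the minor field carries one.
    minor=$(printf '%s' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -lt 24 ]; then return 0; fi
    return 1
}

# Read tab-separated lines (name, location, masterVersion, backupEnabled),
# the shape gcloud's value() format produces, and print clusters at risk.
flag_preview_agent_clusters() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name location version backup; do
        [ -z "$name" ] && continue
        # gcloud prints the boolean as "True"; an unset addon yields an empty field.
        if [ "$backup" = "True" ] && gke_below_1_24 "$version"; then
            printf '%s (%s): version %s runs the preview agent in the user cluster; upgrade to 1.24 or later\n' \
                "$name" "$location" "$version"
        fi
    done
}

# Constructed sample input (not real clusters), in the shape produced by:
#   gcloud container clusters list \
#     --format='value(name,location,currentMasterVersion,addonsConfig.gkeBackupAgentConfig.enabled)'
SAMPLE=$(printf 'prod-a\tus-central1\t1.23.17-gke.1700\tTrue\n\
prod-b\tus-east1\t1.24.10-gke.2300\tTrue\n\
dev-c\teurope-west1\t1.22.15-gke.100\t\n')

# Only prod-a is flagged: prod-b is on 1.24+, dev-c has Backup for GKE disabled.
printf '%s\n' "$SAMPLE" | flag_preview_agent_clusters
```

Against live output, replace the `printf '%s\n' "$SAMPLE"` line with the `gcloud container clusters list` command from the comment; everything the script flags should be upgraded to 1.24 or later before Backup for GKE is kept enabled on it.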
New installations of the preview agent will be blocked starting on April 27, 2023.